Your iPhone does not need to do anything wrong for DarkSword spyware to get in. You just visit a website (a news outlet, a court’s official page, something you have been to a dozen times) and the attack is already running before the page finishes loading.
Researchers at Google, Lookout, and iVerify confirmed this on March 18, 2026. DarkSword is a fully operational iOS exploit kit, already circulating among state-backed hackers, commercial spyware vendors, and financially motivated criminal groups simultaneously. iVerify puts the number of vulnerable iPhones somewhere between 221 and 296 million. Roughly one in five active iPhones on the planet, all reachable through the same attack chain.
That kind of infection method, where just visiting a page is enough, is called a drive-by exploit. It is the worst-case scenario in mobile security. And right now, it is not theoretical.
What is GhostBlade Malware? The Payload DarkSword Actually Drops
DarkSword breaks in. But what it installs once it is inside is the part worth understanding. Google found three distinct tools delivered by DarkSword: GhostBlade, GhostKnife, and GhostSaber. GhostBlade has done the most damage so far.
It is a JavaScript-based data thief that sweeps your phone clean in one pass. Messages, call logs, contacts, Wi-Fi passwords, Safari history, keychain passwords, photos, iCloud files, health data, location history, and the contents of any crypto wallet apps you have installed. It takes everything, then deletes its own tracks: crash logs wiped, staging files removed, gone before most detection tools even look.
GhostKnife plants a backdoor and captures audio. GhostSaber goes after SQL databases and structured file storage, the deeper app data that most malware skips. Together, the three tools give an attacker a complete picture of everything on the device.
One detail that does not get enough attention: Lookout found evidence that both DarkSword and the earlier Coruna kit were partially written with LLM assistance. The code contains unusually thorough internal documentation, the kind of commenting pattern that shows up when AI tools are used to build or expand a codebase. Spyware is now being developed faster because of AI. That changes the pace of this problem in ways the industry is still catching up to.
How to Check if Your iPhone is Hacked: 5 Warning Signs
GhostBlade is built to be invisible. You will not get a warning. The phone will not slow to a crawl. What you might notice, if you are paying attention:
- Battery dying faster than it did last week. GhostBlade runs active JavaScript processes during exfiltration. Even a short session pulls power.
- Unexplained mobile data spikes. Stolen data has to go somewhere. Go to Settings > Cellular and check which apps are sending data in the background.
- The phone is warm when the screen is off. Background processing generates heat. A hot idle phone is always worth investigating.
- Crypto wallet balance off. GhostBlade specifically targets wallet apps. Any unexplained discrepancy should be treated as a red flag, not a glitch.
- Safari acting strange after a new site: unexpected redirects, tabs opening on their own, or a brief freeze right after loading a page you have not visited before.
iVerify is the most reliable detection tool available right now; it was part of the original investigation and scans for exactly the indicators GhostBlade leaves behind. Not free, but if you handle sensitive data professionally or hold meaningful crypto, it is worth it.
How to Protect Your iPhone from DarkSword Right Now
Apple has patched all six vulnerabilities in the DarkSword exploit chain. The final fix landed in iOS 26.3. The latest is 26.3.1. Here is what to do, in order:
- Update to iOS 26.3.1 or iOS 18.7.6 right now. Settings > General > Software Update. This one step closes every door DarkSword uses. Everything else below is secondary.
- Enable Lockdown Mode if you are a high-risk journalist, activist, government employee, or significant crypto holder. It breaks some everyday functionality but it blocks this class of web-based exploits effectively. Settings > Privacy & Security > Lockdown Mode.
- Clear Safari and close all tabs. DarkSword enters through a malicious iframe on a compromised page. Settings > Safari > Clear History and Website Data, then close every tab in the browser.
- Reset Network Settings. GhostBlade targets saved Wi-Fi credentials. Resetting forces re-authentication and confirms your network config has not been silently altered. Settings > General > Transfer or Reset iPhone > Reset > Reset Network Settings.
- Run iVerify. If you want actual confirmation your device is clean rather than just assuming the update covered it, this is the only tool the researchers themselves recommend. Crypto users: move holdings to a hardware wallet regardless.
Which iPhones Are Vulnerable? (Quick Check)
If you are on iOS 18 and have not updated recently, check the table below. The attack was built specifically for the iOS 18.4 to 18.7 window, though some of the underlying vulnerabilities go further back.
| iOS Version | Status | What to do |
| --- | --- | --- |
| 18.4 – 18.6.2 | Vulnerable | Update now |
| 18.7 – 18.7.3 | Partially patched | Update to 18.7.6 |
| 18.7.6 | Safe | Nothing |
| iOS 26 – 26.2 | Partially patched | Update to 26.3.1 |
| iOS 26.3.1 | Safe | Nothing |
Older devices that cannot upgrade to iOS 26 are in a grey area. Apple has not confirmed whether it will backport the patches. It did this for the earlier Coruna exploit, but has not committed here. Google’s guidance for those devices: enable Lockdown Mode now and wait for Apple’s confirmation.
Stacking DarkSword with Coruna, iVerify estimates the combined vulnerable range stretches from iOS 13 through 18.6.2. That is a significant portion of every iPhone currently in use.
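For anyone triaging more than one device, the version table above can be applied to an inventory export. The script below is an added example, not code from the article or from any vendor; the device names are constructed, and it assumes a bound written without a patch number (such as "26.2") covers every patch release under it. Versions the table does not list, including 18.7.4, 26.3 and anything before 18.4, are reported as not listed rather than guessed.

```python
import re

# Rows transcribed from the article's table: (low, high, status, action).
# Assumption: a bound written without a patch number ("26.2") covers every
# patch release under it, so 26.2.1 falls inside "iOS 26 – 26.2".
TABLE = [
    ((18, 4), (18, 6, 2), "Vulnerable", "Update now"),
    ((18, 7), (18, 7, 3), "Partially patched", "Update to 18.7.6"),
    ((18, 7, 6), (18, 7, 6), "Safe", "Nothing"),
    ((26,), (26, 2), "Partially patched", "Update to 26.3.1"),
    ((26, 3, 1), (26, 3, 1), "Safe", "Nothing"),
]
NOT_LISTED = ("Not listed", "Not in the article's table; check manually")

def parse_version(text):
    """Turn '18.6.2', '18.7' or 'iOS 26' into a 3-part integer tuple."""
    m = re.fullmatch(r"(?:iOS\s*)?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised iOS version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def classify(text):
    """Return (status, action) for a version string, per the table above."""
    v = parse_version(text)
    for low, high, status, action in TABLE:
        low3 = low + (0,) * (3 - len(low))  # pad the lower bound to 3 parts
        if v >= low3 and v[:len(high)] <= high:
            return status, action
    return NOT_LISTED

def triage(inventory):
    """Group (device, version) pairs by status; unparsable versions are kept."""
    groups = {}
    for device, version in inventory:
        try:
            status = classify(version)[0]
        except ValueError:
            status = "Unparsable"
        groups.setdefault(status, []).append(device)
    return groups

# Constructed sample inventory (hypothetical device names).
SAMPLE = [("phone-a", "18.5"), ("phone-b", "18.7.4"), ("phone-c", "iOS 26.2.1"),
          ("phone-d", "26.3.1"), ("phone-e", "17.6"), ("phone-f", "n/a")]

if __name__ == "__main__":
    for status, devices in triage(SAMPLE).items():
        print(f"{status}: {', '.join(devices)}")
```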
Who is UNC6353, the Group Behind the GhostBlade Attacks?
Google tracks the group running the Ukraine campaign as UNC6353. Russian-backed, assessed to have both espionage and financial motives. They used Coruna first, switched to DarkSword in December 2025, and spent the following months running watering hole attacks against two specific Ukrainian sites: News of Donbas, an independent news outlet, and the Seventh Administrative Court of Appeals in Vinnytsia.
Ordinary visitors to those sites with no reason to be suspicious had their phones silently hit.
Here is what Lookout’s assessment actually says about this group: well-funded, well-connected, but not technically elite. They did not build DarkSword. They bought it. From commercial surveillance vendors operating in a grey market that most Western regulators cannot touch. That market, not any single hacking group, is the structural problem.
DarkSword has had at least three separate operators in five months. UNC6748 used it against Saudi users via a fake Snapchat site in November 2025. PARS Defense, a Turkish vendor, ran campaigns in Turkey and Malaysia. UNC6353 ran Ukraine. Same core exploit kit, different buyers, different targets, overlapping infrastructure. This is not a single operation. It is a product being sold.
Is iPhone Spyware Getting Harder to Stop?
Honestly, yes.
Not because Apple is doing a bad job: the company patched all six DarkSword CVEs before Google even published its report, which is a fast turnaround by any standard. The problem is that the supply of working iOS exploits is growing faster than the industry can contain it, and the barrier to using them keeps dropping.
DarkSword and Coruna are the first two complete iOS exploit kits found within a single calendar month. That has never happened before. For context: Pegasus, NSO Group’s spyware, spent years being treated as an exceptional tool, so hard to build that only nation-states with serious resources could acquire it. That framing is now outdated. Operation Triangulation in 2023, the AirPlay vulnerabilities in May 2025, the USB Restricted Mode bypass in February 2026, Coruna on March 3rd, DarkSword on March 18th. That is a timeline, not a coincidence.
LLM-assisted malware development is accelerating the build cycle. Commercial vendors are lowering the access cost. More actors, more tools, more campaigns, and a shrinking window between a working exploit existing and a patch being deployed. Apple closes the gap fast. But the gap is being used while it exists.
Summary: What iPhone Users Need to Do Today
DarkSword spyware targets iPhones running iOS 18.4 through 18.7, spreading through infected websites with no action required from the user. All six vulnerabilities are patched in iOS 26.3.1 and iOS 18.7.6. Updating now is the fix. For anyone handling sensitive data or crypto, Lockdown Mode and an iVerify scan add meaningful confirmation that the device has not already been hit.
Checklist
- Settings > General > Software Update: do this first
- Update to iOS 26.3.1 or iOS 18.7.6
- Clear Safari history and close all tabs
- Reset Network Settings
- Enable Lockdown Mode if you are high-risk
- Move crypto to a hardware wallet
- Run iVerify for confirmation
The patch is free. The update takes three minutes. There is no good reason to stay in the vulnerable window.
