iPhone Spyware Tool DarkSword Leaks Online, Threatening Hundreds of Millions

A sophisticated iPhone hacking toolkit used by state-backed spies and commercial surveillance vendors has been leaked publicly on GitHub, transforming what was once a tightly controlled cyberweapon into a freely available tool that virtually any cybercriminal can now deploy against unpatched Apple devices.

The exploit kit, known as DarkSword, was first uncovered by cybersecurity researchers last week as part of a hacking campaign targeting iPhone users. Someone then leaked a newer version and published it on the code-sharing platform GitHub, dramatically escalating the global threat.

Researchers warned that the leak allows any hacker to easily target iPhone users running older versions of Apple’s operating systems who have not yet updated to the latest iOS 26 software, a population that likely numbers in the hundreds of millions based on Apple’s own data on out-of-date devices.

DarkSword chains six vulnerabilities to achieve remote code execution on vulnerable iPhones and deploy malicious payloads, with three of those vulnerabilities exploited as zero-days before Apple patched them. Zero-day vulnerabilities are previously unknown security flaws that software makers have had no time to fix.

Three of the vulnerabilities target WebKit, the browser engine used by Apple’s Safari and all web browsers on iOS. Two others are in the iOS kernel, and one is in the Dynamic Link Editor (dyld) component of Apple’s operating systems.

What makes the GitHub leak particularly alarming is how little technical skill is now required to mount an attack. Matthias Frielingsdorf, co-founder of mobile security startup iVerify, told TechCrunch: “This is bad. They are way too easy to repurpose. I don’t think that can be contained anymore. So we need to expect criminals and others to start deploying this. The exploits will work out of the box. There is no iOS expertise required.”

The threat has already been demonstrated. A security researcher who goes by the handle matteyeux told TechCrunch he was able to hack an iPad mini tablet running iOS 18 using the publicly circulating DarkSword sample.

From Spy Tool to Public Weapon

Google’s Threat Intelligence Group (GTIG), iVerify, and Lookout had previously revealed that DarkSword was wielded by multiple threat actors in distinct campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025. Among them were a suspected Russian espionage group and a Turkish commercial surveillance vendor known as PARS Defense.

Upon successful exploitation, malware is executed on a victim’s device, with the type depending on the attacker. One payload, known as Ghostblade, is a JavaScript data-stealer that exfiltrates device identifiers, messages, call history, contacts, Wi-Fi passwords, Safari browsing history, location data, photos, emails, and saved passwords. It also specifically targets cryptocurrency exchange apps including Coinbase, Binance, and Kraken, as well as crypto wallet applications.

The leaked code on GitHub contains developer notes describing the exploit’s processes and capabilities, including instructions that outline obtaining an iPhone user’s contacts, call history, messages, and iOS keychain, then uploading the information to a remote server.

Apple’s Response and What Users Must Do

Apple spokesperson Sarah O’Rourke confirmed the company was aware of the exploit targeting devices running older operating systems and issued an emergency update on March 11 for devices unable to run recent versions of iOS, adding: “Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products.”

iOS 26.3 and newer, as well as iOS 18.7.3, patch all the vulnerabilities used by DarkSword. Even older devices received patches through iOS 15.8.7 and iOS 16.7.15.
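
For administrators, the fixed releases listed above can be turned into a fleet check. The following Python code is an added example, not from the article, Apple, or any vendor named here: it triages a device inventory against those releases. The CSV layout and device names are constructed, it assumes later releases within a major branch keep the fixes, and branches the article does not list (such as iOS 17) are reported as unknown rather than guessed.

```python
import csv
import io

# First fixed release per major branch, as stated in the article.
# Assumption: later releases within the same major branch keep the fixes.
FIXED = {15: (15, 8, 7), 16: (16, 7, 15), 18: (18, 7, 3), 26: (26, 3, 0)}

def parse_version(text):
    """Turn '18.7.3' into (18, 7, 3); pad missing parts with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(os_version):
    """Return (status, detail) for one reported iOS version string."""
    try:
        version = parse_version(os_version)
    except ValueError:
        return "unknown", "unparseable version string"
    if version[0] > max(FIXED):
        return "patched", "newer than iOS 26.3"
    fixed = FIXED.get(version[0])
    if fixed is None:
        # The article names no fixed build for this branch (e.g. iOS 17).
        return "unknown", "no fixed release listed for this branch"
    if version >= fixed:
        return "patched", ""
    return "vulnerable", "update to " + ".".join(map(str, fixed)) + " or later"

def triage(inventory_csv):
    """Group devices by status from CSV text with 'device,os_version' columns."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, detail = classify(row["os_version"])
        report[status].append((row["device"], row["os_version"], detail))
    return report

# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE = """device,os_version
phone-a,26.3
phone-b,18.7.2
phone-d,17.6.1
phone-e,16.7.15
phone-f,15.8.6
phone-g,n/a
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Devices reported as unknown need manual review against Apple's security release notes before being treated as safe.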

For users in high-risk professions such as journalists, activists, or those with access to sensitive data, Apple recommends enabling Lockdown Mode via Settings, then Privacy and Security. Apple has confirmed that Lockdown Mode blocks these specific DarkSword attacks.

DarkSword arrives only weeks after researchers disclosed a separate iPhone exploit chain called Coruna, which contains five full iOS exploit chains and a total of 23 exploits targeting vulnerabilities with and without a Common Vulnerabilities and Exposures (CVE) identifier. Security researchers say the back-to-back disclosures mark an unprecedented period of exposure for Apple’s mobile platform.
