The “DarkSword” attack, which can spread malware to unpatched iPhones, is now targeting potential victims through phishing emails.
Email security provider Proofpoint warned of the threat after detecting the emails in customers’ inboxes. They feature a link that leads to a malicious site hosting DarkSword, which abuses a range of iOS software vulnerabilities to remotely attack iPhones running iOS 18.4 to 18.7.
The phishing emails underscore the threat of DarkSword, an attack that was originally used by a handful of shadowy groups for cyberespionage and cybercrime. But last week, someone leaked the attack online, making it easy for anyone to adopt and potentially improve upon.
Proofpoint suspects Russia’s Federal Security Service is behind the phishing emails, which pretend to come from the Atlantic Council, a US think tank, and invite the user to a “closed-door strategic discussion” about Europe’s security. Russian dissident Leonid Volkov reported receiving one of the phishing emails.
In this case, the phishing emails are designed to target iPhone users via mobile browsers; DarkSword has infected iPhones that visit a malicious site via Safari.
“While activity from this [Russian] actor has historically been low volume, we’ve recently observed a modest increase, with campaigns reaching into the dozens of messages rather than single digits,” Proofpoint says. “The targeting appears primarily aligned to international organizations of interest, rather than focused on any specific country.”
The hacking campaign underscores why users, especially those on iOS 18.4 to 18.7, should update their iPhones as soon as possible. Apple has gone out of its way to publish a support page urging customers to update; it also released patches for phones that don’t support iOS 26.
“We released a software update for iOS 15 and iOS 16 on March 11, 2026, to extend protection to older devices that cannot update to the latest version of iOS,” the company added. “Devices with iOS 13 or iOS 14 must update to iOS 15 to receive these protections and will receive an additional alert to install a Critical Security Update in the next few days.”
