A DarkSword hangs over unpatched iPhones

Researchers at Google have identified an iOS exploit chain, named DarkSword, that has been used since late last year by multiple actors to infect iPhones with malware in targeted attacks.

DarkSword combines six vulnerabilities in iOS and Safari to deploy malware on the device. It demonstrates, once again, how important it is to keep up with updates.

The exploit works against iPhones running iOS versions 18.4 through 18.7, and simply visiting a malicious or compromised website with a vulnerable device can be enough to get infected (a drive‑by attack).

The researchers found that several groups are using the tool to attack their preferred targets. DarkSword has been used both by commercial spyware vendors and by state‑backed actors, with campaigns observed in Saudi Arabia, Turkey, Malaysia, and Ukraine.

In Saudi Arabia, attackers used a fake Snapchat lookalike. In Ukraine, attackers compromised at least two Ukrainian websites, including a government site.

Upon successful exploitation, malware is executed on the device. The type of malware depends on the attacker. In the Ukrainian campaign, that malware is known as Ghostblade, one example of a payload delivered via the DarkSword exploit chain.

Ghostblade is a JavaScript‑based data‑stealer that exfiltrates unique device identifiers, SMS and iMessage messages, call history, contacts, Wi‑Fi configuration and passwords, Safari cookies and browsing history, location data, notes, calendar entries, health data, photos, iCloud Drive files, SIM information, emails, a list of installed apps, saved passwords, and the message history from Telegram and WhatsApp.

Beyond this, Ghostblade stands out because it also targets cryptocurrency‑related data, actively seeking apps for major exchanges (Coinbase, Binance, Kraken, Kucoin, OKX, Mexc) and wallet apps (Ledger, Trezor, Metamask, Exodus, Uniswap, Phantom, Gnosis Safe). Researchers note that Ghostblade is not built for long‑term surveillance: once it has collected the data, it deletes its temporary files and terminates itself.

Vulnerable devices can be infected just by visiting that one malicious or compromised website. And the consequences can be severe. DarkSword turns a single website visit into full device compromise, followed by Ghostblade exfiltrating as much data as it can in one go.

  • Data theft: Ghostblade and related payloads can grab communications (SMS, iMessage, Telegram, WhatsApp, email), photos, health data, location history, Wi‑Fi credentials, keychain items, and more in one sweep.
  • Crypto theft and profiling: The malware enumerates specific exchange and wallet apps, which enables direct theft and also lets criminals use the stolen information to build a detailed profile of financially interesting targets.
  • Forensic evasion: Because Ghostblade wipes its own traces after stealing all that information, it can take a long time before victims figure out something is wrong. Many victims may never know they were compromised.

Since the same exploit kit is being reused across commercial surveillance firms and state‑aligned actors, the number of campaigns and victims will increase over time.

Update to the latest iOS available for your device. DarkSword can affect iOS versions 18.4 through 18.7, and Apple’s recent releases include fixes for CVE‑2026‑20700 and related vulnerabilities.
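For anyone responsible for more than one device, the practical first step is to find out which phones in an inventory still sit in the affected range. The following Python helper is an added example, not code from the article or from Google's researchers: it parses iOS version strings from a constructed MDM/inventory export and buckets each device as inside the 18.4 through 18.7 range the article names, outside it, or unknown. Because the article does not name the exact fixed build, the check flags any 18.4 to 18.7 release regardless of patch level, which is an assumption that errs on the side of flagging.

```python
"""Triage helper (added example): flag devices whose iOS version falls in the
range the article names as affected by DarkSword, iOS 18.4 through 18.7."""
from __future__ import annotations

AFFECTED_MIN = (18, 4)  # range quoted in the article
AFFECTED_MAX = (18, 7)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.7.1' (or 'iOS 18.7.1') into (18, 7, 1); reject anything else."""
    cleaned = text.strip()
    if cleaned.lower().startswith("ios"):
        cleaned = cleaned[3:].strip()
    parts = cleaned.split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    return tuple(int(part) for part in parts)


def is_in_affected_range(version: str) -> bool:
    """True when major.minor lies within 18.4 .. 18.7 inclusive.

    Patch releases such as 18.7.1 share the 18.7 minor and are flagged too:
    the article does not name the fixed build, so this assumption errs on the
    side of flagging rather than clearing a device.
    """
    parsed = parse_version(version)
    major_minor = (parsed[0], parsed[1] if len(parsed) > 1 else 0)
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def triage(inventory: list[dict[str, str]]) -> dict[str, list[str]]:
    """Sort inventory records into affected / outside_range / unknown buckets.

    A record with a missing or unparseable os_version lands in 'unknown' so
    that it is followed up rather than silently treated as safe.
    """
    buckets: dict[str, list[str]] = {"affected": [], "outside_range": [], "unknown": []}
    for device in inventory:
        device_id = device.get("id", "<no id>")
        try:
            flagged = is_in_affected_range(device["os_version"])
        except (KeyError, ValueError):
            buckets["unknown"].append(device_id)
            continue
        buckets["affected" if flagged else "outside_range"].append(device_id)
    return buckets


# Constructed sample export; ids and versions are invented for the example.
SAMPLE_INVENTORY = [
    {"id": "iphone-0001", "os_version": "18.3.2"},
    {"id": "iphone-0002", "os_version": "18.4"},
    {"id": "iphone-0003", "os_version": "iOS 18.7.1"},
    {"id": "iphone-0004", "os_version": "18.8"},
    {"id": "iphone-0005", "os_version": "n/a"},
    {"id": "iphone-0006"},  # os_version never reported
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:14s} {', '.join(ids) or '-'}")
```

Devices in the "outside_range" bucket are only outside the range the article quotes; that is not a statement that they are patched against anything else, and the "unknown" bucket is the one to chase first, since a device that does not report its version cannot be cleared.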

If you have reason to believe you’re a potential target for attacks of this nature (journalists, activists, or people who have access to sensitive data), it is advisable to enable Lockdown Mode:

  1. Open the Settings app.
  2. Tap Privacy & Security.
  3. Scroll down, tap Lockdown Mode, then tap Turn On Lockdown Mode.
  4. Read the presented information and tap Turn On Lockdown Mode.
  5. Tap Turn On & Restart.
  6. Enter your device passcode when prompted.

Do inform yourself about the consequences of turning on Lockdown Mode. It makes your device a lot less user-friendly, but it has proven effective against highly targeted attacks.

Here are some more general tips:

  • Use up-to-date, real-time anti-malware protection for your device to block malicious websites where possible.
  • Avoid following links sent in unsolicited messages, especially for services like Snapchat, crypto exchanges, banking, or email.
  • Use content blockers (for example Malwarebytes Browser Guard) in Safari to reduce exposure to malicious content (though they are not a silver bullet for zero‑days).
  • Move high‑value crypto assets to hardware wallets or dedicated devices, and use mobile wallets only for smaller amounts.
  • Use a password manager with strong authentication, turn on extra security settings like Face ID/Touch ID, and avoid auto‑filling high‑risk credentials.
  • Enable multi-factor authentication (FIDO2 security keys or app‑based 2FA) on exchanges and financial accounts, so stolen passwords alone are not enough to plunder your accounts.
  • Regularly review app permissions and revoke access to sensitive data (Location, Photos, Contacts, Microphone, Camera, Health) wherever it is unnecessary.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.
