Security researchers expand exposé around the self-deleting DarkSword exploit chain that harnesses six vulnerabilities to steal data via malicious websites.

Three months on from a public threat disclosure and subsequent software patches, a no-click cyber threat to iPhones is still at large, rendering more than 200m devices worldwide continually vulnerable.

Earlier, security researchers from Lookout Threat Labs and iVerify had already exposed DarkSword, a sophisticated iOS exploit chain targeting hundreds of millions of iPhones.

Active since at least November 2025, this zero-click attack compromises devices merely by users visiting malicious websites via the Safari browser, affecting iOS versions 18.4 through 18.7.

DarkSword chains six vulnerabilities, including flaws in Safari and WebGPU (such as CVE-2025-31277 and CVE-2025-43529), to break out of the browser sandbox, gain kernel-level privileges, and deploy malware and backdoors.

No user interaction is needed for the malware to activate, beyond webpage access by the user.

The payload rapidly exfiltrates sensitive data (including saved passwords, SMS/iMessage, WhatsApp/Telegram databases, certain cryptocurrency wallets, iCloud files, photos, location history, call logs, and Wi-Fi credentials) before self-deleting in minutes to dodge detection.

So far, the exploit has been linked to multiple threat actors, including Russian-linked UNC6353 — previously tied to the Coruna chain — who injected code into Ukrainian domains for watering-hole attacks targeting Ukraine, Saudi Arabia, Turkey, and Malaysia. Other clusters like UNC6748, have deployed Snapchat-themed lures. Considering that AI-assisted extensions have been added to the modular malware platform, researchers suspect links to brokers like those in Russia’s Operation Zero.

Apple has so far patched all flaws after the late-2025 disclosure of the exploit, with fixes in iOS 18.7.3 and 26.3. Despite that, up to 270m devices remain vulnerable, with 15% of active iOS hardware in the affected range.

Experts urge immediate updates and Lockdown Mode activation on unsupported older devices, amid fears of backporting like with Coruna. “Advanced mobile malware has ceased to be a tool wielded solely by governments for espionage, and is now in the hands of groups seeking financial gain,” warned Lookout’s Justin Albrecht. This proliferation signals a new era of commercialized iOS threats.