If you’ve been putting off an update to iOS 26, now might be the time to do it. On Wednesday, security researchers published findings on a new hacking tool that targets iPhones running iOS 18.4 to 18.6.2, as reported earlier by Wired. The “DarkSword” exploit allows bad actors to scoop up the personal information on iPhones that visit malicious links, and has already been used by Russian hackers.
The Google Threat Intelligence Group worked with the cybersecurity firms Lookout and iVerify to analyze the attack, which could affect up to 270 million devices still running the impacted versions of iOS 18. When a user accesses a compromised website, Google says DarkSword uses “six different vulnerabilities” to carry out an attack targeting Safari, giving bad actors the ability to collect text messages, contacts, saved credentials, iCloud files, photos, cryptocurrency wallets, call logs, location history, and more.
Google says it reported the vulnerability to Apple in late 2025. In an emailed statement to The Verge, Apple spokesperson Sarah O’Rourke confirmed that Apple had patched all “underlying vulnerabilities” in iOS last year before issuing an “emergency software update last week for older devices that were unable to update to more recent versions of iOS.”
DarkSword uses a “hit-and-run” design that allows attackers to “extract high-value data and disappear before traditional detection methods can respond,” according to Lookout. Google says suspected Russian state-sponsored hackers used DarkSword to target users in Ukraine, Saudi Arabia, Malaysia, and Turkey. These hackers were also discovered using an iOS exploit kit called Coruna, which Google highlighted in a report earlier this month. iVerify notes that the Russia-linked hackers left the DarkSword code “unobfuscated, unprotected and easily accessible,” making it easy for other bad actors to access and potentially redeploy.
Google, Lookout, and iVerify found that the attack doesn’t impact users in Lockdown Mode, an “extreme” security feature for the iPhone that protects journalists, activists, and politicians from targeted attacks. Apple and Google have also blocked the malicious links used in DarkSword attacks in Safari and Chrome.
“Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices as these updates include the latest security fixes and protections,” O’Rourke says.
