Google announced that an advanced chain of iOS security vulnerabilities, dubbed “DarkSword”, has been actively exploited since late 2025 and has led to the compromise of numerous iPhones.
Google Threat Intelligence Group (GTIG), the company’s security unit, said these attacks specifically targeted iOS versions 18.4 and 18.7.
According to GTIG’s analysis, DarkSword combines multiple zero-day vulnerabilities, allowing for complete device compromise. One of the most notable components, the malware called “GHOSTBLADE,” is said to be capable of leaking sensitive information, including cryptocurrency wallet data and user credentials. This poses a serious security risk, especially for holders of crypto assets.
Google said the exploit chain has been active since at least November 2025 and is used by both commercial surveillance software providers and those suspected of being state-sponsored.
DarkSword reportedly exploited a total of six different vulnerabilities, and after a successful attack, three different malware families were activated: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Google also reported that the UNC6353 group, previously known for using the “Coruna” iOS vulnerability kit and believed to be linked to Russia, has integrated DarkSword into its new attack campaigns.
The company said all identified vulnerabilities were reported to Apple in late 2025 and fully fixed with iOS 26.3. Google also announced that it had added the domain names used in spreading the attacks to its list of safe Internet domains.
Google warns users to update their devices to the latest version of iOS, and for those who can’t update, it recommends enabling “Lockdown Mode” as an added security measure. According to experts, obsolete devices are increasingly at risk, particularly due to cryptocurrency theft.
*This does not constitute investment advice.