Apple warns of iPhone exploit chain

Google’s Threat Intelligence Group has named the new chain “DarkSword,” which GTIG says has been observed since November 2025 and strings together six vulnerabilities to fully compromise iOS devices running iOS 18.4–18.7. (cloud.google.com) GTIG says DarkSword operators deploy three final-stage payload families — GHOSTBLADE, GHOSTKNIFE and GHOSTSABER — with capabilities to dump Keychain stores, steal Safari cookies, messages, photos, location history and app data including crypto-wallet files. (cloud.google.com) (bleepingcomputer.com) Lookout and iVerify researchers working with Google detail DarkSword’s delivery via compromised “watering‑hole” and scam sites that load obfuscated JavaScript into Safari frames to trigger the chain. (cloud.google.com) (lookout.com) GTIG links DarkSword usage to multiple commercial surveillance vendors and suspected state‑backed clusters — citing activity by UNC6748 and UNC6353 — against targets in Saudi Arabia, Turkey, Malaysia and Ukraine. (cloud.google.com) Google said it reported the underlying flaws to Apple in late 2025 and that Apple issued fixes with iOS 26.3, followed by a Background Security Improvements release iOS 26.3.1 (a) this month to address related WebKit issues. (cloud.google.com) (macobserver.com) Apple’s App Store–based metrics measured on Feb. 12, 2026 show 66% of active iPhones running iOS 26 and 24% still on iOS 18, statistics security teams cite when estimating the size of the population that could remain on vulnerable 18.x builds. (macrumors.com) (cloud.google.com) Independent reporting places the exposed‑device estimate in the hundreds of millions — outlets have published ranges between about 220 million and 270 million iPhones potentially running affected 18.x builds — and Google says it has added DarkSword delivery domains to Safe Browsing to block active sites. (tomsguide.com) (criptor.net) (cloud.google.com)