Active iPhone exploit — update now
A DarkSword exploit chain—originally government spyware—has been weaponized and can compromise up‑to‑date iPhones via a single malicious link, prompting urgent Apple patches and regulator advisories. The incident underlines why Apple’s fast, decoupled security updates and backend patch hygiene matter for app and API defenders. (x.com) (news.abplive.com)
Google’s Threat Intelligence Group, together with Lookout and iVerify, publicly disclosed the DarkSword iOS exploit chain in a coordinated report issued March 18, 2026. (cloud.google.com) The toolkit chains six distinct flaws — including three zero‑day vulnerabilities — to enable full device compromise on iOS 18.4 through 18.7. (thehackernews.com) Researchers say DarkSword has been in active use since at least November 2025 and has been adopted by multiple commercial surveillance vendors alongside suspected state‑sponsored operators. (cloud.google.com) Public estimates of potentially vulnerable iPhones range from about 220 million to 270 million devices, depending on the telemetry and OS version assumptions used by different firms. (tomsguide.com) Observed campaigns targeted users in Saudi Arabia, Turkey, Malaysia and Ukraine using compromised websites and themed landing pages, and at least one cluster of activity has been linked to the Russian‑tracked group UNC6353. (darkreading.com) Apple released fixes in iOS 26.3 and updated support documentation on March 18–19, 2026, marking the corrective release that addresses the exploit chain. (appleinsider.com) Analysts recovered infostealer payloads that exfiltrate credentials and cryptocurrency wallet data, underscoring why patched runtime components and tight backend access controls were focal points in vendor advisories. (bleepingcomputer.com)
