iPhone mass‑hack patched

Google’s Threat Intelligence Group labeled the exploit chain “DarkSword” after recovering payloads and said toolmarks show multiple commercial surveillance vendors and suspected state-sponsored actors used the chain, with activity traceable to at least November 2025. (cloud.google.com) Analysis of recovered payloads shows DarkSword leverages multiple zero‑day WebKit flaws to deploy backdoors that can steal messages, call recordings, signed‑in accounts, saved passwords and cryptocurrency wallet data. (theregister.com) Researchers identified a cross‑origin bypass in the Navigation API that allowed malicious web content to evade Same Origin Policy protections in WebKit, a defect addressed by Apple’s Background Security Improvements. (9to5mac.com) Telemetry and threat‑intel firms linked operational use of the kit to a Russian‑linked group tracked as UNC6353 in attacks on Ukraine, while separate campaigns repackaged the same chain for broader espionage and criminal use. (securityweek.com) Investigators say the exploit was staged from dozens of compromised Ukrainian websites beginning in late 2025 and that public reporting intensified in March 2026 as cross‑lab analysis revealed wider reuse. (msn.com) Security writeups note the chain can exfiltrate device location traces and app‑stored data, raising exposure risks for apps that surface telemetry and location signals through third‑party SDKs. (darkreading.com) Apple’s Background Security Improvements operate between full OS releases, were tested in iOS 26.3 betas, are available only on up‑to‑date devices and can be installed from Settings > Privacy & Security. (macrumors.com)