iPhone spyware surge
Researchers warn that mass-market spyware, no longer just a government tool, is now siphoning texts, calls and sensor data from iPhones. Apple pushed iOS 26.3.1(a) as an urgent fix while urging users on older iOS versions to upgrade immediately (axios.com) (tech.yahoo.com). Security firms also flagged a new 'DarkSword' exploit that can access device sensors and geolocation; India issued a public warning as the campaign is active in the wild (timesofindia.indiatimes.com).
Lookout Threat Labs, iVerify and Google’s Threat Intelligence Group released coordinated technical findings on DarkSword on March 18, 2026, identifying it as a JavaScript-based full-chain iOS exploit that leverages multiple zero-day vulnerabilities. (lookout.com) iVerify estimated the campaign targets devices running iOS 18.4 through 18.6.2 and warned up to 270 million iPhones could still be on those vulnerable builds. (iverify.io)
Analysts say DarkSword’s payloads rapidly exfiltrate credentials, saved passwords, text messages, signed-in accounts, cryptocurrency wallet data and location history, then attempt to erase forensic traces within minutes. (theregister.com) The delivery vector observed in disclosed cases was a watering-hole chain hosted on dozens of compromised sites in Ukraine, including at least one gov.ua address used as a redirect to malicious payloads. (0e190a550a8c4c8c4b93-fcd009c875a5577fd4fe2f5b7e3bf4eb.ssl.cf2.rackcdn.com) Lookout and Google reported that multiple commercial spyware vendors and suspected state-sponsored actors have adopted DarkSword since at least November 2025, and that campaign operators have used AI to customize exploit chains. (lookout.com)
Apple delivered a patch labeled iOS 26.3.1 (a) through its Background Security Improvements mechanism on March 17–18, 2026; it fixes a WebKit same-origin/navigation API bypass tracked as CVE-2026-20643. (support.apple.com) Indian authorities and major Indian outlets flagged the active campaign and relayed Apple’s advisory, with national press and CERT-In coverage prompting broad public warnings in India this week. (timesofindia.indiatimes.com)