When it came about: Actively used in the wild since at least November 2025 by multiple actors (including suspected Russian group UNC6353 and commercial spyware vendors). Publicly disclosed March 18, 2026 by Google Threat Intelligence Group, iVerify, and Lookout in coordinated research. It was likely discussed/presented at RSAC 2026 (March 23–26, 2026).
iOS versions impacted: iOS 18.4 through 18.7 (variants tailored to specific sub-versions; estimated 100–270 million devices potentially affected at disclosure). Newer iOS 26.x and fully patched iOS 18.7.7+ are safe.
Current status (as of posting): Fully patched. Apple released fixes in iOS 26.3 (and earlier incremental updates) and issued a rare backport/expansion to iOS 18.7.7 (initial release March 24, 2026; wider automatic availability April 1, 2026) specifically to protect older iOS 18 devices still in use. The exploit kit was publicly leaked on GitHub ~March 23, 2026, increasing accessibility to lower-skilled actors, but updated devices are no longer vulnerable.
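For a fleet owner, the practical question the two points above raise is which managed devices still sit in the affected window (18.4 up to, but not including, the 18.7.7 backport). The following is an added triage script, not code from the original post or from any of the cited research teams: it parses iOS version strings as they appear in a typical MDM export and classifies each device. The CSV layout (device_id,os_version) and the sample rows are constructed for illustration; the rule that every build at or above 18.7.7 (including the 26.x line) counts as patched follows the post's statement that 26.x and 18.7.7+ are safe, and is an assumption for any intermediate version the post does not mention.

```python
import re
from typing import Iterable, List, Tuple

# Affected window as stated in the post: iOS 18.4 through 18.7,
# fixed by the 18.7.7 backport (and in the 26.x line).
AFFECTED_MIN = (18, 4, 0)
PATCHED_BACKPORT = (18, 7, 7)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_ios_version(s: str) -> Tuple[int, int, int]:
    """Turn '18.7', '18.7.7' or ' iOS 18.4.1 ' into a comparable (major, minor, patch) tuple.

    A missing patch component is treated as 0, so '18.7' sorts below '18.7.1'.
    Raises ValueError for anything that does not look like a version.
    """
    s = s.strip()
    if s.lower().startswith("ios"):
        s = s[3:].strip()
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised iOS version string: {s!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version: str) -> str:
    """Classify one version string.

    'vulnerable'   : 18.4 <= v < 18.7.7 (the window named in the post)
    'patched'      : v >= 18.7.7, which also covers the 26.x line (assumption: any
                     build above the backport is treated as safe, as the post says 26.x is)
    'not-in-range' : everything older than 18.4 (not covered by this exploit chain)
    """
    v = parse_ios_version(version)
    if AFFECTED_MIN <= v < PATCHED_BACKPORT:
        return "vulnerable"
    if v >= PATCHED_BACKPORT:
        return "patched"
    return "not-in-range"


def triage_inventory(rows: Iterable[str]) -> List[Tuple[str, str]]:
    """Walk CSV lines of the form 'device_id,os_version' and return (device_id, status) pairs.

    Blank lines and '#' comments are skipped; unparseable versions are reported as
    'unknown' rather than silently dropped, so they can be followed up by hand.
    """
    out: List[Tuple[str, str]] = []
    for line in rows:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device_id, _, ver = line.partition(",")
        try:
            status = classify(ver)
        except ValueError:
            status = "unknown"
        out.append((device_id.strip(), status))
    return out


# Constructed sample export; these are not real device records.
SAMPLE_INVENTORY = [
    "# device_id,os_version",
    "ipad-001,18.4",
    "iphone-002,iOS 18.7.6",
    "iphone-003,18.7.7",
    "iphone-004,26.3",
    "iphone-005,18.3.2",
    "iphone-006,n/a",
]


def vulnerable_devices(rows: Iterable[str] = SAMPLE_INVENTORY) -> List[str]:
    """Just the device ids that still need the 18.7.7 backport (or a 26.x upgrade)."""
    return [d for d, s in triage_inventory(rows) if s == "vulnerable"]


if __name__ == "__main__":
    for device, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{device:12s} {status}")
```

Devices reported as "unknown" deserve a second look rather than being ignored; an export that shows no version at all is usually a device that has not checked in, which is exactly the population most likely to be sitting on an old build.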
Is it a current threat? Only to unpatched devices on iOS 18.4–18.7. It is a real-world drive-by exploit: no user interaction beyond visiting a malicious or compromised website (e.g., watering-hole attacks on legitimate sites). Once triggered, it chains six vulnerabilities (Safari/WebKit RCE → sandbox escape → kernel privileges) for full compromise, quickly exfiltrates data (messages, credentials, crypto wallets, location, etc.), then self-cleans (“hit-and-run”). Post-leak, risk of broader use has risen, but patch adoption and Apple’s Safe Browsing blocks mitigate it for updated users.
The exploit is memory-resident with no reported file-based persistence (it cleans up after exfiltration). A reboot terminates processes and clears volatile memory, potentially stopping an active in-memory payload. However, it does not undo an exploitation that already succeeded while you were vulnerable—any stolen data is already gone, and a reboot is neither a reliable mitigation nor a fix. Update immediately or enable Lockdown Mode.
Data exposure risk while infected (DarkSword exploit chain): Extremely high and broad. Once the drive-by exploit succeeded (via a single website visit on a vulnerable iOS 18.4–18.7 device), the payload achieved full kernel-level compromise. It then rapidly collected and exfiltrated a wide range of sensitive personal, communication, identity, location, and financial data — typically within seconds to a few minutes — before self-cleaning and exiting. No long-term persistence was observed, but the stolen data was sent to attacker-controlled servers over HTTPS and was permanently lost to the victim.
Key categories of data exposed (verified across Google GTIG, Lookout, and iVerify reports):
Communications & Messaging: SMS/iMessage database, WhatsApp/Telegram message histories, call logs, emails, contacts.
Credentials & Access: Device keychain (passwords, keys), saved Wi-Fi networks/passwords, Safari history/cookies, signed-in accounts, usernames/passwords.
Personal & Media Content: Photos (including metadata, hidden photos, screenshots), iCloud Drive files, Notes database, Calendar database, Health data.
Location & Device Info: Location history, SIM/cellular information, unique device/account identifiers, installed app list, device profiles.
Financial Targets: Cryptocurrency wallets and exchange data (e.g., Coinbase, Binance, Ledger, MetaMask, and others) — indicating dual espionage/financial motives.
Additional capabilities in some variants included taking screenshots, recording audio via microphone, and downloading further files from the C2 server.
The “hit-and-run” design meant the exposure was quick and stealthy, with temporary staging files deleted afterward, leaving minimal forensic traces on the device.
