Exploit Kit for Hacking Millions of iPhones Leaked Publicly


Last week, cybersecurity researchers uncovered a hacking campaign targeting iPhone users with an advanced tool called DarkSword. A newer version of DarkSword has now been leaked and published on GitHub.

Researchers warn that this allows hackers to target iPhone users running outdated Apple operating systems, impacting millions of iPhones and iPads according to Apple’s data on outdated devices.

“This is bad. They are too easy to repurpose,” Matthias Frielingsdorf, mobile security startup iVerify’s co-founder, told TechCrunch. “It can’t be contained anymore. We need to expect criminals to start deploying this.”

Frielingsdorf noted that the new DarkSword versions share infrastructure with previous ones he analyzed but differ slightly. The GitHub files, just HTML and JavaScript, are easy to copy and host on a server.

“The exploits will work out-of-box,” Frielingsdorf said. “No iOS expertise is required.”

Google spokesperson Kimberly Samra said their researchers agree with Frielingsdorf’s assessment.

A security hobbyist known as matteyeux confirmed to TechCrunch that the leaked DarkSword samples are trivial to use, having hacked an iPad mini running a vulnerable iOS 18 release with the circulating sample.

Apple spokesperson Sarah O’Rourke told TechCrunch they’re aware of the exploit targeting outdated devices and issued an emergency update for those unable to run recent iOS versions.

“Keeping software updated is crucial for security,” O’Rourke said, adding that updated devices aren’t at risk, and Lockdown Mode blocks these attacks.

GitHub owner Microsoft didn’t immediately comment.

The code, not linked by TechCrunch due to its potential use in attacks, contains developer comments on exploit functions and implementations. A comment reveals the exploit “reads and exfiltrates forensically-relevant files from iOS devices via HTTP,” indicating information theft from iPhones or iPads to attacker-controlled servers.

“This payload should be injected into a process with filesystem access class,” a comment reads. The post-exploitation details include accessing phone contents such as contacts, messages, call history, and keychain data, which are sent to a remote server.

Another file mentions uploading data to a Ukrainian apparel website, though the reason is unclear. DarkSword was allegedly used by Russian hackers against Ukrainian targets.

The spyware targets iPhones and iPads running iOS 18, as confirmed by iVerify, Google, and Lookout. Apple’s data indicates about one-quarter of iOS devices are on version 18 or earlier, equating to hundreds of millions of devices vulnerable to DarkSword attacks.

Frielingsdorf recommends upgrading iPhone operating systems.

DarkSword’s discovery followed that of another toolkit, Coruna, an advanced iPhone hacking tool. Coruna was initially developed by defense contractor L3Harris for the U.S. government and allies.
