A Single Website Visit Can Now Compromise Your iPhone — Hundreds of Millions May Be Exposed
A new and highly capable iPhone exploit that requires nothing from its target beyond loading a webpage has been documented by three major cybersecurity organisations, marking the second such disclosure within a single month and signalling what researchers describe as a maturing underground market for mobile spyware.
The exploit, internally named DarkSword, was detailed in coordinated reports published Wednesday by Google’s Threat Intelligence Group and the mobile security firms Lookout and iVerify. Its discovery follows the March 3 disclosure of a separate tool called Coruna, and both exploit chains were traced to overlapping server infrastructure.
How DarkSword Works
The attack begins the moment a vulnerable iPhone loads a compromised webpage in Safari. Hidden within the page’s code is a malicious iframe that triggers a chain of exploits for six distinct vulnerabilities, progressively dismantling the security layers Apple has built into iOS (sandbox restrictions, memory protections, and kernel access controls) until the attacker has full reach into the device.
The kill chain begins with Safari encountering the malicious iframe embedded in a web page. Once loaded, DarkSword breaks out of the WebContent sandbox and then leverages WebGPU to inject into system processes. From there, the malware executes a main orchestrator script that coordinates several smaller components, each harvesting a different category of data.
Three separate malware families have been deployed following a successful DarkSword compromise: GHOSTBLADE, a JavaScript dataminer that collects crypto wallet data, browser history, photos, location data, and communications from iMessage, Telegram, WhatsApp, email, and calls; GHOSTKNIFE, a backdoor capable of exfiltrating account data, messages, location history, and recordings; and GHOSTSABER, which can enumerate devices and accounts, list files, and execute remote JavaScript code.
Unlike long-term surveillance implants, DarkSword behaves like a smash-and-grab tool. Once it finishes exfiltrating the data it wants, it removes its working files and exits — with dwell time measured in minutes rather than months. That brevity makes forensic detection and victim notification significantly harder.
Who Is Using It and Against Whom
Google said its researchers observed multiple commercial surveillance vendors and suspected state-linked actors using DarkSword in distinct campaigns against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.
In November 2025, a threat cluster tracked as UNC6748 used a Snapchat-themed website to target Saudi Arabian users, deploying the GHOSTKNIFE backdoor. In late November and into January 2026, Turkish commercial surveillance vendor PARS Defense used the exploit against targets in Turkey and then Malaysia, deploying GHOSTSABER. PARS Defense did not respond to requests for comment.
UNC6353, a suspected Russian state-sponsored actor previously observed using the Coruna exploit kit, also used DarkSword against Ukrainian targets, deploying GHOSTBLADE — which collected a wide variety of information including location history, photos, calendar entries, notes, cryptocurrency wallet data, and Safari browsing history.
The Scale of Exposure
While Apple has patched the vulnerabilities DarkSword relied on, researchers estimated that as many as 220 to 270 million iPhones globally still run older software and remain potentially vulnerable — a problem compounded by uneven adoption of security updates.
That estimate has particular weight in Africa. Across Nigeria and much of the continent, delayed software updates are common — driven by mobile data costs, storage constraints, and limited awareness of security patch cycles. Journalists, lawyers, activists, NGO staff, and executives who handle sensitive communications on their phones face direct exposure if their devices remain unpatched.
Justin Albrecht, a principal researcher at Lookout, told Reuters that there is now a verified pipeline of recent exploits that have fallen into the hands of potentially criminal entities with a financial focus — a notable shift from the state-level intelligence apparatus that historically developed such tools.
Rocky Cole, co-founder and COO of iVerify, added that the discovery of two powerful iOS exploits in one month points to a robust ecosystem of tools once limited to state intelligence agencies.
What You Should Do
Apple has already patched the six vulnerabilities that DarkSword exploits. All vulnerabilities were addressed with the release of iOS 26.3, though most were patched in earlier updates. Google has also added the malicious domains involved in DarkSword delivery to Safe Browsing.
For users who cannot immediately update, security researchers recommend enabling Lockdown Mode in iOS settings as an interim protection measure. iVerify has also made its iVerify Basic app available free of charge until May, allowing any iPhone user to check their device for signs of infection.
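For teams that manage more than one iPhone, the advice above can be applied as a triage over a device inventory. The following is an added example, not code from Google, Lookout, iVerify or Apple: the CSV columns and device names are constructed, and it assumes only what the article states, namely that iOS 26.3 is the first release with all six fixes and that Lockdown Mode is an interim measure for devices below it.

```python
import csv
import io

PATCHED = (26, 3)  # from the article: all six flaws are addressed as of iOS 26.3

# Constructed sample inventory; the column names are assumptions, not a real MDM schema.
SAMPLE_INVENTORY = """device,os_version,lockdown_mode
alice-iphone,26.3,off
bob-iphone,26.2.1,on
carol-iphone,18.7,off
dave-iphone,26.10,off
erin-iphone,unknown,on
frank-iphone,26.3.1,
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(row):
    """Classify one device: patched, interim (Lockdown Mode on), exposed, or unknown."""
    version = parse_version(row.get("os_version") or "")
    if version is None:
        return "unknown"  # cannot show it is patched, so it needs a manual check
    # Tuple comparison is numeric per component, so 26.10 > 26.3 and 26.3.1 > 26.3.
    if version >= PATCHED:
        return "patched"
    # Below 26.3 the device may hold some of the fixes, but not provably all six.
    lockdown = (row.get("lockdown_mode") or "").strip().lower()
    return "interim" if lockdown == "on" else "exposed"


def triage_inventory(csv_text):
    """Map device name -> triage status for every row of the CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device"]: triage(row) for row in reader}


if __name__ == "__main__":
    for device, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device:14} {status}")
```

Devices reported as "exposed" or "unknown" are the ones to update or move into Lockdown Mode first; "interim" devices still need the update.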
The broader implication of DarkSword — and of Coruna before it — is that spy-grade mobile exploits are no longer the exclusive domain of intelligence agencies or boutique surveillance vendors. They are being traded, repurposed, and deployed by a widening set of actors, some with financial motives rather than geopolitical ones. For African institutions and individuals who rely on mobile as their primary computing environment, this is not a distant concern.

