Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
For years, the mental model on iPhone security went roughly like this: nation-state spyware like Pegasus exists, but it’s expensive, carefully targeted, and not something ordinary users need to worry about. Keep your phone updated. Probably fine.
That model needs revision.
DarkSword is an iOS exploit kit documented this week by researchers at Google’s Threat Analysis Group, iVerify, and Lookout – three major research organizations publishing together, which is not routine. What it does: serve malicious code from compromised websites that silently infects iPhones running iOS 18 or earlier with no user interaction beyond visiting a page. No install prompt. No alert. Just a visit to an infected site.
“A vast number of iOS users could have all of their personal data stolen simply for visiting a popular website,” iVerify’s CEO told reporters. Not targeted users of specific apps. A vast number of iOS users on ordinary websites that happen to have been compromised. Russian threat actors have been observed using DarkSword in espionage campaigns. iOS 18 was still running on roughly 25% of iPhones as of February 2026.
Alongside DarkSword, a companion toolkit called Coruna was found deployed specifically against US government officials. Mass-deployment capability against broad populations, paired with targeted tools for high-value individual targets. That’s how the iOS exploitation market has evolved.
If a government official’s iPhone is compromised, their communications, contacts, calendar, location history, and authenticated app sessions become available to whoever deployed the kit. The “I use a secure messaging app” defense requires the endpoint to be trustworthy.
The old concern was a link-based attack – you had to click something. DarkSword’s drive-by model requires only that you visit. Ordinary browsing does that constantly. This moves iPhone security from a user-action problem to an exposure problem.
For everyone: Update to iOS 26 now. This closes the known DarkSword vulnerabilities. The standard advice to stay current has never been more concrete.
For higher-risk individuals: Government employees, journalists, executives. Consider Lockdown Mode. It’s designed for users facing nation-state level targeting and meaningfully reduces the attack surface. There are usability tradeoffs. For people who actually face this risk, the tradeoff is worth it.
For organizations: MDM policies should enforce iOS version minimums. An unpatched employee iPhone accessing corporate email or Slack isn’t just a personal risk.
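One concrete way to act on the MDM point above, as an added example that is not part of the original post or any MDM vendor’s tooling: a small audit script that takes a device inventory export and flags iPhones below a minimum iOS version. It assumes a CSV with `device_id`, `user` and `os_version` columns (the sample rows are constructed) and uses 26.0 as the floor, following the post’s advice to update to iOS 26. The point it demonstrates is that version strings have to be compared numerically; a naive string comparison ranks "9.3.5" above "26.0" and would mark an ancient device as compliant.

```python
"""Flag enrolled iPhones running below a minimum iOS version.

Added example, not from the post. Assumes an MDM inventory export in CSV
with columns device_id,user,os_version; the rows below are constructed.
"""
import csv
import io
import re

# Floor taken from the post's advice ("Update to iOS 26"); an assumption,
# not a vendor-documented build number.
MIN_IOS_VERSION = "26.0"

# Constructed sample of an inventory export. "unknown" stands in for a
# device whose OS version the MDM has not reported yet.
SAMPLE_INVENTORY = """device_id,user,os_version
IPHONE-0001,alice,26.0.1
IPHONE-0002,bob,18.7.2
IPHONE-0003,carol,18.3
IPHONE-0004,dave,9.3.5
IPHONE-0005,erin,26.1
IPHONE-0006,frank,unknown
"""


def parse_version(text):
    """Turn 'major.minor.patch' into a tuple of ints, padding missing parts with 0.

    Comparing tuples of ints is what makes (26, 0, 0) > (9, 3, 5) come out
    right; comparing the raw strings would put "9.3.5" after "26.0".
    Raises ValueError for anything that is not dotted digits.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_compliant(os_version, minimum=MIN_IOS_VERSION):
    """True if os_version is at or above the minimum."""
    return parse_version(os_version) >= parse_version(minimum)


def audit_inventory(csv_text, minimum=MIN_IOS_VERSION):
    """Bucket device_ids into compliant / noncompliant / unknown.

    Devices with an unparseable version go to 'unknown' rather than being
    silently treated as compliant; a missing version is a finding, not a pass.
    """
    result = {"compliant": [], "noncompliant": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ok = is_compliant(row["os_version"], minimum)
        except ValueError:
            result["unknown"].append(row["device_id"])
            continue
        result["compliant" if ok else "noncompliant"].append(row["device_id"])
    return result


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for bucket, ids in report.items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Run it against a real export by swapping `SAMPLE_INVENTORY` for the file contents; the non-compliant and unknown buckets are the ones that should lose access to corporate mail and chat until they report a current version.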
Apple’s security model is genuinely strong. None of that changed. What changed is the adversarial investment directed at it. Over a billion active devices, carrying communications from government officials, executives, journalists, lawyers – the return on iOS exploit research scales accordingly.
The Pegasus era showed nation-state actors would spend heavily for high-value individual targets. DarkSword and Coruna show the market evolved: general-purpose exploitation at lower cost, available to more operators, deployed at website scale.
Update. Now.