Last week, cybersecurity researchers discovered a hacking campaign targeting iPhone users using an advanced hacking tool called DarkSword. Now, someone has leaked the latest version of DarkSword and posted it on code-sharing site GitHub.
Researchers warn that this could make it easier for hackers to use the tool to target iPhone users running older versions of Apple’s operating system who have not yet updated to the latest iOS 26 software. According to Apple’s own data on older devices, this will likely affect hundreds of millions of actively used iPhones and iPads.
“This is bad. It’s too easy to repurpose,” Matthias Frielingsdorf, co-founder of mobile security startup iVerify, told TechCrunch on Monday. “I don’t think we can contain it any longer, so we should expect criminals and other people to start distributing it.”
Frielingsdorf said these new versions of DarkSword spyware share the same infrastructure as those he and his iVerify colleagues previously analyzed, but the files are slightly different. He said files uploaded to GitHub aren’t complicated, and anyone with just HTML and JavaScript can copy and paste a file and host it on a server “within minutes to hours.”
“These attacks will work immediately,” Frielingsdorf said. “No iOS expertise required.”
Kimberly Samra, a Google spokeswoman who previously analyzed the DarkSword exploit, said Google researchers agree with Frielingsdorf’s assessment.
Contact us
Do you have any additional information about Darksword, Coruna, or other government hacking and spyware tools? You can contact Lorenzo Franceschi-Bicchierai securely via Signal at +1 917 257 1382 from a non-work device, or via Telegram, Keybase and Wire @lorenzofb or via email.
A security enthusiast named matteyeux also told TechCrunch that using the leaked DarkSword sample was really trivial. Matteyeux wrote in a post on
Tech Crunch Event
San Francisco, California
|
October 13-15, 2026
Apple spokesperson Sarah O’Rourke told TechCrunch that the company is aware of attacks targeting devices running outdated, outdated operating systems and issued an emergency update on March 11 for devices that cannot run the latest version of iOS.
“Keeping your software up-to-date is the most important thing you can do to keep your Apple products secure,” O’Rourke said, adding that devices with updated software installed are not at risk from reported attacks and that lockdown mode will also block these specific attacks.
A spokesperson for Microsoft, which owns GitHub, did not immediately respond to a request for comment.
The code that TechCrunch didn’t link to because it could be used in active attacks includes some comments explaining how the exploit works and how it was implemented.
One comment, believed to be from one of the developers working on DarkSword, said the exploit “reads and extracts forensics-related files from iOS devices via HTTP.” This means stealing information from an individual’s iPhone or iPad and sending that data over the Internet to an attacker-controlled server.
The comment says “This payload must be injected into a process with the file system access class.”
In one case, the code references “post-exploitation activities” and describes the process after the malware accesses an individual’s phone, hijacks content such as the iOS Keychain, which stores contacts, messages, call logs, Wi-Fi passwords and other secrets, and dumps them on a remote server.
Another file contained data being uploaded to a popular Ukrainian clothing website, but TechCrunch could not immediately confirm why. DarkSword was reportedly used by Russian government hackers against targets in Ukraine.
According to iVerify, Google, and Lookout, which previously analyzed the DarkSword malware, this particular spyware works specifically on iPhones and iPads running iOS 18.
According to Apple’s own figures, about a quarter of all iPhone and iPad users are still running iOS 18 or lower on their devices. It has over 2.5 billion active devices, which equates to hundreds of millions of people with devices vulnerable to DarkSword attacks.
That’s why Frielingsdorf recommends everyone to upgrade their iPhone operating system.
DarkSword’s discovery comes just weeks after researchers discovered another advanced iPhone hacking toolkit known as Coruna. As TechCrunch reported, Coruna was originally developed by L3Harris, a division of Trenchant that makes hacking tools for the U.S. government and its allies.
