Last week, cybersecurity researchers revealed a hacking campaign targeting iPhone users that used an advanced hacking tool called DarkSword. Now someone has leaked a newer version of DarkSword and posted it on the code sharing site GitHub.
Researchers warn that this would allow any hacker to easily use the tools to target iPhone users who are running older versions of Apple’s operating systems and have not yet updated to the latest iOS 26 software. This likely affects hundreds of millions of iPhones and iPads in active use, according to Apple’s own data on out-of-date devices.
“That’s bad. They’re very easy to reuse,” Matthias Frielingsdorf, the co-founder of mobile security startup iVerify, told TechCrunch on Monday. “I don’t think this can be contained anymore. So we have to wait for criminals and others to start using it.”
Frielingsdorf said these new versions of the DarkSword spyware share the same infrastructure as the versions his colleagues at iVerify analyzed previously, although the files are slightly different. The files uploaded to GitHub are not complex, just HTML and JavaScript, he said, meaning anyone can copy and paste them and host them on a server “in minutes to hours.”
“The exploits will work out of the box,” Frielingsdorf said. “No iOS expertise required.”
Google spokesperson Kimberly Samra, who previously analyzed the DarkSword exploit, said the company’s researchers agree with Frielingsdorf’s assessment.
Contact us
Do you have more information about DarkSword, Coruna, or other government hacking and spyware tools? From a non-work device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email.
A security hobbyist who goes by matteyeux also told TechCrunch that it is indeed trivial to use the leaked DarkSword samples. Matteyeux wrote in a post on X on Monday that he was able to hack an iPad mini tablet running iOS 18, the previous generation of the operating system, which is vulnerable to DarkSword, using the DarkSword “in the wild” sample circulating online.
Apple spokeswoman Sarah O’Rourke told TechCrunch that the company was aware of the exploit targeting devices running older and outdated operating systems, and issued an emergency update on March 11 for devices unable to run recent versions of iOS.
“Keeping your software up-to-date is the most important thing you can do to keep your Apple products secure,” O’Rourke said, adding that devices with updated software are not at risk from these reported attacks and that Lockdown mode will also block these specific attacks.
A representative for Microsoft, which owns GitHub, did not immediately respond to a request for comment.
The code, which TechCrunch is not linking to because it could be used in active attacks, contains several comments that describe how the exploits work and how to implement them.
A comment, likely written by one of the developers who worked on DarkSword, says the exploit “reads and infiltrates forensically relevant files from iOS devices via HTTP,” referring to stealing information from a person’s iPhone or iPad and sending the data over the Internet to a server controlled by attackers.
“This payload should be injected into a process with a file system access class,” the comment says.
In one case, the code refers to “post-exploit activity” and describes what happens after the malware gains access to a person’s phone: it grabs the device’s contents, including contacts, messages, call history and the iOS Keychain, which stores Wi-Fi passwords and other secrets, and dumps them on a remote server.
Another file contains references to uploading data to a popular Ukrainian clothing website, though TechCrunch could not immediately determine why. DarkSword was reportedly used by Russian government hackers against Ukrainian targets.
This particular spyware works specifically against iPhones and iPads running iOS 18, according to iVerify, Google, and Stand-by, which also previously analyzed the DarkSword malware.
According to Apple’s own numbers, about a quarter of all iPhone and iPad users are still running iOS 18 or earlier on their device. With more than 2.5 billion active devices, that likely equates to hundreds of millions of people whose devices are vulnerable to DarkSword attacks.
That’s why Frielingsdorf recommends everyone upgrade their iPhone’s operating system.
The discovery of DarkSword came just weeks after researchers discovered another advanced iPhone hacking toolkit known as Coruna. As TechCrunch reported, Coruna was originally developed by defense contractor L3Harris, whose Trenchant division makes hacking tools for the US government and its allies.
