New ‘DarkSword’ Leak Puts Millions of iPhones at Risk After Initial Attack
A newly leaked version of the DarkSword exploit kit is raising fresh concerns among security researchers, turning what was once a targeted iPhone attack into a widely accessible threat.
The tool, now publicly available online, dramatically lowers the barrier for attackers to compromise outdated Apple devices.
Unlike earlier DarkSword campaigns that relied on compromised websites and coordinated infrastructure, this leak makes the exploit far easier to deploy. Security experts warn that millions of iPhones running older iOS versions could now be exposed to opportunistic attacks from less experienced attackers.
From targeted attack to public exploit
Earlier reporting on March 19 showed that DarkSword was operating as a “watering hole” attack, silently infecting users who visited compromised websites. That version required attackers to control web infrastructure and carefully position targets.
Now, a newer variant has been leaked publicly on GitHub, according to TechCrunch. This new leak removes many of the technical and operational barriers that previously limited its use.
“This is bad. They are way too easy to repurpose,” Matthias Frielingsdorf, co-founder of iVerify, told TechCrunch. “I don’t think that can be contained anymore,” Frielingsdorf added.
Frielingsdorf said the exploits consist of simple HTML and JavaScript files that can be quickly deployed. “The exploits will work out of the box. There is no iOS expertise required,” Frielingsdorf emphasized.
Additional reporting from 9to5Mac noted that making the code public significantly increases the likelihood of widespread abuse.
Millions of outdated devices remain vulnerable
The scale of exposure remains significant. According to TechCrunch, Apple’s data shows that about one-quarter of iPhones are still running the older iOS versions, leaving hundreds of millions of devices vulnerable.
TechCrunch highlighted that the exploit’s capabilities mirror earlier findings. Once triggered, it can extract sensitive data such as contacts, messages, call logs, and stored credentials and transmit it to attacker-controlled servers.
AppleInsider also reported that the leaked code outlines post-exploitation activity, including how attackers can access iOS keychain data and upload stolen information to a remote server.
Researchers have described DarkSword as a fileless-style attack that uses legitimate system processes, making it harder to detect. The leaked version doesn’t change how the exploit works, but it significantly lowers the barrier to deploying it.
Apple urges updates as risk grows
TechCrunch reported that Apple had already issued an emergency update on March 11 for devices that could not run the newer version of iOS. Devices running updated software aren’t affected.
“Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products,” Apple spokesperson Sarah O’Rourke told TechCrunch.
For organizations, the leak increases the urgency of identifying unmanaged or outdated devices, especially in bring-your-own-device environments. Security teams may need to prioritize visibility into OS versions and enforce update policies more aggressively to reduce exposure as exploit code becomes easier to deploy.
Learn how the previously reported DarkSword iPhone exploit works and what steps you can take to protect your device from emerging threats.
About Author
