Cybersecurity researchers have recently uncovered a sophisticated attack chain known as DarkSword, capable of compromising Apple devices running iOS versions 18.4 to 18.7. This attack framework exploits six previously unknown zero-day vulnerabilities to deploy surveillance malware on targeted iPhones. Active attacks have been detected in countries including Saudi Arabia, Ukraine, Malaysia, and Turkey, indicating wide deployment.
The DarkSword framework can install data-stealing malware that collects data ranging from authentication credentials and communication logs to geolocation information. In this malicious campaign, cryptocurrency applications and digital wallets have become primary targets. Users can become infected simply by visiting weaponized web pages, with the entire process requiring no clicks or downloads.
Security analysts have documented at least three distinct malware variants distributed by DarkSword: Ghostblade, Ghostknife, and Ghostsaber. These malware payloads can rapidly exfiltrate target information and automatically remove themselves from infected systems after completing their tasks.

Ghostblade Malware Focuses on Attacking Cryptocurrency Applications
In addition to stealing digital currency, Ghostblade can collect text messages, iMessages, call logs, and contact lists from compromised devices. This spyware also extracts Wi-Fi passwords, Safari browser cookies, browsing history, and GPS coordinates. Furthermore, it can access Apple Health records, photo libraries, and conversations from messaging platforms like Telegram and WhatsApp.
Ghostblade employs a "smash and grab" strategy, clearing temporary traces and self-destructing after data exfiltration to minimize forensic evidence left on the infected device. The deployment of Ghostblade via DarkSword highlights the increasing threats faced by cryptocurrency holders.

Global Attack Distribution and Technical Operations
DarkSword's deployment has been confirmed through weaponized websites and hijacked government sites. Users in Saudi Arabia were reportedly lured by a fake page disguised as a Snapchat theme, which hosted DarkSword's exploit code. The attack framework injects malware payloads by generating hidden iframes and retrieving remote code execution modules.
Security teams disclosed these vulnerabilities to Apple at the end of 2025, and a fix was released in iOS version 26.3. Domains associated with DarkSword distribution have been added to browser security databases. iPhone users should immediately install the latest iOS updates or enable Lockdown Mode to defend against potential DarkSword attacks.
DarkSword poses a severe security challenge to global iOS cryptocurrency users. The rapid spread of its exploits and its adoption by various threat actors underscore the escalating risks to digital financial assets. Its comprehensive targeting of exchanges, wallets, and personal information further emphasizes the urgency of applying available security patches promptly.
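For teams managing iPhone fleets, the version numbers above translate into a triage check. The following is an added example, not code from the original report: it sorts a device inventory into buckets using the stated affected range (18.4 to 18.7) and fixed release (26.3). The CSV layout, column names, bucket names, and the treatment of patch releases such as 18.7.1 as in range are assumptions.

```python
import csv
import io

# Version bounds as stated in the article. Treating patch releases such as
# 18.7.1 as inside the 18.4-18.7 range is an assumption of this example.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (18, 4), (18, 7), (26, 3)

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """device,os_version,lockdown_mode
iphone-001,18.3.2,false
iphone-002,18.4,false
iphone-003,18.7.1,true
iphone-004,26.2,false
iphone-005,26.3.1,false
iphone-006,n/a,false
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is malformed."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text, lockdown_enabled):
    """Assign one device to a triage bucket (bucket names are hypothetical)."""
    version = parse_version(version_text)
    if version is None:
        return "unknown-version"      # cannot decide; needs manual review
    if version >= FIXED:
        return "patched"              # 26.3 or later carries the fix
    major_minor = (version + (0,))[:2]  # compare numerically, "18" means 18.0
    if AFFECTED_MIN <= major_minor <= AFFECTED_MAX:
        return "affected-lockdown" if lockdown_enabled else "affected"
    return "below-fix"                # older than 26.3; article gives no status

def triage(csv_text):
    """Group device names by bucket so the riskiest group can be handled first."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        lockdown = row["lockdown_mode"].strip().lower() == "true"
        bucket = classify(row["os_version"], lockdown)
        buckets.setdefault(bucket, []).append(row["device"])
    return buckets

if __name__ == "__main__":
    for bucket, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket}: {', '.join(devices)}")
```

Devices in the `affected` bucket are the ones to update or move to Lockdown Mode first; `below-fix` devices run a release older than 26.3 for which the article states no status.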

