Leaked DarkSword Exploit Kit Threatens Millions of Older iPhones

A newer version of an advanced iPhone hacking tool called DarkSword has been publicly leaked on the code-sharing site GitHub. The leak comes just a week after cybersecurity researchers uncovered a hacking campaign utilizing the spyware to target iPhone users.

The public release of the exploit kit raises alarms because it lets anyone easily target iPhone and iPad users who are running older versions of Apple’s operating systems. According to Apple’s device data, about one-quarter of all active iPhone and iPad users (out of more than 2.5 billion active devices) are still running iOS 18 or earlier, versions that are vulnerable to this exploit. Apple’s latest software is iOS 26.

Matthias Frielingsdorf, the co-founder of the mobile security startup iVerify, stated that the leaked spyware is highly accessible and shares infrastructure with previously analyzed versions. “This is bad. They are way too easy to repurpose,” Frielingsdorf said. “I don’t think that can be contained anymore. So we need to expect criminals and others to start deploying this.”

Frielingsdorf explained that the files uploaded to GitHub consist simply of HTML and JavaScript. Because the tools are uncomplicated, individuals can copy, paste, and host them on a server in a matter of minutes or hours. “The exploits will work out of the box,” he noted. “There is no iOS expertise required.”

Researchers from Google, who previously analyzed the DarkSword exploit, concur with this assessment, according to Google spokesperson Kimberly Samra.

Demonstrating the ease of use, a security hobbyist known as matteyeux successfully utilized the circulating “in the wild” DarkSword sample to hack an iPad mini tablet running iOS 18.

Apple is aware of the exploit targeting devices with out-of-date operating systems. According to Apple spokesperson Sarah O’Rourke, the company issued an emergency update on March 11 specifically for devices unable to run recent versions of iOS.

“Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products,” O’Rourke stated. She added that updated devices are not at risk and that Apple’s Lockdown Mode blocks these specific attacks.

The leaked code contains comments detailing how the exploits function. One comment indicates that the payload “reads and exfiltrates forensically-relevant files from iOS devices via HTTP.” This process involves stealing information from the device and transmitting it over the internet to a server controlled by the attacker.

Further code references “post-exploitation activity” and outlines the process of extracting contents such as contacts, messages, call history, and the iOS keychain, which holds Wi-Fi passwords and other secrets.

One of the files also references uploading data to a popular Ukrainian apparel website. The DarkSword malware was allegedly utilized previously by Russian government hackers to target individuals in Ukraine.

A spokesperson for Microsoft, the parent company of GitHub, did not immediately respond to requests for comment regarding the hosted exploit kit.

The exposure of DarkSword follows the recent discovery of another advanced iPhone hacking toolkit called Coruna. That toolkit was originally developed by defense contractor L3Harris’s Trenchant division, which creates hacking tools for the United States government and its allies.