What is the DarkSword exploit kit?

DarkSword is a sophisticated exploit chain containing 6 vulnerabilities, including 3 zero-days, that can take full control of an iPhone through a JavaScript-based attack requiring no user interaction beyond visiting a compromised webpage.

How many iPhones are affected by DarkSword?

Security firm iVerify estimates approximately 221 million iPhones and iPads running iOS 18.4 through 18.6.2 are potentially vulnerable to the DarkSword exploit chain.

How do I protect my iPhone from DarkSword?

Update to iOS 19 or iOS 18.7.1 immediately. Enable Lockdown Mode if you are a journalist, activist, or high-risk user. Enable automatic updates and avoid clicking unknown links.

Who created the DarkSword exploit?

Google Cloud's Threat Intelligence Group traced DarkSword to nation-state actors as part of a campaign called Coruna, targeting dissidents and journalists before the tool was publicly leaked on GitHub.

Is DarkSword worse than Pegasus?

Security researchers consider DarkSword the most dangerous public iOS exploit leak since the Pegasus documentation in 2021, because the full exploit kit is now publicly available to any hacker, not just government clients.

What is DarkSword and why is it dangerous?

DarkSword is an iOS exploit kit that chains 6 vulnerabilities, including 3 zero-days, to achieve full privileged takeover of iPhones through a single webpage visit. It is exceptionally dangerous because it requires zero user interaction beyond opening a malicious page, and grants complete access to messages, camera, microphone, location, and all data on the compromised device. An estimated 221 million devices running iOS 18.4 through 18.6.2 are potentially vulnerable.

How can I check if my iPhone is affected by DarkSword?

Check your iOS version by going to Settings > General > About. If your device runs any iOS version from 18.4 through 18.6.2, it falls within the affected range. Apple released an emergency patch on March 11, 2026, so update immediately to the latest available version. Additionally, enabling Lockdown Mode provides an extra layer of protection as it has been confirmed to block the DarkSword exploit chain.

Does Apple Lockdown Mode protect against DarkSword?

Yes. Apple's Lockdown Mode has been confirmed to block the DarkSword exploit chain. It works by disabling many advanced web features that DarkSword requires to initiate its attack, including certain JavaScript APIs and WebKit functionalities. To enable it, go to Settings > Privacy & Security > Lockdown Mode. However, be aware that Lockdown Mode significantly restricts normal device functionality, including web browsing, messaging, and app features.

Who created DarkSword and why was it leaked?

According to Google's Threat Intelligence Group (GTIG), DarkSword was originally a state-linked surveillance tool used in targeted espionage campaigns. The motivation behind the public leak on GitHub around March 22-23, 2026 remains unconfirmed, but security researchers speculate it could be the work of a disgruntled insider or a deliberate destabilization tactic between rival threat groups. The leak has made this nation-state-level capability freely available to any sufficiently skilled attacker.

How does DarkSword compare to Pegasus spyware?

Technically, DarkSword is comparable to NSO Group's Pegasus in its ability to achieve full device compromise. However, DarkSword poses a far greater risk in terms of accessibility: while Pegasus was sold exclusively to governments for millions of dollars per deployment, DarkSword has been leaked publicly and freely on GitHub, making it available to anyone with sufficient technical skill. This represents the most significant public iOS exploit leak since Pegasus was exposed in 2021, potentially affecting 221 million devices worldwide.

Apple 2026: Siri AI, MacBook Neo, iPhone Fold & Intelligence | ZestLab

Severity: CriticalCVE-2026-XXXX

DarkSword: The Most Dangerous iPhone Exploit Kit Leaked Publicly

The DarkSword exploit kit, chaining 6 vulnerabilities including 3 zero-days, was publicly leaked on GitHub around March 22-23, 2026. An estimated 221 million iPhones running iOS 18.4 through 18.6.2 are at risk of full device takeover through a single malicious webpage visit.

Published: March 25, 2026 | cybersecurity

Photo: NurPhoto via TechCrunch

Devices Affected

Chained Vulnerabilities

Zero-Day Flaws

User Interaction Required

Key Takeaways

DarkSword chains 6 vulnerabilities including 3 zero-days for full privileged iPhone takeover via JavaScript
An estimated 221 million devices running iOS 18.4-18.6.2 are potentially vulnerable
Apple released an emergency patch on March 11; Lockdown Mode confirmed to block the attack
This is the most dangerous public iOS exploit leak since Pegasus in 2021

What Is DarkSword?

DarkSword is an iOS exploit kit developed by nation-state-linked threat actors. According to Google's Threat Intelligence Group (GTIG), this tool had been used in targeted surveillance campaigns before being publicly leaked. It represents one of the most sophisticated attack toolkits ever made publicly available.

The exploit operates entirely through JavaScript: a victim only needs to visit a weaponized webpage and the attack chain triggers automatically without any user interaction. Once compromised, the spyware gains full access to messages, camera, microphone, location, and all device data.

▸ If you're running iOS 18.5 on your iPhone, your device could be fully compromised by a single webpage visit

The Leak: What Happened

DarkSword exploit kit technical analysis from The Hacker News

Photo: The Hacker News

Around March 22-23, 2026, the complete source code of the DarkSword exploit kit was posted publicly on GitHub by an anonymous account. The repository contained full exploit code for all 6 vulnerabilities, including detailed deployment documentation and command-and-control infrastructure.

GitHub removed the repository within hours, but the source code had already been mirrored and widely circulated across underground security forums and Telegram channels. According to security researchers, this represents the most dangerous nation-state cyber weapon leak since NSO Group's Pegasus spyware was exposed in 2021.

▸ The exploit code is now in the hands of anyone with sufficient technical skill, no longer restricted to nation-state actors

DarkSword Exploit Chain Breakdown

6 vulnerabilities exploited sequentially, from webpage visit to full device takeover

WebKit Renderer ExploitZero-Day

Malicious JavaScript triggers a heap overflow bug in the Safari browser engine through a crafted webpage.

Browser Sandbox Escape

A sandbox vulnerability allows the exploit to break free from the browser's isolation environment.

Kernel Privilege EscalationZero-Day

A zero-day kernel flaw grants the attacker root-level access to the entire iOS operating system.

Code Signing Bypass

Circumvents Apple's code verification to load and execute unsigned spyware payloads.

Persistent InstallationZero-Day

The spyware writes itself into the system partition, surviving device reboots.

Full Device Takeover

Complete access to messages, camera, microphone, location, photos, and all device data.

Is Your Device Affected?

DarkSword affects devices running iOS versions 18.4 through 18.6.2, covering all iPhone models supporting iOS 18. Check your iOS version by going to:

Settings > General > About > Software Version

VULNERABLE

iOS 18.4 - 18.6.2

SAFE

iOS 18.6.3+ (patched)

Apple's Emergency Response

Apple released an emergency patch on March 11, 2026 for older iOS versions, even before the exploit kit was publicly leaked. This indicates Apple was aware of the vulnerabilities through internal reports or security research disclosures.

Apple also confirmed that Lockdown Mode can block the DarkSword exploit chain by disabling the advanced web features that the toolkit requires to initiate its attack. However, not all users have this feature enabled as it significantly restricts normal device functionality.

▸ If you haven't updated iOS since before March 11, your device has been in a vulnerable state for the past 2 weeks

DarkSword vs. Pegasus: Historical Context

Historical comparison between DarkSword and Pegasus spyware

Photo: Wikimedia Commons

	DarkSword	Pegasus
Target	iOS 18.4 - 18.6.2	iOS / Android
Exploits	6 (3 zero-day)	3+ zero-day
Attack vector	JavaScript (web visit)	iMessage (zero-click)
Accessibility	Publicly leaked, free	Sold to governments, millions USD
Affected devices	~221 million	Tens of thousands (targeted)
Status	Leaked March 2026	Exposed 2021

The critical difference between DarkSword and Pegasus lies in accessibility. NSO Group's Pegasus was sold exclusively to governments for millions per license, limiting victims to tens of thousands. DarkSword, after being freely and publicly leaked on GitHub, opens the door to unprecedented mass exploitation with 221 million devices in the vulnerable range.

What You Should Do Right Now

Update iOS immediately

Go to Settings > General > Software Update and install the latest available version. Apple's emergency patch addresses all 6 vulnerabilities.

Enable Lockdown Mode

Go to Settings > Privacy & Security > Lockdown Mode. It restricts functionality but blocks the DarkSword exploit chain.

Review your browsing history

If you visited unfamiliar websites or received suspicious links recently, consider backing up important data and performing a factory reset.

Do not open links from unknown sources

Avoid clicking links sent via messages, email, or social media from senders you cannot verify.

▸ An iOS update takes about 15-20 minutes but could protect all your personal data, photos, messages, and financial information on your device

Apple 2026: News and Events Hub Secure Password Generator

References

Frequently Asked Questions

By Hoa Dinh · Founder & Senior Tech Editor

Published: March 25, 2026 · Updated: April 3, 2026

Explore ZestLab Tools

JSON Formatter Base64 Encoder Markdown Preview

technology·DarkSword exploit · iPhone hack 2026 · iOS zero-day · iPhone security vulnerability