
Google declined to comment beyond a blog post on the DarkSword findings. WIRED also reached out to PARS Defense through the X account, but did not immediately receive a response.
According to Lookout, DarkSword is designed to steal data from vulnerable iPhones, including passwords and photos; notes from iMessage, WhatsApp and Telegram; browser history; Calendar and Notes information; and even data from Apple’s Health app. Despite the apparent espionage focus of the hacking campaign, DarkSword also steals users’ cryptocurrency wallet credentials, suggesting the hackers may have run a side business in commercial cybercrime.
Instead of installing persistent spyware on users’ phones, DarkSword uses stealth techniques more commonly found in “fileless” malware, which typically targets Windows devices: it hijacks legitimate processes in the iPhone’s operating system to steal data. “Instead of using a spyware payload to brute force your way through the file system — which leaves tons of exploit artifacts that are pretty easy to detect — it just uses system processes the way they’re supposed to be used,” says iVerify’s Cole. “And it leaves less of a mark.”
This fileless technique also means that the DarkSword infection doesn’t persist after the phone is restarted, Cole says. Instead, it steals data from the phone in the first few minutes after it’s cracked — what he calls a “smash-and-grab” approach.
While the Coruna iOS hacking toolkit exposed earlier this month works against iOS 13 through 17, DarkSword works with most versions of iOS 18, the version of Apple’s mobile operating system that preceded iOS 26, which the company released last fall. (In fact, DarkSword contains two different exploit “chains” that exploit different vulnerabilities in versions before and after iOS 18, depending on which one the target device is running.) criticized for new features like the “liquid glass” interface, which some users complain is over-animated and reduces readability.





