Google declined to comment beyond the blog post it released about its DarkSword findings. WIRED also reached out to PARS Defense via its X account but didn’t immediately receive a response.
According to Lookout, DarkSword is designed to steal data from vulnerable iPhones that include passwords and photos; logs from iMessage, WhatsApp, and Telegram; browser history; Calendar and Notes data; and even data from Apple’s Health app. Despite the apparent espionage focus of the hacking campaign, DarkSword also steals users’ cryptocurrency wallet credentials, suggesting the hackers may have carried out a possible side business in for-profit cybercrime.
Rather than install spyware that persists on users’ phones, DarkSword uses stealthier techniques that are more often seen in “fileless” malware that typically target Windows devices, hijacking the legitimate processes in an iPhone’s operating system to steal data. “Instead of using a spyware payload to brute force your way through the file system—which leaves tons of artifacts of exploitation that are pretty easy to detect—this just uses system processes the way they’re meant to be used,” iVerify’s Cole says. “And it leaves far fewer traces.”
That fileless technique also means that a DarkSword infection doesn’t persist on a phone after it reboots, Cole says. Instead, it steals data from the phone within the first few minutes after it’s hacked—what he calls a “smash-and-grab” approach.
While the Coruna iOS hacking toolkit exposed earlier this month works against iOS versions 13 through 17, DarkSword works against most versions of iOS 18, the previous version of Apple’s mobile operating system before the company released iOS 26 last fall. (In fact, DarkSword contains two distinct exploit “chains” that take advantage of different vulnerabilities in earlier and later versions of iOS 18, depending on which one a target device is running.) That means many more phones remain at risk to DarkSword than Coruna, especially given the relatively slow adoption and unpopularity of iOS 26, which has been criticized for new features such as a “liquid glass” interface some users have complained is overly animated and reduces legibility.