
Google declined to comment beyond its ongoing blog post about its DarkSword findings. WIRED also contacted PARS Defense through its X account but did not immediately receive a response.
According to Lookout, DarkSword is designed to steal data from vulnerable iPhones, including passwords and photos; logs from iMessage, WhatsApp and Telegram; browser history; Calendar and Notes data; and even data from Apple’s Health app. Despite the apparent espionage focus of the hacking campaign, DarkSword also stole users’ cryptocurrency wallet credentials, suggesting that the hackers may have had a potential side business in cybercrime for profit.
Instead of installing existing spyware on users’ phones, DarkSword uses stealth techniques often seen in “fileless” malware that typically targets Windows devices, hijacking legitimate processes in the iPhone’s operating system to steal data. “Instead of using a spyware payload to brute-force its way through the file system – which leaves a lot of exploit artifacts that are much easier to detect – it uses system processes the way they should be used,” says iVerify’s Cole. “And it leaves very little trace.”
Cole says that the fileless technique also means that the DarkSword infection no longer remains on the phone after a reboot. Instead, it steals data from the phone within the first few minutes after it’s hacked – what Cole calls a “smash-and-grab” approach.
While the Koruna iOS hacking toolkit revealed earlier this month works against iOS versions 13 to 17, DarkSword works against most versions of iOS 18, which was the previous version of Apple’s mobile operating system before the company’s latest release, iOS 26. (In fact, DarkSword consists of two separate exploit “chains” that take advantage of different vulnerabilities in versions before and after iOS 18, depending on which target device it’s running on.) This means many more phones are at risk from DarkSword than from Koruna, especially given the relatively slow adoption and unpopularity of iOS 26, which was criticized for its new features like the “Liquid Glass” interface. It has been criticized for its visual effects, with some users complaining that it is overly animated and reduces legibility.