DarkSword iOS Toolkit Now Public on GitHub Lowering Barrier for Potential iPhone Exploit

Last week, cybersecurity researchers warned of a growing threat targeting older iPhone models. A more advanced version of the DarkSword hacking toolkit was leaked online, and this threat, which has been associated with targeted attacks, appears to have escalated. It is now on public code-sharing platforms such as GitHub, which could make it much easier for threat actors to exploit vulnerabilities in older Apple devices.

DarkSword Code Published on GitHub

iVerify researchers said the new version of DarkSword has been uploaded to GitHub, making it easier to access and deploy. Several iPhone and iPad models running older versions of iOS, including iOS 18, are said to be targeted by the spyware. At the time of publishing this story, the code was still available on the platform.

In a conversation with TechCrunch, Matthias Frielingsdorf, co-founder of iVerify, said “The newer versions of DarkSword have the same infrastructure as the original exploit.” iVerify was one of the companies that first discovered the hacking campaign, along with Lookout and Google Threat Intelligence Group (GTIG).

This code reportedly contains relatively simple HTML and JavaScript files, which can be hosted on a server in minutes. In this way, it could allow attackers to create malicious webpages designed to compromise vulnerable devices.

Another security researcher reportedly claimed to have been using the public version of the exploit and to have compromised an iPad mini running iOS 18 with it. This indicates that a threat actor could run it, though it could not be done without technical expertise.

Apple said it is aware of what the exploit is doing to devices running older, outdated operating systems. The company released an emergency update to address vulnerabilities on devices that cannot be upgraded to the latest iOS versions, a statement said. Similarly, devices with Lockdown Mode enabled are also protected from these specific attacks (even on out-of-date software), according to the iPhone maker.

But despite this, the tech giant reiterated that such devices should also be updated to the latest iOS version as soon as possible.

What is DarkSword Spyware?

The DarkSword spyware is an iOS full-chain exploit that used multiple zero-day (previously unknown) vulnerabilities to completely compromise devices. It groups a number of bugs together to move from a web page to full control of the phone, and it is now available as a ‘toolkit’ on code-sharing platforms.

Security researchers say DarkSword is designed to extract sensitive data from hacked devices. It can access contacts, messages, call history and data stored in the iOS Keychain (including passwords and other credentials) and send this information to attacker-controlled servers.

The leaked source code describes in detail how the exploit is operated, including specific instructions for removing data from the internet through comments within the hacker’s “report” (along with its own information) and other details. In some cases, the code is said to refer to post-exploitation activities, describing how data can be collected and remotely transmitted after a device has been hacked.


MightNews