
Hundreds of millions of iPhone users worldwide could be targeted by the DarkSword malware. Photo illustration: Certosoftware
A sophisticated new cyberattack campaign is raising global concern as it targets hundreds of millions of iPhone users worldwide. The spyware tool, known as DarkSword, is capable of stealing sensitive data with just a single click.
The tool was discovered by Google Threat Intelligence Group in collaboration with cybersecurity firms Lookout and iVerify. It can compromise a device as soon as the user visits a malicious website, without requiring any download or installation.
According to investigative reports, DarkSword exploits multiple vulnerabilities in devices running iOS 18, specifically versions 18.4 to 18.7. Apple data suggests that about 25 percent of current iPhones are still operating on these versions, meaning hundreds of millions of devices globally could be exposed.
The most alarming feature of DarkSword lies in its “no-install” mechanism. Unlike traditional malware, it does not require users to download files or grant permissions. Simply accessing a compromised website can immediately lead to a breach.
Once inside, the spyware quickly collects personal and financial data. However, instead of maintaining long-term surveillance like typical spyware, DarkSword operates on a rapid “hit-and-run” basis. According to Lookout, it remains on the device for only a few minutes, just long enough to extract and transmit data before erasing itself.
This behavior makes detection extremely difficult. In many cases, simply restarting the device removes nearly all traces, leaving users unaware that their iPhone was ever compromised.
The scope of data collection is extensive. DarkSword can access call logs, contacts, calendars, notes, photos, screenshots, location data, browsing history and login credentials.
More critically, it can also extract iCloud content, Wi-Fi passwords, SIM information, Find My iPhone settings and data from messaging platforms such as iMessage, email, WhatsApp and Telegram. Cryptocurrency wallet information is also a key target for attackers.
Security experts say DarkSword has already been used in real-world attacks. One of the earliest recorded incidents occurred in November last year, when users in Saudi Arabia were targeted through a fake Snapchat website called “Snapshare.” The site redirected users to the legitimate Snapchat page while secretly exploiting their devices.
More recently, a hacking group linked to the Russian government, identified as UNC6353, used DarkSword to target iPhone users in Ukraine. The group reportedly compromised legitimate news websites and government portals to distribute the malware, making the attacks significantly harder to detect.
Experts believe this group may also be behind a similar earlier tool known as Coruna, which targeted iOS versions 13 through 17.
One particularly concerning aspect of DarkSword is that its code appears to have been left behind without careful concealment, suggesting it could be reused or modified by other groups. According to Google Threat Intelligence Group, this indicates attackers are confident in their ability to quickly develop new tools once vulnerabilities are patched.
In this context, users are advised to regularly update their operating systems, avoid suspicious links and remain vigilant when browsing the web. As cyberattacks become increasingly sophisticated and invisible, even a single click can open the door to serious security and financial risks.
Hai Phong