Google declined to offer any additional comment beyond the blog post it published on its DarkSword findings. WIRED also tried to contact PARS Defense via its X account but did not receive an immediate response.
Lookout says DarkSword is built to exfiltrate information from vulnerable iPhones, including passwords and photos; message logs from iMessage, WhatsApp, and Telegram; browser history; Calendar and Notes entries; and even data from Apple’s Health app. Although the campaign appears to be espionage-focused, DarkSword also harvests cryptocurrency wallet credentials, indicating the operators may have pursued a for-profit cybercrime angle as well.
Rather than installing persistent spyware on victims’ phones, DarkSword employs subtler methods more commonly associated with “fileless” malware on Windows, hijacking legitimate iOS system processes to extract data. “Instead of using a spyware payload to brute force your way through the file system—which leaves tons of artifacts of exploitation that are pretty easy to detect—this just uses system processes the way they’re meant to be used,” iVerify’s Cole says. “And it leaves far fewer traces.”
Cole adds that because of this fileless approach, a DarkSword compromise doesn’t survive a reboot. Instead it grabs data from the device within minutes of the intrusion—a “smash-and-grab” tactic, he says.
While the Coruna iOS hacking toolkit revealed earlier this month targets iOS versions 13 through 17, DarkSword is effective against most builds of iOS 18, the release that preceded last fall’s iOS 26. (DarkSword actually contains two separate exploit “chains” that leverage different vulnerabilities in early and late iOS 18 builds, depending on which one the target device is running.) That means far more phones are vulnerable to DarkSword than to Coruna, particularly given the relatively slow uptake and unpopularity of iOS 26, which has been criticized for new features such as a “liquid glass” interface some users say is overly animated and reduces legibility.
