Apple iOS vulnerability chain exposes new attack pathway, researchers say

A newly identified set of iOS vulnerabilities is at the centre of a sophisticated attack method known as “DarkSword,” according to a new research by Google’s Threat Intelligence Group, along with cybersecurity firms Lookout and iVerify. Their findings show how multiple flaws in Apple’s mobile operating system can be linked together to quietly break through the iPhone’s security layers.

While this attack potentially affects iOS 18 version users, an extremely large pool, the research points out that it was actively used against iPhone users in four countries: Saudi Arabia, Turkey, Turkey, Malaysia and Ukraine.

At its core, DarkSword is what researchers describe as an exploit chain. In simple terms, that means attackers don’t rely on a single bug but instead combine several weaknesses, using one to unlock the next, until they gain deeper access to the device. This layered approach is what makes the technique both powerful and difficult to detect.

The research points to the use of previously unknown vulnerabilities, often called zero-days, which are security flaws that developers have not yet fixed because they are not publicly known. By chaining these together, attackers are able to move from limited access to full control of the system, including sensitive parts of the operating system that are normally locked down.

A watering hole attack

What stands out in this case is how the attack is delivered. Instead of requiring users to install malicious apps, the DarkSword chain can be triggered through compromised websites. Visiting one of these pages is enough to start the process in the background, with no obvious warning to the user. This method, sometimes referred to as a watering hole attack, works by infecting sites that targets are likely to visit.

Once the chain is successfully executed, the attackers can run what is essentially spyware. This allows them to extract data from the device, monitor activity, and access private information. In some cases, the malicious code does not remain on the phone after a reboot, which makes forensic analysis and detection much harder.

The report suggests that tools like DarkSword are no longer confined to highly targeted espionage operations. While such exploit chains were once associated mainly with government-backed actors, researchers are now seeing signs that similar capabilities are spreading more widely. This raises concerns about how quickly advanced techniques can move beyond niche use and into broader circulation.

Lower barriers to attack

Another notable aspect of the research is the indication that parts of the exploit framework may have been exposed online. If confirmed, that could lower the barrier for other groups to replicate or adapt the method, accelerating its use across different campaigns.

The findings underline a broader shift in mobile security. As smartphone defences have improved, attackers have responded by building more complex, multi-step intrusion methods. Each individual flaw might seem minor on its own, but when combined, they can undermine even tightly controlled systems.

Researchers say the vulnerabilities used in the DarkSword chain have since been addressed in newer iOS updates. Apple’s recent iOS 26.3.1 was released earlier this month. For users who cannot immediately update their devices, the researchers suggest enabling “Lockdown Mode,” which is a hardened security feature designed to reduce the attack surface by limiting certain functionalities that attackers often exploit. Even so, the episode highlights how critical timely updates remain, especially as attack techniques continue to evolve in both scale and sophistication.