A single visit to a website can hack hundreds of millions of iPhones.
A new tool for hacking iPhones has come out just weeks after Google found one. Researchers from Google, iVerify, and Lookout have uncovered DarkSword, a technique that allows attackers to compromise iOS devices simply by visiting a website. Experts claim this tool has already been used in espionage campaigns and could affect hundreds of millions of users.
According to multiple publications by researchers, DarkSword is a security vulnerability that functions as a watering hole attack, a technique in which hackers infect legitimate websites to compromise victims' devices. In this case, any vulnerable iPhone only needs to load the page for the attacker to gain access to the phone.
Unlike traditional spyware, DarkSword does not install any files on the device. The tool uses fileless malware techniques, including hijacking operating system processes to steal data.
"Instead of using a spyware payload to force its way through the file system, this simply uses system processes the way they were designed to be used," explained Rocky Cole, co-founder of iVerify.
The DarkSword malware exploits six different security vulnerabilities across two separate attack chains, ranging from the WebKit rendering engine to the iOS kernel. According to security engineers, the malware operates within minutes, extracting as much data as possible, and disappears upon a device reboot. Because it doesn't install any files, it leaves minimal traces, making it difficult to detect.
Once a user visits a compromised website, hackers can steal a massive amount of data, including text messages, call logs, Wi-Fi passwords, browsing history, and cryptocurrency wallet information. They will also be able to access iMessage, WhatsApp, and Telegram app logs; calendar and notes data; and Apple Health app information.
According to Google's Threat Intelligence Group, the DarkSword malware has been used since at least November 2025 by multiple actors, including spyware vendors and state-sponsored espionage groups. Active campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine have been observed.
The most well-documented case involves the Russian spy group UNC6353, which used the Corona tool against Ukrainian websites, including a government server. In the cases of Turkey and Malaysia, Google detected DarkSword's use by clients of Pars Defense, a Turkish security and surveillance company.
The good news is that Apple has already fixed all the security vulnerabilities with the release of iOS 26. The tech giant has also released emergency updates for older models that cannot run the latest version of the operating system.