New Cyberattack Silently Compromises iPhones Through a Simple Website Visit
Cupertino, Wednesday, 18 March 2026.
Russian hackers are utilizing a newly discovered technique, DarkSword, to completely compromise iPhones and steal sensitive data—including cryptocurrency—the moment a user visits an infected website.
The Mechanics of a “Zero-Click” Menace
DarkSword operates primarily through “watering hole” attacks, a sophisticated technique where threat actors compromise legitimate websites to trap unsuspecting visitors [2][5]. In this campaign, hackers embedded malicious scripts into the pages of compromised Ukrainian domains, such as novosti[.]dn[.]ua [4][5]. When a user running vulnerable versions of Apple Inc.’s (AAPL) iOS, specifically versions 18.4 through 18.7, visits these pages, the exploit executes automatically without requiring any user interaction [2][4][6]. The attack framework is written entirely in JavaScript and chains six distinct vulnerabilities, including flaws in Safari’s JavaScriptCore and kernel-level memory management issues, to bypass Apple’s stringent Page Protection Layer [2][4][6].
State-Sponsored Espionage Meets Financial Crime
The deployment of DarkSword represents a troubling convergence of state-sponsored espionage and financially motivated cybercrime [3][5]. Google’s Threat Intelligence Group attributes a significant portion of the DarkSword campaigns to UNC6353, a well-funded Advanced Persistent Threat (APT) group aligned with Russian intelligence [2][3][5]. This group previously utilized a similar exploit toolkit known as Coruna, which was discovered earlier in March 2026 [1][2][5]. However, the DarkSword infrastructure, hosted on the same command and control servers as Coruna, has notably expanded its focus to include aggressive financial theft alongside traditional espionage [3].
Assessing the Scale of the Threat
The scale of the vulnerability is staggering, affecting a massive swath of the global smartphone market. Cybersecurity firm iVerify estimates that up to 270 million iPhone users could be susceptible to the DarkSword exploit [3]. Meanwhile, internal data from other security analyses suggests the impact is closer to roughly 221,520,000 devices running the highly vulnerable iOS versions between 18.4 and 18.6.2 [4], representing a variance of 21.885 percent between the two security firms’ maximum exposure models. While adoption rates for newer operating systems fluctuate, data from February 2026 indicates that approximately 25% of active iPhones were still running iOS 18 [1]. Rocky Cole, co-founder and CEO of iVerify, warned that users of older Apple devices or those who have delayed software updates remain severely exposed to having their personal data stolen simply by browsing popular websites [1].
Securing the Mobile Enterprise
In response to the escalating threat, Apple Inc. (AAPL) has aggressively patched the underlying vulnerabilities. The tech giant addressed the critical flaws utilized by DarkSword in security updates rolled out in iOS 26.1, 26.2, and 26.3, and released emergency security updates on March 12, 2026, for older devices unable to support the iOS 26 ecosystem [1][2][4]. An Apple spokesperson reiterated that maintaining up-to-date software remains the single most important defense mechanism for users to ensure the security of their devices [1].
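For teams managing iPhone fleets, the version ranges above translate into an inventory triage. The following is an added example, not code from the article or from any vendor: it sorts a constructed MDM export by the ranges the article states. The CSV column names and status labels are assumptions, and because the article gives no version number for the March 12 emergency update, devices in the affected range are flagged for manual verification rather than cleared.

```python
import csv
import io

# Ranges as stated in the article; it also cites 18.4-18.6.2 in one place,
# so the wider 18.4-18.7 range is used here.
AFFECTED_MIN, AFFECTED_MAX = (18, 4), (18, 7)
FIRST_FIXED = (26, 1)  # earliest fixed release the article names

# Constructed sample export; the column names are assumptions.
SAMPLE_INVENTORY = """device,os_version
iphone-001,18.6.2
iphone-002,26.2
iphone-003,18.3.1
iphone-004,26.0.1
iphone-005,
iphone-006,18.7
"""

def parse_version(text):
    """'18.6.2' -> (18, 6, 2); raises ValueError on empty or malformed input."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(version_text):
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # no usable version reported: follow up on the device
    major_minor = (version + (0,))[:2]  # compare on major.minor so 18.7.x stays in range
    if AFFECTED_MIN <= major_minor <= AFFECTED_MAX:
        # The article gives no version number for the 12 March emergency update,
        # so these cannot be cleared from the version string alone.
        return "affected-range"
    if major_minor >= FIRST_FIXED:
        return "fixed-line"
    return "review"  # outside the stated range and below 26.1

def triage(inventory_csv):
    buckets = {"affected-range": [], "fixed-line": [], "review": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        buckets[classify(row.get("os_version") or "")].append(row["device"])
    return buckets

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:15} {', '.join(devices) or '-'}")
```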