The public release on GitHub of the code for DarkSword, a powerful hacking tool, moves the discussion of iOS security from the realm of niche threats into the mainstream of business risk. What was previously a precision instrument in the hands of sophisticated hacking groups has become a publicly available set of instructions, forcing IT departments to revise their mobile device management policies.
DarkSword is not a single virus but a complete zero-day exploit chain that Google Threat Intelligence Group has been tracking since November 2025. Its effectiveness is based on infecting devices running iOS 18.4 to 18.7. Although Apple has already released patches for version 26.3, two problems remain: the ‘long tail’ of older devices and the speed at which the code spreads through the cybercrime ecosystem.
In the hybrid working model, the phone is the digital key to company resources. DarkSword allows the installation of malware families such as GHOSTBLADE or GHOSTSABER, which go beyond simple SMS theft. Experts, including Steve Cobb of SecurityScorecard, point to a critical aspect of this threat: an infected phone becomes a beachhead for attacks on SaaS platforms, cloud environments and corporate authentication systems. An attacker no longer needs to breach corporate firewalls if they have access tokens stolen from an employee’s mobile device.
The risk is exacerbated by the fact that DarkSword is the second such advanced leak in a short space of time, after the Coruna incident in March. This suggests a worrying professionalisation of the black market for spyware, where state-grade tools are becoming a common commodity. As AttackIQ’s Pete Luban notes, we are seeing a dangerous fusion of espionage with pure monetisation – the same data that serves intelligence in the morning can be used for financial theft in the evening.

