
Google Discovers DarkSword Exploit Chain Targeting Older iPhones with Zero-Day Vulnerabilities

⚡ Quick Summary

  • Google discovers DarkSword exploit chain targeting older iPhones
  • Related to previously disclosed Coruna exploit suggesting ongoing campaign
  • Achieves full device compromise including messages, photos, and sensors
  • Latest iOS updates patch the vulnerabilities; millions of older devices remain at risk

Google's security research team has disclosed a sophisticated exploit chain dubbed DarkSword that targets older iPhone models running outdated versions of iOS. The discovery comes just weeks after Google revealed the Coruna exploit chain, suggesting an active and well-resourced threat actor is systematically targeting Apple device users who have not updated to the latest software.

What Happened

Google's Threat Analysis Group (TAG) published details on March 19, 2026, about a previously unknown exploit chain they have designated DarkSword. The attack targets iPhones running iOS versions prior to the most recent security updates, exploiting a sequence of vulnerabilities that together allow an attacker to gain complete control of the targeted device, including access to encrypted messages, photos, location data, and microphone and camera feeds.

DarkSword operates through a multi-stage attack process. The initial infection vector appears to be malicious websites that deliver the exploit payload when visited by a vulnerable device, a technique known as a "watering hole" attack. Once the exploit chain executes successfully, it installs persistent surveillance software that can survive device reboots and operates silently without visible indicators to the user.

Google's researchers believe DarkSword is related to the Coruna exploit chain disclosed earlier this month, based on similarities in code structure, infrastructure, and targeting patterns. Both exploit chains appear to have been developed by the same threat actor, though Google has not publicly attributed the attacks to any specific group or nation-state. The sophistication of the exploits suggests a well-funded operation with significant technical resources.

Apple has been notified of the vulnerabilities and has reportedly already patched the specific flaws exploited by DarkSword in its latest iOS updates. However, the concern centers on the millions of iPhone users worldwide who continue to run older iOS versions, either because their devices are no longer supported or because they have not applied available updates.

Background and Context

The discovery of DarkSword represents the latest chapter in the ongoing cat-and-mouse game between security researchers and exploit developers. iOS exploit chains, which combine multiple vulnerabilities to achieve complete device compromise, are among the most valuable and sought-after capabilities in the cybersecurity landscape. On the commercial exploit market, a full iOS zero-day chain can command prices exceeding $2 million, reflecting both the difficulty of finding these vulnerabilities and the value of the access they provide.

Google's TAG has been one of the most prolific discoverers and disclosers of iOS vulnerabilities, a dynamic that reflects both the group's technical capabilities and the broader competitive relationship between Google and Apple. While some observers have questioned the optics of Google publicly disclosing Apple security flaws, the security community broadly supports responsible disclosure practices that ultimately protect users regardless of which company's products are affected.

The targeting of older iOS versions is a deliberate strategy by attackers. While Apple maintains a strong track record of patching known vulnerabilities quickly, a significant percentage of the global iPhone user base runs outdated software. This is particularly true in developing markets where older iPhone models remain in active use long after they have stopped receiving security updates, creating a permanent population of vulnerable devices.

For organizations that manage their cybersecurity alongside their productivity tools, the DarkSword disclosure underscores the importance of maintaining comprehensive device management and update policies across all platforms.

Why This Matters

DarkSword matters because it demonstrates that sophisticated threat actors are systematically investing in exploit development targeting the hundreds of millions of iPhones running outdated software. While security-conscious users who keep their devices updated are protected, the reality is that a substantial portion of the iPhone installed base remains vulnerable, and the attackers know this.

The discovery of two related exploit chains (Coruna and DarkSword) in quick succession suggests this is not an isolated effort but an ongoing campaign by a well-resourced adversary. The investment required to develop multiple iOS exploit chains simultaneously, including discovering the underlying zero-day vulnerabilities, engineering reliable exploits, building command-and-control infrastructure, and deploying surveillance payloads, indicates a state-sponsored or state-adjacent operation with substantial funding and technical talent.

For the broader mobile security landscape, these discoveries challenge the perception that iPhone users are inherently safer than users of other platforms. While iOS's security architecture is robust and Apple's patch response is generally swift, the security of any device ultimately depends on users applying available updates. The gap between available patches and installed updates represents the window of vulnerability that DarkSword and similar exploit chains are designed to exploit.

Industry Impact

The mobile device management (MDM) industry will see renewed interest from enterprise customers in the wake of the DarkSword disclosure. Organizations that allow employees to use personal iPhones for work purposes, a common arrangement under bring-your-own-device (BYOD) policies, face increased risk if those devices are running outdated iOS versions. MDM solutions that can enforce minimum OS version requirements and automate update deployment are likely to see increased demand.

The commercial spyware industry, which has faced increasing scrutiny and sanctions in recent years, will be further pressured by these disclosures. While Google has not directly attributed DarkSword to any commercial surveillance vendor, the operational characteristics of the exploit chain are consistent with the tools offered by companies in this sector. Governments and regulators may use these findings to justify additional restrictions on the sale and export of offensive cyber capabilities.

Apple's security reputation, while still strong, faces incremental erosion with each high-profile exploit disclosure. The company may respond with additional security hardening measures in future iOS releases, potentially including more aggressive update prompts and reduced functionality on devices running significantly outdated software. Enterprise IT teams running mixed device environments with Windows 11 workstations and mobile devices need to ensure consistent security policies across all platforms.

For the cybersecurity industry as a whole, the DarkSword and Coruna discoveries reinforce the importance of continued investment in vulnerability research and responsible disclosure programs. The fact that Google's TAG identified these exploit chains before they were widely deployed demonstrates the value of proactive security research in protecting users from sophisticated threats.

Expert Perspective

Mobile security researchers have described DarkSword as technically impressive, noting that the exploit chain successfully bypasses multiple layers of iOS security including Address Space Layout Randomization (ASLR), Pointer Authentication Codes (PAC), and the kernel's page protection mechanisms. Achieving reliable code execution through this many defensive layers requires deep understanding of iOS internals and significant engineering effort.

Threat intelligence analysts point to the targeting pattern as particularly revealing. Both Coruna and DarkSword appear focused on specific demographic and geographic profiles, suggesting targeted surveillance operations rather than broad criminal campaigns. This targeting pattern is consistent with nation-state intelligence operations, where the goal is to monitor specific individuals or groups rather than to compromise devices at scale for financial gain.

Privacy advocates have renewed calls for Apple to extend security update support for older devices, arguing that millions of users in lower-income countries rely on devices that no longer receive patches and are disproportionately vulnerable to attacks like DarkSword. While the cost of supporting legacy hardware indefinitely is significant, the humanitarian implications of leaving large populations permanently exposed to state-sponsored surveillance merit serious consideration.

What This Means for Businesses

Organizations should immediately audit their mobile device fleet to identify any iPhones running iOS versions vulnerable to DarkSword. Devices that cannot be updated to a supported iOS version should be evaluated for replacement, particularly if they have access to sensitive corporate data or communications. BYOD policies should be reviewed to ensure minimum OS version requirements are clearly defined and enforced.
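
One way to run the fleet audit described above, as an added example that is not part of the original article: it triages a constructed MDM inventory export into devices that need an update and devices whose hardware cannot reach the patched release, listing those with sensitive access first. The CSV columns, serials and version numbers (including the `99.2` minimum) are placeholders; the real minimum version comes from Apple's security release notes.

```python
import csv
import io

# Constructed MDM inventory export; column names and all values are assumptions.
SAMPLE_INVENTORY = """serial,owner,ownership,os_version,max_supported_os,sensitive_access
C0NSTRUCT01,alice,corporate,99.2.1,99.2.1,yes
C0NSTRUCT02,bob,byod,99.1,99.2.1,yes
C0NSTRUCT03,carol,byod,97.7.2,97.7.2,no
C0NSTRUCT04,dave,corporate,97.7,97.7.2,yes
"""

def parse_version(text):
    """Turn '97.7.2' into (97, 7, 2), padded so '99.2' equals '99.2.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(row, minimum):
    """Classify one device against the minimum patched OS version."""
    current = parse_version(row["os_version"])
    ceiling = parse_version(row["max_supported_os"])
    if current >= minimum:
        return "compliant"
    # The hardware cannot reach the patched release, so updating is not an option.
    if ceiling < minimum:
        return "replace"
    return "update"

def audit(inventory_csv, minimum_version):
    """Return (action, serial, owner) for non-compliant devices, riskiest first."""
    minimum = parse_version(minimum_version)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        action = triage(row, minimum)
        if action != "compliant":
            sensitive = row["sensitive_access"].strip().lower() == "yes"
            findings.append((not sensitive, action, row["serial"], row["owner"]))
    # Devices with access to sensitive data sort first, then by action name.
    findings.sort()
    return [(action, serial, owner) for _, action, serial, owner in findings]

if __name__ == "__main__":
    # "99.2" is a placeholder minimum, not a real iOS release number.
    for action, serial, owner in audit(SAMPLE_INVENTORY, "99.2"):
        print(f"{action:8} {serial} {owner}")
```
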

Companies operating in sectors that are common targets for state-sponsored surveillance, including defense, energy, finance, journalism, and human rights, should treat the DarkSword disclosure as a specific threat indicator and conduct targeted threat assessments. Businesses using enterprise productivity software should ensure their security policies extend to all connected devices, not just traditional endpoints.

Looking Ahead

The discovery of two related iOS exploit chains in rapid succession suggests more may be forthcoming as Google and other security researchers continue to analyze the threat actor's infrastructure and techniques. Apple is likely to respond with additional security measures in upcoming iOS releases, and the broader security community will be watching for signs of similar campaigns targeting other mobile platforms. The arms race between exploit developers and platform security teams shows no signs of abating.

Frequently Asked Questions

What is the DarkSword iPhone exploit?

DarkSword is a sophisticated exploit chain discovered by Google that targets older iPhones running outdated iOS versions. It can achieve complete device compromise including access to encrypted messages, photos, location data, and camera/microphone.

Is my iPhone affected by DarkSword?

If your iPhone is running the latest iOS version, you are protected as Apple has already patched the vulnerabilities. Older devices running outdated iOS versions that no longer receive updates remain vulnerable.

Who is behind the DarkSword attacks?

Google has not publicly attributed DarkSword to a specific group, but the sophistication and targeting patterns suggest a state-sponsored or state-adjacent threat actor with substantial resources.

OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.