Gardaí Warn Apple Users to Update Devices Immediately as DarkSword Malware Targets iPhones
Gardaí warn iPhone users to update immediately as DarkSword malware can silently steal personal data from unpatched devices.
A new virus has arrived which targets the system that powers Apple devices. Here’s what you need to know 👇
— Garda Info (@gardainfo) March 23, 2026
Victims of the malware should consult a competent cyber security professional and report the crime to their local Garda Station.#KeepingPeopleSafe pic.twitter.com/DEbcyFrlro
An Garda Síochána has issued an urgent warning to Apple users following the discovery of a sophisticated new malware threat targeting iPhones. The vulnerability, known as DarkSword, exploits weaknesses in Apple's iOS operating system and can silently steal personal data without the user's knowledge.
According to Gardaí, devices can be infected through compromised websites or infected links that inject malware and bypass the standard protections on the phone. Users do not receive any notification that their device has been compromised, as the malware works silently in the background with no effect on the phone's operation.
The malware primarily targets Apple devices running iOS versions 18.4 to 18.7 and allows attackers to access content, messages, contacts and credentials stored on the phone.
What is DarkSword?
DarkSword is a full exploit chain written entirely in JavaScript that was publicly disclosed on 18 March 2026 in a joint report by Google's Threat Intelligence Group (GTIG), cybersecurity firm Lookout, and mobile security company iVerify. The toolkit chains six separate vulnerabilities, including three zero-days, to achieve what researchers describe as a complete device takeover.
The exploit has been active since at least November 2025 and has been used by multiple threat actors, including commercial surveillance vendors and suspected state-backed groups. Campaigns have been observed targeting users in Ukraine, Saudi Arabia, Turkey and Malaysia, with a suspected Russian espionage group known as UNC6353 among those deploying the toolkit.
How does it work?
The attack begins when a user visits a compromised or malicious website using Safari. Simply loading the page is enough to trigger the exploit; no download or additional interaction is required. Researchers describe this as a "drive-by" attack.
Once triggered, DarkSword breaks out of Safari's security sandbox, escalates its privileges through the operating system and gains access to the device's core systems. The entire process takes just seconds to minutes before the malware collects sensitive data, sends it to a remote server and then deletes itself from the device, leaving little trace of its presence.
What can it steal?
The scope of data theft is extensive. According to the joint research, DarkSword can access emails, iCloud Drive files, contacts, SMS messages, Safari browsing history and cookies, usernames and passwords, photos, call history, Wi-Fi passwords, location data, calendar entries, health data, notes and message histories from apps including Telegram and WhatsApp.
The malware also specifically targets cryptocurrency wallet and exchange apps, including Coinbase, Binance, Kraken and Ledger, indicating that financially motivated attackers are among those using the toolkit.
Over 220 million devices potentially at risk
According to iVerify's analysis, approximately 14.2% of iPhone users, representing around 221 million devices running iOS versions between 18.4 and 18.6.2, are believed to be vulnerable. The true number could be higher when older iOS versions are taken into account. When combined with the related Coruna exploit kit disclosed two weeks earlier, the affected pool may run into hundreds of millions of unpatched devices worldwide.
How to protect your device
Apple has released patches to address all six vulnerabilities exploited by DarkSword. Gardaí advise users to update their devices to iOS 26.3.1 or iOS 18.7.6 to fully protect their phones. Users should go to Settings, then General, then Software Update to check for and install the latest version available.
Apple has also released security updates for iOS 15 and iOS 16 to extend protections to users with older iPhone models. Devices running iOS 13 or iOS 14 must be updated to at least iOS 15 to receive these protections.
Enabling Lockdown Mode in device settings will provide stronger protection, though Gardaí note this may limit some functionality. To enable Lockdown Mode, go to Settings, then Privacy & Security, scroll down and tap Lockdown Mode, then follow the on-screen instructions.
Anyone who believes they may have been affected by the malware should consult a competent cyber security professional and report the crime to their local Garda Station.
What are CISA and international agencies saying?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three of the six DarkSword vulnerabilities to its Known Exploited Vulnerabilities catalogue on 20 March 2026, ordering all federal agencies to apply Apple's security updates by 3 April 2026. CISA urged private organisations and individual users to prioritise the same updates immediately.
As of today, Ireland's National Cyber Security Centre (NCSC) has not published a specific advisory on DarkSword.
For more information on keeping your devices secure, visit apple.com/privacy.