Google's Threat Intelligence Group (GTIG) has published a report describing a sophisticated, full-chain iOS exploit tool known as DarkSword. Since November 2025, the tool has been actively used by several commercial spyware developers as well as suspected state-sponsored hacking groups. These actors have carried out watering hole attacks by compromising legitimate websites, chaining six distinct security vulnerabilities into a complete intrusion process that runs from remote code execution within Safari to privilege escalation in the kernel.

DarkSword is compatible with iOS versions 18.4 through 18.7 and ships with three distinct families of malicious payloads of varying capability. These payloads facilitate the theft of all sensitive data stored on the device and enable remote control over it.

As of March 2026, it has been verified that at least three threat groups with differing backgrounds have employed DarkSword in attack campaigns across various global regions. This has impacted approximately 14.2% of iPhone users worldwide, or roughly 221.52 million devices. If the scope is broadened to include unpatched versions across the entire iOS 18 series, the proportion of potentially affected users rises to 17.3%, an estimated 270 million devices. Apple has comprehensively addressed these vulnerabilities in iOS version 26.3.
