
Researchers Uncover ‘DarkSword’ iOS Exploit Targeting Credentials and Crypto Wallets

By: Jordan Vector Cybersecurity Expert

Last updated: March 19, 2026

  • Security researchers found a new iOS exploit kit, DarkSword, that harvests the personal credentials and cryptocurrency wallet details of iPhone users.

  • The exploit preys on devices running iOS 18.4 through 18.7 and traces back to multiple threat groups, including a suspected Russian gang.

  • Apple patched every vulnerability in its latest iOS releases; however, older devices are still at risk.

Mobile security firm Lookout found an exploit kit that compromises iOS devices with surgical accuracy. The threat is called DarkSword.

Lookout stumbled upon DarkSword while tracking the infrastructure behind the Coruna attacks disclosed earlier this month.

Google’s Threat Intelligence Group and iVerify joined the investigation. Together, they uncovered a threat that had been operating quietly since last November.

Multiple Threat Actors Deploy Three Malware Families

Google Threat Intelligence Group confirms that DarkSword has been active since at least November 2025. Several cybercriminal groups deployed it to install three distinct malware families on compromised iPhones.

GHOSTBLADE leads the pack as a JavaScript data miner. This malware scrapes everything it can find: crypto wallet data, system information, browser history, photos, location records, and communication data from WhatsApp, Telegram, iMessage, calls, email, and contacts.

GHOSTKNIFE operates as a backdoor. It exfiltrates signed-in accounts, messages, browser data, location history, and recordings. GHOSTSABER, another JavaScript backdoor, enumerates devices and accounts, lists files, executes JavaScript code, and steals data.

The exploit kit chains six vulnerabilities that Apple already patched in recent iOS updates. These flaws carry the identifiers CVE-2025-43529, CVE-2025-31277, CVE-2025-14174, CVE-2026-20700, CVE-2025-43520, and CVE-2025-43510. According to iVerify’s analysis, all six are documented, exploited weaknesses, and Apple addressed them in the most recent iOS releases.

UNC6748 became the first adversary spotted using the exploit chain. This group targeted Saudi Arabian users through a fake Snapchat website. By late November 2025, DarkSword surfaced in Turkey in activity linked to PARS Defense, a Turkish commercial surveillance vendor. The attackers focused on devices running iOS 18.4 through 18.7.

According to Google researchers, “unlike the UNC6748 event, this campaign took place with more focus on OPSEC, with obfuscation set to the exploit loader and a few of the exploit stages. AES and ECDH also came into action to encode exploits between the server as well as the victim.”

Russian Espionage Group Joins the Attack

UNC6353, a suspected Russian espionage actor, deployed the Coruna exploit kit last summer. In December 2025, this group switched to DarkSword exploits and began hitting Ukrainian targets.

The campaign ran through March 2026 using watering hole attacks. The hackers compromised legitimate websites and used them to deploy GHOSTBLADE malware for data theft.

Google researchers observed something interesting. Earlier DarkSword attacks by UNC6748 and PARS Defense supported iOS 18.7, but UNC6353 didn’t target that version despite operating later. Earlier this year, another PARS Defense customer used DarkSword in Malaysia to deliver the GHOSTSABER backdoor.

Lookout researchers discovered that both Coruna and DarkSword show signs of development using large language model assistance. DarkSword particularly stands out with multiple code comments explaining functionality.

“This malware is a top-tier class, with a professionally built platform that enables rapid development of modules via access to an advanced programming language,” Lookout states. “This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development, and extensibility.”

How the Exploit Works and What It Steals

DarkSword attacks start in the Safari browser. Attackers compromise legitimate sites and inject malicious iframes into their HTML. The individual exploits then work together to gain kernel read/write access and run code through a “main orchestrator” component, pe_main.js.

The orchestrator injects a JavaScript plugin into privileged iOS components such as App Access, SpringBoard, Wi-Fi, iCloud, and Keychain. Data-harvesting modules then activate and grab saved passwords, photos, WhatsApp and Telegram databases, cryptocurrency wallets from Coinbase, Binance, Ledger, and others, text messages, address books, call history, location history, browser history, cookies, Wi-Fi passwords, Apple Health data, calendars, notes, installed applications, and connected accounts.

DarkSword wipes its temporary files and exits after stealing this information. This behavior indicates the malware is not built for long-term surveillance. Lookout assesses that a Russian threat actor with financial objectives operates DarkSword while also conducting espionage aligned with Russian intelligence requirements.
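The watering-hole stage described above relies on an off-origin iframe being injected into an otherwise legitimate page. The following added example (not code from the article, Lookout, or Google) is a defender-side integrity check a site operator could run over their own HTML: it lists iframe and script sources and flags any whose host is not on the site’s allowlist. The sample page, hostnames, and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collects (tag, src) pairs for every <iframe> and <script> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def find_unexpected_embeds(html, allowed_hosts):
    """Return (tag, src) entries whose host is not in allowed_hosts.

    Relative URLs have no host and are treated as same-origin, so they
    are not reported; protocol-relative URLs (//host/path) are checked.
    """
    parser = _SrcCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    unexpected = []
    for tag, src in parser.sources:
        host = urlparse(src).hostname
        if host is None:  # relative path, same origin
            continue
        if host.lower() not in allowed:
            unexpected.append((tag, src))
    return unexpected


# Constructed sample: a normal page with one injected, hidden iframe
# pointing at a placeholder host (not a real indicator).
SAMPLE_PAGE = """
<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script></head>
<body><h1>News</h1>
<iframe src="https://loader.attacker-placeholder.test/x" width="0"
        height="0" style="display:none"></iframe>
</body></html>
"""
ALLOWED_HOSTS = {"cdn.example-site.test"}

if __name__ == "__main__":
    for tag, src in find_unexpected_embeds(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"unexpected <{tag}> pointing at {src}")
```

In practice the check would run against a baseline fetched from the origin server (or a CI artifact) rather than a hard-coded string, so that a newly added off-origin iframe shows up as a diff.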

The market for these stolen credentials is thriving. Snapchat account takeover kits are being sold for $350,000 on dark web forums, proving that the data harvested by malware like DarkSword has immense value to criminals looking to compromise accounts for fraud, extortion, or further attacks.

iPhone users should upgrade to iOS 26.3.1 immediately. Apple released this version earlier this month with patches for all DarkSword vulnerabilities. Users at high risk should enable Lockdown Mode for additional protection. Apple may backport fixes to older devices as it did with the Coruna exploits, but the company hasn’t confirmed this yet.

About the Author

Jordan Vector

Cybersecurity Expert

Jordan is a security researcher and advocate who focuses on making privacy practical. Whether he's explaining how to harden a browser or reporting on the latest surveillance disclosures, his goal is to equip readers with knowledge they can use immediately. Jordan believes that true security begins with understanding the digital landscape.
