DarkSword Exploit Kit Targets iPhones, Steals Crypto Wallet and Personal Data

A newly identified exploit kit named “DarkSword” is being used to target iOS devices and extract a wide range of sensitive user information, including data from cryptocurrency wallet applications.

The kit targets iPhones running iOS 18.4 through 18.7 and has been linked to multiple threat actors. Among them is UNC6353, believed to have Russian origins, which leveraged the previously disclosed Coruna exploit chain earlier this month.

The exploit kit was uncovered by researchers at mobile security firm Lookout during an investigation into infrastructure tied to Coruna-based attacks. The analysis was further supported by Google’s Threat Intelligence Group (GTIG) and iVerify, providing deeper insights into this emerging threat and the groups behind it. According to iVerify, the exploit chain relies on already known vulnerabilities—covering sandbox escape, privilege escalation, and remote code execution—that have since been patched by Apple in recent iOS updates.

DarkSword operates using six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

According to a report from GTIG, the exploit kit has been active since at least November 2025 and has been deployed by several actors using three distinct malware families:
  • GHOSTBLADE: A JavaScript-based data stealer that collects extensive information such as cryptocurrency wallet details, system data, browsing history, photos, location, and communications from platforms like iMessage, Telegram, WhatsApp, email, and call logs.
  • GHOSTKNIFE: A backdoor capable of extracting account credentials, messages, browsing data, location history, and recordings.
  • GHOSTSABER: Another JavaScript-based backdoor that can enumerate devices and accounts, execute scripts, access files, and steal data.
The earliest observed use of this exploit chain is attributed to UNC6748, which targeted users in Saudi Arabia through a website mimicking Snapchat.

GTIG also reported that in late November 2025, DarkSword activity was detected in Turkey and linked to PARS Defense, a commercial surveillance vendor. These attacks targeted devices running iOS 18.4 through 18.7.

"Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim," GTIG notes.

Subsequently, Google researchers observed similar activity in Malaysia, where another PARS Defense client deployed the GHOSTSABER backdoor.

UNC6353, suspected to be involved in Russian espionage operations, has been using the Coruna exploit kit since mid-2025 and began deploying DarkSword in December 2025 against targets in Ukraine. These attacks continued into March 2026, primarily through watering hole campaigns involving compromised websites that delivered the GHOSTBLADE malware.

Researchers also noted that although "earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline."

Lookout researchers highlighted that both Coruna and DarkSword show signs of development aided by large language models (LLMs), with DarkSword containing multiple explanatory code comments.

“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” Lookout says.

“This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development and extensibility.”

In addition to the one-click exploit kit, iVerify identified a Safari-based exploit chain involving sandbox escape, privilege escalation, and in-memory implants capable of extracting sensitive data.

DarkSword attacks typically begin in the Safari browser, where multiple exploits are chained together to gain kernel-level read/write access. A central orchestrator component (pe_main.js) is then used to execute malicious code.

How the websites themselves were compromised remains unclear, but once inside, the attackers injected malicious iframes that pulled in the exploit chain whenever a vulnerable iPhone loaded the page. After the chain obtains kernel read/write, the orchestrator injects a JavaScript engine into high-privilege iOS services such as App Access, Wi-Fi, SpringBoard, Keychain, and iCloud, and runs collection modules like GHOSTBLADE inside them to exfiltrate data.
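The delivery step described above, an injected hidden iframe on an otherwise legitimate site, is something a web team or responder can look for in a captured copy of a suspect page. The following is an added example, not code from the original report or from Lookout, GTIG or iVerify: a standard-library HTML walker that flags iframes and script loaders pointing off-site, and iframes sized or styled to be invisible. The sample page and every hostname in it are constructed for illustration.

```python
"""Triage a captured web page for injected cross-origin iframes and loaders.

Added example, not from the original article. Flags the pattern the report
describes: a hidden, cross-origin <iframe> (or an off-site <script>) slipped
into a compromised site to pull in an exploit chain. SAMPLE_PAGE and the
hostnames in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectTriage(HTMLParser):
    """Collects (tag, src, reasons) for elements worth a closer look."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_cross_origin(self, url):
        # Relative URLs have no hostname and count as same-origin;
        # subdomains of the site (e.g. its own CDN) are treated as trusted.
        host = (urlparse(url).hostname or "").lower()
        if not host or host == self.site_host:
            return False
        return not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes (e.g. `hidden`) map to None
        if tag == "iframe":
            src = a.get("src") or ""
            reasons = []
            if self._is_cross_origin(src):
                reasons.append("cross-origin src")
            if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
                reasons.append("zero/one-pixel size")
            if HIDDEN_STYLE.search(a.get("style") or ""):
                reasons.append("hidden via CSS")
            if "hidden" in a:
                reasons.append("hidden attribute")
            if "srcdoc" in a:
                reasons.append("inline srcdoc content")
            if reasons:
                self.findings.append(("iframe", src, reasons))
        elif tag == "script":
            src = a.get("src") or ""
            if src and self._is_cross_origin(src):
                self.findings.append(("script", src, ["cross-origin loader"]))


def triage(html, site_host):
    """Return a list of (tag, src, [reasons]) for suspicious elements."""
    parser = InjectTriage(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a news site with its own CDN plus one injected
# zero-size cross-origin iframe and an off-site loader script.
SAMPLE_PAGE = """
<html><body>
<script src="https://cdn.example-news.test/app.js"></script>
<iframe src="https://example-news.test/embed/video" width="640" height="360"></iframe>
<iframe src="https://static-delivery.invalid/load" width="0" height="0"
        style="display:none;border:0"></iframe>
<script src="https://static-delivery.invalid/loader.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, src, reasons in triage(SAMPLE_PAGE, "example-news.test"):
        print(f"{tag:7} {src}  <- {', '.join(reasons)}")
```

Run it against a saved copy of the page (for example, fetched with curl from the same network position as the victim, since watering-hole injections are often served only to selected clients) and review every hit by hand; a legitimate analytics frame will trip the cross-origin check too, so the output is a shortlist, not a verdict.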

The stolen data may include:
  • Saved passwords
  • Photos (including hidden and screenshots)
  • Messaging app databases (WhatsApp, Telegram)
  • Cryptocurrency wallets (Coinbase, Binance, Ledger, etc.)
  • SMS messages
  • Contacts and call history
  • Location and browsing history
  • Cookies and Wi-Fi credentials
  • Apple Health data
  • Calendar entries and notes
  • Installed apps and linked accounts
Notably, the malware deletes its temporary files and exits once exfiltration completes: it collects and leaves rather than maintaining persistent surveillance, which also means on-device artifacts for responders are likely to be sparse.

Lookout assesses that DarkSword is likely used by a Russian-linked threat actor pursuing both financial gain and espionage objectives aligned with national intelligence interests.

Users are strongly advised to update their devices to the latest iOS version. Devices with Lockdown Mode enabled are also protected against both Coruna and DarkSword.

In a statement to BleepingComputer, Apple confirmed that patches addressing these vulnerabilities were released last year and backported to older devices, so users running iOS 15 through iOS 26 with current updates are protected. Apple also pointed to Memory Integrity Enforcement as a mitigation for this class of memory-corruption exploit; note that this defense is hardware-backed and available on the iPhone 17 family, not on every phone running a recent iOS.
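The two mitigation facts above (exploitation observed on iOS 18.4 through 18.7, and Lockdown Mode blocking the chain) are what a fleet administrator needs to turn an MDM export into a work list. This is an added example, not part of the article or any vendor tooling. It assumes an inventory with a version string and a Lockdown Mode flag per device; the rows are constructed. Because the report gives the affected range as major.minor only, every 18.4.x to 18.7.x point release is flagged conservatively, and the exact fixed build must be confirmed against Apple's security releases page.

```python
"""Flag iPhones in an MDM inventory that fall in DarkSword's observed iOS range.

Added example, not from the original article. Encodes two facts from the
report: exploitation was observed on iOS 18.4 through 18.7, and Lockdown
Mode blocks the chain. Assumption: point releases inside 18.4..18.7 are
treated as exposed (the report only gives major.minor); check the exact
fixed build against Apple's advisory. The inventory rows are constructed.
"""
from typing import List, NamedTuple, Tuple

AFFECTED_MIN = (18, 4)  # lowest major.minor the report names
AFFECTED_MAX = (18, 7)  # highest major.minor the report names


class Device(NamedTuple):
    name: str
    ios_version: str
    lockdown_mode: bool


def parse_version(v: str) -> Tuple[int, ...]:
    """'18.7.1' -> (18, 7, 1). Numeric tuples avoid the classic bug where
    the string '18.10' sorts below '18.7'."""
    return tuple(int(part) for part in v.strip().split("."))


def in_affected_range(v: str) -> bool:
    """True if major.minor lies within the observed 18.4..18.7 window."""
    major_minor = parse_version(v)[:2]
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def exposure(d: Device) -> str:
    """Classify one device against the report's facts."""
    if d.lockdown_mode:
        return "mitigated (Lockdown Mode)"
    if in_affected_range(d.ios_version):
        return "exposed (update required)"
    if parse_version(d.ios_version)[:2] < AFFECTED_MIN:
        # Not in the kit's observed range, but the underlying CVEs were
        # fixed in later releases, so an old train is still unpatched.
        return "review (below observed range, still unpatched)"
    return "not in observed range"


def triage_fleet(devices: List[Device]) -> List[Tuple[str, str]]:
    """Return (name, status) for every device, exposed ones first."""
    rows = [(d.name, exposure(d)) for d in devices]
    return sorted(rows, key=lambda r: not r[1].startswith("exposed"))


# Constructed inventory for illustration.
INVENTORY = [
    Device("exec-phone-01", "18.6.2", False),
    Device("exec-phone-02", "18.7.1", True),
    Device("field-phone-07", "18.3.2", False),
    Device("field-phone-09", "26.1", False),
    Device("field-phone-12", "18.10", False),  # hypothetical future build
]

if __name__ == "__main__":
    for name, status in triage_fleet(INVENTORY):
        print(f"{name:16} {status}")
```

Lockdown Mode is reported as a per-device setting, so it cannot be assumed for a whole fleet; where the MDM cannot read it, treat the flag as False and let the update requirement drive the work list.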

To reduce exposure further, users should keep a passcode enabled, use strong, unique passwords with two-factor authentication, avoid sideloading apps, and be wary of unexpected links and attachments. Bear in mind that the observed DarkSword campaigns delivered the chain through compromised legitimate websites, so link hygiene alone is not a reliable defense; keeping iOS current, or enabling Lockdown Mode on high-risk devices, is the control that actually blocks the chain.
