Darksword iOS Exploit Unleashes Infostealer Attack on iPhones, Exposing Users to Critical Security Risks

Newly Discovered iOS Exploit Kit “DarkSword” Linked to Infostealer Attacks

A newly discovered iOS exploit kit, dubbed “DarkSword,” has been linked to a series of infostealer attacks targeting iPhone users. The exploit kit, which affects devices running iOS 18.4 through 18.7, is believed to be the work of multiple threat actors, including UNC6353, a suspected Russian espionage group.

Discovery and Analysis

Researchers at Lookout, a mobile security firm, discovered DarkSword while investigating the infrastructure used in the Coruna attacks, which were disclosed earlier this month. Google’s Threat Intelligence Group and iVerify collaborated on a comprehensive analysis of the DarkSword threat, revealing that the exploit kit uses six known vulnerabilities, tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

Malware Families and Data Exfiltration

The DarkSword exploit kit has been used since at least November 2025 by several threat actors, who deployed three separate malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These malware variants can exfiltrate a wide range of sensitive data, including cryptocurrency wallet information, system and connectivity data, browser history, photos, location and mobility data, communication data from iMessage and Telegram, and more.

Observed Uses and Actors

One of the earliest observed uses of the DarkSword exploit chain was by UNC6748, which targeted Saudi Arabian users via a website impersonating Snapchat. Later, in late November 2025, DarkSword was used in Turkey by PARS Defense, a Turkish commercial surveillance vendor, on devices running iOS 18.4-18.7.

UNC6353, the suspected Russian espionage actor, has been using the Coruna exploit kit since last summer and began leveraging DarkSword exploits against Ukrainian targets in December 2025. The activity continued through March 2026 in watering hole attacks with compromised websites that deployed the GHOSTBLADE malware.

Codebase Expansion and Delivery Chain

Researchers note that DarkSword exhibits signs of codebase expansion with large language model (LLM) assistance, indicating that significant effort went into developing the kit. It uses a sophisticated delivery chain that begins in the Safari browser, where multiple exploits are chained to obtain kernel read/write access and execute code through a main orchestrator component.

The orchestrator injects a JavaScript engine into privileged iOS services, such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, and then activates data-stealing modules that collect sensitive information, including saved passwords, photos, cryptocurrency wallets, text messages, address book data, call history, location history, browser history, cookies, Wi-Fi history, and passwords, as well as Apple Health data, calendar data, notes, installed applications, and connected accounts.

Risk and Mitigation

Notably, DarkSword wipes temporary files and exits after exfiltrating data, indicating that it was not designed for long-term surveillance operations. Researchers estimate that DarkSword is used by a Russian threat actor with financial objectives, while also conducting espionage aligned with Russian intelligence requirements.

iPhone users who are using older devices that do not qualify for an update to the latest iOS version may be at risk, although Apple may backport fixes as it did with the Coruna exploits. Users are advised to update their devices to the latest iOS version to protect against the DarkSword exploit kit.
