A newly identified iPhone exploit kit called DarkSword has been used to steal a huge amount of personal data, including information from cryptocurrency wallet apps.

The threat targets iPhones running iOS 18.4 to 18.7 and has been linked to several hacking groups. One of them is UNC6353, a suspected Russian threat actor that previously used the Coruna exploit chain revealed earlier this month.

DarkSword was discovered by mobile security company Lookout while researchers were examining infrastructure connected to the Coruna attacks. Google Threat Intelligence Group and iVerify also joined the investigation to better understand the threat and the actors behind it.

According to iVerify, the exploit chain uses flaws that were already known or documented. Apple has already fixed these issues in its latest iOS updates.

DarkSword relies on six vulnerabilities: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

Google says the exploit kit has been active since at least November 2025. During that time, different threat actors used it to deploy three separate malware families.

The first is GHOSTBLADE, a JavaScript data-stealing tool that collects a wide range of information. This includes crypto wallet data, system details, browser history, photos, location data, and communications from apps like iMessage, Telegram, WhatsApp, email, and phone records.

The second is GHOSTKNIFE, a backdoor that can steal signed-in account details, messages, browser information, location history, and recordings.

The third is GHOSTSABER, another JavaScript backdoor that can inspect devices and accounts, list files, run JavaScript code, and steal data.


The earliest known user of this exploit chain was UNC6748, which targeted people in Saudi Arabia through a fake Snapchat website.

Later in November 2025, DarkSword was also used in Turkey in activity linked to PARS Defense, a Turkish commercial surveillance vendor. These attacks targeted devices running iOS 18.4 to 18.7.

Google said this Turkish campaign showed stronger operational security than the earlier one. The attackers used obfuscation in the exploit chain and encrypted parts of the delivery process using ECDH and AES.

Earlier in 2026, Google researchers also found DarkSword being used in Malaysia by another PARS Defense customer, this time to deploy the GHOSTSABER backdoor.

UNC6353, believed to be connected to Russian espionage, began using DarkSword in December 2025 against Ukrainian targets after previously relying on the Coruna exploit kit.

Those attacks continued into March 2026 through watering hole campaigns, where compromised websites silently delivered the GHOSTBLADE malware to visitors and stole their data.

Google researchers also noted something interesting. Earlier DarkSword campaigns used by UNC6748 and PARS Defense supported iOS 18.7, but they did not see UNC6353 using that same support even though its operations happened later.

Lookout researchers said both Coruna and DarkSword appear to show signs of code expansion with help from large language model tools. In DarkSword, this is especially noticeable because the code includes many comments explaining what different parts do.

Lookout described the malware as highly sophisticated and said it looks like a professionally built platform designed for rapid module development using a high-level programming language. The researchers also said the structure suggests a strong focus on long-term maintenance, extension, and future development.


Besides the one-click DarkSword exploit kit, iVerify also found a separate Safari exploit that included a sandbox escape, privilege escalation, and memory-only implants used to steal sensitive data.

DarkSword attacks begin in Safari. The attackers use several exploits to gain kernel read and write access, then run code through a main orchestrator component called pe_main.js.

It is still unclear how the infected websites were compromised in the first place. However, the attackers had enough access to insert malicious iframes into the HTML of those sites.

Once active, the orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, SpringBoard, Keychain, and iCloud. It then launches data theft modules like GHOSTBLADE to collect information.
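Because the watering-hole delivery described above depends on an iframe being injected into a legitimate site's HTML, a site owner's most direct control is content-integrity monitoring of their own pages. The script below is an added example, not code from the article or from Lookout, Google or iVerify: it parses served HTML, lists every iframe, and flags those that point off-origin (and are not on an allowlist of known embeds) or that are hidden by zero size or `display:none`, which is how injected loaders typically stay out of sight. The sample page, the origin `example.com` and the hostnames in it are constructed for the example.

```python
"""Integrity check for injected iframes in a site's served HTML.

Added example, not code from the article or from any of the vendors it
names. Assumes the defender can obtain the HTML their own site serves and
knows its legitimate origin and embed providers. All hostnames and the
sample page below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Heuristic: zero-size or CSS-hidden iframes are typical of injected loaders."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_suspicious_iframes(html, site_origin, allowlist=()):
    """Return iframes that are off-origin and not allow-listed, or hidden.

    site_origin: the site's own hostname (e.g. "example.com", constructed).
    allowlist: hostnames of legitimate third-party embeds.
    Relative src values (no hostname) are treated as same-origin.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        off_origin = bool(host) and host != site_origin and host not in allowlist
        hidden = is_hidden(attrs)
        if off_origin or hidden:
            findings.append({"src": src, "host": host, "hidden": hidden})
    return findings


# Constructed sample: one legitimate video embed, one injected hidden iframe.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://player.example-video.invalid/embed/123" width="640" height="360"></iframe>
<iframe src="https://cdn-static.invalid/load.html" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(
        SAMPLE_HTML, "example.com", allowlist=("player.example-video.invalid",)
    ):
        print(finding)
```

Run it on a periodic fetch of each page and diff the result against a known-good baseline; a new off-origin or hidden iframe is the signal worth paging on. The allowlist keeps legitimate players and widgets quiet, and the hidden-iframe rule catches loaders even when they are served from a host that looks plausible.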

The stolen data can include saved passwords, photos, screenshots, hidden image files, WhatsApp and Telegram databases, crypto wallets such as Coinbase, Binance, and Ledger, SMS messages, contacts, call history, location history, browser history, cookies, Wi-Fi history and passwords, Apple Health data, calendar entries, notes, installed apps, and connected accounts.

One notable detail is that DarkSword deletes temporary files and shuts down after sending the stolen data back to the attackers. This suggests it was not built for long-term surveillance but rather for fast data theft.


Lookout believes the malware is being used by a Russian threat actor with financial motives, while also supporting espionage goals that may align with Russian intelligence interests.

iPhone users are being urged to update to iOS 26.3.1, the latest version released earlier this month, and to enable Lockdown Mode if they believe they may be at higher risk of targeted attacks.
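For a fleet administrator, the actionable facts in this article are the targeted version range (iOS 18.4 through 18.7) and the recommended version (26.3.1). The script below is an added example, not code from the article or any vendor, that triages a constructed MDM-style inventory export against those two facts and tells the operator which devices sit in the targeted range and which are merely behind the recommended release. The inventory format and device identifiers are assumptions.

```python
"""Triage an iOS device inventory against the versions named in the article.

Added example, not the article's or any vendor's code. Assumes an MDM
export of "device_id,ios_version" lines (constructed sample below). The
targeted range (18.4 through 18.7) and the recommended release (26.3.1)
come from the article; the inventory format is an assumption.
"""
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)      # any 18.7.x build counts as inside the range
RECOMMENDED = (26, 3, 1)

IN_RANGE = "in DarkSword target range: update now and consider Lockdown Mode"
BEHIND = "below recommended 26.3.1: update"
CURRENT = "current"


def parse_version(text):
    """'18.6.2' -> (18, 6, 2); pad to three components so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(version):
    """Map one version string to a triage verdict."""
    v = parse_version(version)
    if AFFECTED_MIN <= v[:2] <= AFFECTED_MAX:
        return IN_RANGE
    if v < RECOMMENDED:
        return BEHIND
    return CURRENT


def triage(inventory_csv):
    """Return {device_id: verdict} for a header-prefixed CSV export."""
    results = {}
    for line in inventory_csv.strip().splitlines()[1:]:
        device_id, version = (field.strip() for field in line.split(","))
        results[device_id] = classify(version)
    return results


# Constructed inventory: one device in the targeted range, one current,
# one older than the range, one newer but not on 26.3.1.
SAMPLE_INVENTORY = """device_id,ios_version
iphone-001,18.7.1
iphone-002,26.3.1
iphone-003,18.3
iphone-004,26.2
"""

if __name__ == "__main__":
    for device, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {verdict}")
```

Devices in the 18.4 to 18.7 band are the ones to chase first; the rest of the "behind" set is ordinary patch hygiene. The check is only as good as the inventory, so pair it with the MDM's last-check-in time to spot devices that have not reported a version recently.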


For users with older iPhones that cannot upgrade to the newest iOS version, Apple may release backported security fixes like it did for the Coruna exploits, but that has not yet been confirmed.
