New DarkSword iOS exploit used in infostealer attack on iPhones

By BleepingComputer

A new exploit kit for iOS devices and delivery framework dubbed “DarkSword” has been used to steal a wide range of personal information, including data from cryptocurrency wallet apps.

DarkSword targets iPhones running iOS 18.4 through 18.7 and is linked to multiple actors, including UNC6353, suspected to be Russian, who used the Coruna exploit chain disclosed earlier this month.

Researchers at mobile security company Lookout discovered DarkSword while investigating the infrastructure used for the Coruna attacks. Google’s Threat Intelligence Group and iVerify also collaborated for a more comprehensive analysis of this previously unknown threat and the adversaries leveraging it.

iVerify's findings indicate that all flaws (sandbox escape, privilege escalation, remote code execution) exploited in this exploit chain are known or documented, and Apple has already addressed them in the latest iOS releases.

The DarkSword exploit kit uses six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

Loading the right exploit script based on the detected iOS version
Source: Lookout

DarkSword attacks

In a report today, Google Threat Intelligence Group (GTIG) says that DarkSword has been used since at least November 2025 by several threat actors, who deployed three separate malware families:

  • GHOSTBLADE, a dataminer in JavaScript that steals a swath of information, including crypto wallet data, system and connectivity info, browser history, photos, location and mobility, communication data from iMessage, Telegram, WhatsApp, email, calls, and contacts
  • GHOSTKNIFE, a backdoor that can exfiltrate various types of data (signed-in accounts, messages, browser data, location history, recordings)
  • GHOSTSABER, a JavaScript backdoor that can enumerate devices and accounts, list files, execute JavaScript code, and steal data

The first adversary observed using the exploit chain is UNC6748, in attacks targeting Saudi Arabian users via a website impersonating Snapchat.

GTIG says that in late November 2025, DarkSword was used in Turkey, in activity associated with PARS Defense, a Turkish commercial surveillance vendor, on devices running iOS 18.4-18.7.

"Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim," GTIG notes.

Earlier this year, Google researchers noticed DarkSword being used in Malaysia by another PARS Defense customer delivering the GHOSTSABER backdoor.

UNC6353, a suspected Russian espionage actor, has been using the Coruna exploit kit since last summer, and in December 2025 started leveraging DarkSword exploits against Ukrainian targets.

The activity continued through March 2026 in watering hole attacks with compromised websites that deploy the GHOSTBLADE malware to exfiltrate data from compromised targets.

An observation from Google researchers is that although "earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline."

Actors using the DarkSword iOS exploit kit
source: GTIG

According to Lookout researchers, both Coruna and DarkSword exhibit signs of codebase expansion using large language model (LLM) assistance. This is particularly visible in the case of DarkSword, which has multiple comments that explain the code functionality.

“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” Lookout says.

“This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development and extensibility.”

DarkSword delivery chain

Apart from the 1-click DarkSword exploit kit, iVerify also found a Safari exploit with "sandbox escape, privilege escalation, and in-memory implants" that stole sensitive data from devices.

DarkSword attacks begin in the Safari browser, where multiple exploits are used to obtain kernel read/write access, and then execute code through a main orchestrator component (pe_main.js).

It is unknown how the websites that launched these attacks were compromised in the first place, but the threat actors had sufficient rights to inject malicious iframes into the HTML code of these sites.

Malicious iframe on a Ukrainian government site
Source: Lookout
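The injection step described above (a hidden iframe added to a legitimate site's HTML) is something a site operator can check for by periodically parsing the pages they serve and flagging any iframe whose origin is not on a known-good list. The script below is an added example and is not code from Lookout, GTIG or iVerify; the allowlist, the sample page and the `cdn-update.example` host are constructed for illustration.

```python
"""Flag iframes in served HTML that load from origins outside an allowlist.

Added example (not from the report): a watering-hole check a site owner can run
over their own pages. Relative and same-origin iframes are treated as expected;
any other origin is reported, and zero-size or hidden frames are marked as such
because an invisible frame is a common shape for an injected loader.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append({k.lower(): v for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is zero/one pixel or hidden via inline style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, allowed_hosts):
    """Return iframes whose src host is not in allowed_hosts (case-insensitive).

    Relative URLs (no host) are assumed same-origin and skipped. Inline
    'srcdoc' frames with no src are reported too, since injected content can
    be embedded directly rather than fetched.
    """
    allowed = {h.lower() for h in allowed_hosts}
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        if not src and "srcdoc" in attrs:
            findings.append({"src": "(inline srcdoc)", "host": "", "hidden": _is_hidden(attrs)})
            continue
        host = urlparse(src).hostname  # None for relative URLs such as /embeds/x.html
        if host is None:
            continue
        if host.lower() not in allowed:
            findings.append({"src": src, "host": host.lower(), "hidden": _is_hidden(attrs)})
    return findings


# Constructed sample page: two expected embeds plus one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<h1>Ministry news</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/embeds/map.html"></iframe>
<iframe src="https://cdn-update.example/loader.html" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""

# Constructed allowlist: embeds the site legitimately uses.
ALLOWED_HOSTS = {"www.youtube.com"}

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, ALLOWED_HOSTS):
        flag = "HIDDEN " if f["hidden"] else ""
        print(f"{flag}iframe from unexpected origin: {f['src']}")
```

Run it against a saved copy of each page (or the output of a fetch) and alert on any finding; a hidden frame from an origin nobody on the web team recognises is worth treating as a compromise until proven otherwise.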

The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, and then activates data-stealing modules (e.g., GHOSTBLADE) that collect the following information:

  • Saved passwords
  • Photos, including screenshots and hidden image files
  • WhatsApp and Telegram databases
  • Cryptocurrency wallets (Coinbase, Binance, Ledger, and others)
  • Text messages (SMS)
  • Address book
  • Call history
  • Location history
  • Browser history
  • Cookies
  • Wi-Fi history and passwords
  • Apple Health data
  • Calendar
  • Notes
  • Installed applications
  • Connected accounts

Notably, DarkSword wipes temporary files and exits when the above is exfiltrated to the threat actors, indicating that it was not designed for long-term surveillance operations.

Lookout estimates that DarkSword is used by a Russian threat actor with financial objectives, while also conducting espionage aligned with Russian intelligence requirements.

iPhone users are recommended to upgrade to iOS 26.3.1 (latest), released earlier this month, and enable Lockdown Mode if at high risk of being targeted by malware.

For those using older devices that don’t qualify for an update to the latest iOS version, Apple may backport fixes as it did with the Coruna exploits, but this hasn’t been confirmed yet.

Update [March 18, 11:39]: Article updated with information from the Google Threat Intelligence Group about the DarkSword exploit kit, available to BleepingComputer after publishing time.
