A newly identified exploit kit named “DarkSword” is being used to target iOS devices and extract a wide range of sensitive user information, including data from cryptocurrency wallet applications.
The threat specifically impacts iPhones running iOS versions 18.4 to 18.7 and has been linked to multiple threat actors. Among them is UNC6353, believed to have Russian origins, which leveraged the previously disclosed Coruna exploit chain earlier this month.
The exploit kit was uncovered by researchers at mobile security firm Lookout during an investigation into infrastructure tied to Coruna-based attacks. The analysis was further supported by Google’s Threat Intelligence Group (GTIG) and iVerify, providing deeper insights into this emerging threat and the groups behind it. According to iVerify, the exploit chain relies on already known vulnerabilities—covering sandbox escape, privilege escalation, and remote code execution—that have since been patched by Apple in recent iOS updates.
DarkSword operates using six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
According to a report from GTIG, the exploit kit has been active since at least November 2025 and has been deployed by several actors using three distinct malware families:
- GHOSTBLADE: A JavaScript-based data stealer that collects extensive information such as cryptocurrency wallet details, system data, browsing history, photos, location, and communications from platforms like iMessage, Telegram, WhatsApp, email, and call logs.
- GHOSTKNIFE: A backdoor capable of extracting account credentials, messages, browsing data, location history, and recordings.
- GHOSTSABER: Another JavaScript-based backdoor that can enumerate devices and accounts, execute scripts, access files, and steal data.
The earliest observed use of this exploit chain is attributed to UNC6748, which targeted users in Saudi Arabia through a website mimicking Snapchat.
GTIG also reported that in late November 2025, DarkSword activity was detected in Turkey and linked to PARS Defense, a commercial surveillance vendor. These attacks targeted devices running iOS 18.4 through 18.7.
“Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim,” GTIG notes.
Subsequently, Google researchers observed similar activity in Malaysia, where another PARS Defense client deployed the GHOSTSABER backdoor.
UNC6353, suspected to be involved in Russian espionage operations, has been using the Coruna exploit kit since mid-2025 and began deploying DarkSword in December 2025 against targets in Ukraine. These attacks continued into March 2026, primarily through watering hole campaigns involving compromised websites that delivered the GHOSTBLADE malware.
Researchers also noted that although “earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline.”
Lookout researchers highlighted
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: