

Ethical Hacking News

New DarkSword iOS Exploit Kit Used to Steal Personal Data from iPhones


Apple iOS users are being targeted with a new exploit kit called DarkSword that can steal sensitive data such as cryptocurrency wallet information, browser history, photos, location history, and more. The first known attack was seen in Saudi Arabia, but the threat is far from over: the kit has since been linked to further attacks by multiple actors.

  • DarkSword is an exploit kit that targets iPhones running iOS 18.4 through 18.7.
  • The DarkSword exploit kit uses six vulnerabilities to infect devices.
  • The malware has been linked to multiple actors, including suspected Russian espionage actors.
  • DarkSword is highly sophisticated and can be used for financial gain and espionage purposes.
  • Users should upgrade to the latest version of iOS, 26.3.1, and enable Lockdown Mode to protect themselves from this threat.



    A new threat has emerged in the form of an exploit kit called "DarkSword" that targets iPhones running iOS 18.4 through 18.7. This exploit kit is linked to multiple actors, including UNC6353, suspected to be Russian, who used the Coruna exploit chain disclosed earlier this month.

    The DarkSword exploit kit uses six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. According to researchers at mobile security company Lookout, this malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high-level programming language.

    The DarkSword exploit kit was discovered by Lookout while investigating the infrastructure used for the Coruna attacks. Google's Threat Intelligence Group and iVerify also collaborated on a more comprehensive analysis of this previously unknown threat and the adversaries leveraging it.

    According to researchers, both Coruna and DarkSword exhibit signs of codebase expansion using large language model (LLM) assistance. This is particularly visible in the case of DarkSword, which has multiple comments that explain the code functionality.

    In a report today, Google Threat Intelligence Group says that DarkSword has been used since at least November 2025 by several threat actors, who deployed three separate malware families:

  • GHOSTBLADE, a dataminer in JavaScript that steals a swath of information, including crypto wallet data, system and connectivity info, browser history, photos, location and mobility, communication data from iMessage, Telegram, WhatsApp, email, calls, and contacts.
  • GHOSTKNIFE, a backdoor that can exfiltrate various types of data (signed-in accounts, messages, browser data, location history, recordings).
  • GHOSTSABER, a JavaScript backdoor that can enumerate devices and accounts, list files, execute JavaScript code, and steal data.

    The first adversary observed using the exploit chain is UNC6748, in attacks targeting Saudi Arabian users via a website impersonating Snapchat. The activity continued through March 2026 in watering hole attacks with compromised websites that deploy the GHOSTBLADE malware to exfiltrate data from compromised targets.

    DarkSword was used by another PARS Defense customer delivering the GHOSTSABER backdoor earlier this year. UNC6353, a suspected Russian espionage actor, has been using the Coruna exploit kit since last summer and in December 2025 started leveraging DarkSword exploits against Ukrainian targets. The activity continued through March 2026.

    Apple has already addressed these vulnerabilities in the latest iOS releases, but users running older versions of the operating system are still at risk. Lookout estimates that DarkSword is used by a Russian threat actor with financial objectives, while also conducting espionage aligned with Russian intelligence requirements.

    To protect themselves from this new threat, iPhone users are advised to upgrade to the latest version of iOS, 26.3.1 (released earlier this month), and to enable Lockdown Mode if they are at high risk of being targeted by malware.
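    For teams managing a fleet of iPhones, the version guidance above can be turned into an inventory triage. The following is an added example, not part of the original article or of any vendor tooling: the device names and the inventory format are constructed, and treating 18.7.x patch releases as part of the "18.4 through 18.7" range is an assumption.

```python
import re

# Values taken from the article above.
TARGETED_MIN = (18, 4)       # DarkSword targets iOS 18.4 ...
TARGETED_MAX = (18, 7)       # ... through 18.7
RECOMMENDED = (26, 3, 1)     # version the article recommends upgrading to

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,2}$")


def parse_ios_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version_text):
    """Classify one reported iOS version against the article's numbers."""
    version = parse_ios_version(version_text)
    if version is None:
        return "unknown"  # never silently treat bad inventory data as safe
    # Assumption: the range is compared on major.minor, so 18.7.x counts as 18.7.
    # Comparing integer tuples (not strings) keeps "18.10" out of the 18.4-18.7 range.
    if TARGETED_MIN <= version[:2] <= TARGETED_MAX:
        return "targeted-range"
    if version < RECOMMENDED:
        return "below-recommended"
    return "current"


def triage(inventory):
    """Group device names by classification, most urgent group first."""
    groups = {"targeted-range": [], "unknown": [], "below-recommended": [], "current": []}
    for device, version_text in inventory:
        groups[classify(version_text)].append(device)
    return groups


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    ("phone-01", "18.4"), ("phone-02", "18.7.1"), ("phone-03", "18.3.2"),
    ("phone-04", "26.3"), ("phone-05", "26.3.1"), ("phone-06", "n/a"),
    ("phone-07", "18.10"),
]

if __name__ == "__main__":
    for label, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{label:18} {', '.join(devices) or '-'}")
```

    Devices in the "unknown" group need a manual check, since a missing or malformed version string says nothing about exposure.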

    In conclusion, DarkSword is a highly sophisticated malware kit that targets iPhones running vulnerable versions of iOS. Its use has been linked to multiple actors, including suspected Russian espionage actors, who are using it for both financial gain and espionage purposes. Users should take immediate action to protect themselves from this new threat by upgrading their operating system and enabling Lockdown Mode.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-DarkSword-iOS-Exploit-Kit-Used-to-Steal-Personal-Data-from-iPhones-ehn.shtml

  • Published: Thu Mar 19 04:56:01 2026 by llama3.2 3B Q4_K_M












