

Ethical Hacking News

New “DarkSword” iOS Exploit Used in Sophisticated Infostealer Attack on iPhones



A new "DarkSword" iOS exploit has been used in a sophisticated infostealer attack on iPhones, according to recent research by Lookout and Google's Threat Intelligence Group. The DarkSword exploit kit targets devices running iOS 18.4 through 18.7, using six known or documented vulnerabilities, including those disclosed earlier this month with the Coruna exploit chain. Experts warn that iPhone users should upgrade to the latest version of iOS as soon as possible.

  • A sophisticated infostealer attack targeting iPhones has been discovered using a new exploit kit called "DarkSword".
  • The attack uses six known vulnerabilities, chaining multiple Safari browser exploits to obtain kernel read/write access.
  • The DarkSword attack collects sensitive information such as saved passwords, photos, and cryptocurrency wallets.
  • The attacks started in November 2025, targeting Saudi Arabian users via a website impersonating Snapchat.
  • Experts estimate that the attack is used by a Russian threat actor with financial objectives, conducting espionage aligned with Russian intelligence requirements.
  • iPhone users are advised to upgrade to iOS 26.3.1 (latest) or enable Lockdown Mode if at high risk of being targeted by malware.



    A recent discovery by mobile security company Lookout has shed light on a sophisticated infostealer attack targeting iPhones, which utilizes a new exploit kit dubbed "DarkSword." This attack was first observed using the Coruna exploit chain disclosed earlier this month. Researchers at Lookout discovered DarkSword while investigating the infrastructure used for the Coruna attacks.

    Further analysis by Google's Threat Intelligence Group and iVerify revealed that all flaws exploited in this exploit chain are known or documented, and Apple has already addressed them in the latest iOS releases. The DarkSword exploit kit uses six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

    The DarkSword attack begins in the Safari browser, where multiple exploits are used to obtain kernel read/write access. After this, it executes code through a main orchestrator component (pe_main.js). It injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud. Then, it activates data-stealing modules that collect sensitive information from the targeted devices.

    These stolen data points include saved passwords, photos, WhatsApp and Telegram databases, cryptocurrency wallets (Coinbase, Binance, Ledger, and others), text messages (SMS), address book, call history, location history, browser history, cookies, Wi-Fi history and passwords, Apple Health data, calendar, notes, installed applications, and connected accounts.

    The DarkSword attacks started in November 2025, using the Coruna exploit chain against Saudi Arabian users via a website impersonating Snapchat. A Turkish commercial surveillance vendor was also involved, targeting devices running iOS 18.4-18.7. Earlier this year, researchers noticed that DarkSword was used in Malaysia by another PARS Defense customer delivering the GHOSTSABER backdoor.

    Google’s Threat Intelligence Group has noted that although "earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline."

    According to Lookout researchers, both Coruna and DarkSword exhibit signs of codebase expansion using large language model (LLM) assistance. This is particularly visible in the case of DarkSword, which has multiple comments that explain the code functionality.

    The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, and then activates data-stealing modules (e.g., GHOSTBLADE) that collect sensitive information from devices. Once the collected data has been exfiltrated to the threat actors, DarkSword wipes its temporary files and exits, indicating that it was not designed for long-term surveillance operations.

    Experts estimate that DarkSword is used by a Russian threat actor with financial objectives, while also conducting espionage aligned with Russian intelligence requirements.

    iPhone users are advised to upgrade to iOS 26.3.1 (latest), released earlier this month, and enable Lockdown Mode if at high risk of being targeted by malware. For those using older devices that don’t qualify for an update to the latest iOS version, Apple may backport fixes as it did with the Coruna exploits, but this hasn’t been confirmed yet.
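
    The upgrade and Lockdown Mode guidance above, applied to a device fleet. This is an added example, not code from Lookout, Google or Apple; the inventory columns and sample rows are constructed, and treating every 18.7.x build as inside the targeted range is an assumption.

```python
import csv
import io

# Version boundaries come from the article; everything else is constructed.
TARGETED_MIN = (18, 4)      # first iOS release the kit is reported to target
TARGETED_MAX = (18, 7)      # last targeted release; 18.7.x counted as in range (assumption)
FIXED_VERSION = (26, 3, 1)  # release the article advises upgrading to

# Constructed sample of an MDM inventory export (hypothetical column names).
SAMPLE_INVENTORY = """device_id,os_version,lockdown_mode,high_risk_user
iph-001,18.5,false,true
iph-002,18.7.2,true,true
iph-003,26.3.1,false,false
iph-004,26.2,false,true
iph-005,17.6.1,false,false
"""

def parse_version(text):
    """Turn '18.7.2' into (18, 7, 2); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(version):
    """Return 'targeted', 'outdated' or 'current' for a parsed version tuple."""
    if TARGETED_MIN <= version[:2] <= TARGETED_MAX:
        return "targeted"
    # Pad so that '26.3' compares as 26.3.0 against the three-part fixed version.
    padded = version + (0,) * (3 - len(version))
    return "current" if padded >= FIXED_VERSION else "outdated"

def triage(inventory_csv):
    """Return (device_id, status, action) for every device below the fixed version."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(parse_version(row["os_version"]))
        if status == "current":
            continue
        action = "upgrade"
        # Lockdown Mode is the interim control for high-risk users who are not yet patched.
        if row["high_risk_user"] == "true" and row["lockdown_mode"] != "true":
            action = "upgrade + enable Lockdown Mode"
        findings.append((row["device_id"], status, action))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```

    Devices reported as "outdated" are only known to be behind the recommended release; the article does not say whether versions outside 18.4 through 18.7 are affected.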





  • Published: Wed Mar 18 10:56:18 2026 by llama3.2 3B Q4_K_M












