Ethical Hacking News

Snoops Plant Info-Stealing Malware on iPhones, Google Warns




A new exploit kit targeting iPhone users, known as DarkSword, has been linked to multiple commercial surveillance vendors and suspected nation-state actors. This malicious software was found to be stealing sensitive information from compromised devices using a sophisticated attack chain that leverages six vulnerabilities to deploy three distinct backdoors. The threat highlights the vulnerability of personal data when users fail to keep their operating systems up-to-date.



  • Snoops (DarkSword) is newly discovered malicious software that extracts sensitive information from iOS devices.
  • DarkSword is an exploit kit targeting iPhone users, stealing personal data and cryptocurrency wallet data.
  • The attack chain exploits six vulnerabilities in total, beginning with CVE-2025-31277 or CVE-2025-43529 (remote code execution, depending on iOS version) and CVE-2026-20700 (mitigation bypass).
  • Multiple groups, including a suspected Russian espionage crew, are using this exploit kit.
  • Different variations of DarkSword include GhostKnife, GhostSaber, and GhostBlade, with varying levels of sophistication.
  • Users are advised to update their iOS devices to the latest release due to the attack chain's reliance on out-of-date versions.



Snoops, newly discovered malicious software designed to extract sensitive information from iOS devices, has been linked to several commercial surveillance vendors and suspected nation-state actors. According to recent research published by Google, iVerify, and Lookout, the malware, dubbed DarkSword, has been in use since at least November 2025.

DarkSword is an exploit kit that specifically targets iPhone users and steals a vast array of personal data, including messages, recordings, location history, signed-in accounts, cryptocurrency wallet data, and more. The exploit kit leverages six different vulnerabilities to deploy three distinct backdoors, allowing attackers to execute malicious code on the compromised device.

The attack begins when an unsuspecting user navigates to a malicious website, triggering the DarkSword exploit chain. This stage exploits either CVE-2025-31277 or CVE-2025-43529, depending on the iOS version, to achieve remote code execution. The attackers then use this access to exploit CVE-2026-20700, which lets them sidestep the Trusted Path Read-Only (TPRO) and Pointer Authentication Codes (PAC) mitigations.

The researchers analyzed how the rest of the chain unfolds and noted that the attackers exploit three further vulnerabilities: CVE-2025-14174, an out-of-bounds write in ANGLE reached via the GPU process; CVE-2025-43510, a copy-on-write vulnerability in the XNU kernel; and CVE-2025-43520, which is used to escalate privileges in the kernel.

Google's threat intelligence team discovered that multiple groups, including a suspected Russian espionage crew tracked as UNC6353, are using this exploit kit. This group, also known as UNC6748, has been targeting Saudi Arabian users through Snapchat-themed websites such as snapshare[.]chat. Another commercial surveillance vendor, PARS Defense, was observed using the exploit against Turkish iOS users.

A variant of the DarkSword payload, dubbed GhostKnife, was found to be deployed by the attackers to steal sensitive data from compromised devices. This backdoor includes modules for stealing signed-in accounts, messages, browser data, location history, and recordings. Additionally, it downloads files from a command-and-control server, takes screenshots, and records audio from the device's microphone.

Another payload, GhostSaber, was found in DarkSword campaigns targeting Turkish iOS users. This backdoor contains capabilities such as device and account enumeration, file listing, data exfiltration, and remote JavaScript code execution. However, its samples referenced several commands for which the code needed to execute them was absent, indicating a lower level of sophistication than the other variants.

Google also tracked UNC6353 using DarkSword in a new watering-hole campaign targeting Ukrainian users, deploying a backdoor dubbed GhostBlade. This backdoor collects a vast array of data from compromised devices and sends it to an attacker-controlled server over HTTPS. Unlike GhostKnife and GhostSaber, GhostBlade is less capable and lacks additional modules or backdoor-like functionality.

Because both DarkSword and the earlier Coruna exploit kit steal sensitive data and cryptocurrency, researchers conclude that UNC6353, a suspected nation-state actor, is a well-funded but technically less sophisticated threat actor whose goals include financial gain as well as espionage aligned with Russian intelligence requirements.

Apple was unavailable for comment on the matter. Because the attack chain relies on out-of-date iOS versions, it is crucial for users to update their devices to the latest release.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Snoops-Plant-Info-Stealing-Malware-on-iPhones-Google-Warns-ehn.shtml

  • Published: Wed Mar 18 17:38:49 2026 by llama3.2 3B Q4_K_M
