Ethical Hacking News
Apple's iOS operating system has been compromised by a new exploit kit, codenamed DarkSword, which uses six different vulnerabilities to extract personal information from devices. Developed by threat actors with varying levels of sophistication, the kit highlights the ongoing risk of exploit proliferation across the cyber security landscape.
The new iOS exploit kit, DarkSword, targets Apple's iOS operating system, using six different vulnerabilities, including three zero-days.
DarkSword was first detected in November 2025 and has been linked to multiple threat actors, including suspected state-sponsored actors and commercial surveillance vendors.
The exploit kit extracts personal information from devices, including credentials from crypto wallet apps, and takes a "hit-and-run" approach to collect data.
The use of DarkSword highlights the ongoing risk of exploit proliferation across actors with varying geography and motivation.
The exploit kit's sophistication and maintainability make it a concerning trend for cybersecurity professionals and device manufacturers alike.
The cyber security landscape has recently been rocked by the discovery of a new exploit kit, codenamed DarkSword, which is designed specifically to target Apple's iOS operating system. According to reports from reputable sources such as Google Threat Intelligence Group (GTIG), iVerify, and Lookout, DarkSword is a sophisticated tool that utilizes six different vulnerabilities, including three zero-days, to compromise iPhones running iOS versions between 18.4 and 18.7.
The exploit kit was first detected in November 2025 by GTIG, which noted that it had been used by multiple commercial surveillance vendors and suspected state-sponsored actors in distinct campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine. The use of DarkSword has also been linked to two other threat actors - UNC6748 and PARS Defense - which have employed the exploit kit to deliver additional malware payloads.
DarkSword is designed to extract an extensive set of personal information from a device, including credentials from crypto wallet apps. The exploit kit takes a "hit-and-run" approach, collecting and exfiltrating targeted data from the device within seconds or at most minutes, followed by cleanup. This suggests that DarkSword is not intended for persistent surveillance and data gathering.
The discovery of DarkSword highlights the ongoing risk of exploit proliferation across actors of varying geography and motivation. According to GTIG, the use of both DarkSword and Coruna, another iOS exploit kit, by a variety of actors demonstrates this risk. The fact that threat groups with limited resources and goals not necessarily aligned with cyber espionage can acquire "top-of-the-line exploits" and use them to infect mobile devices is a concerning trend.
The exploit chain linked to DarkSword makes use of six different vulnerabilities, including CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174, which were exploited as zero-days prior to their patching by Apple. The kit also utilizes a memory corruption vulnerability in JavaScriptCore (CVE-2025-31277) and a kernel privilege escalation flaw (CVE-2025-43520).
The development of DarkSword is notable for its sophistication and maintainability. According to Lookout, the malware contains references to iOS versions 17.4.1 and 17.5.1, indicating that it was ported from a previous version targeting older versions of the operating system. The fact that the kit's code is not obfuscated suggests that the threat actor behind DarkSword may not have access to strong engineering resources or may not be concerned with taking appropriate operational security (OPSEC) measures.
The use of DarkSword has also been linked to a suspected Russian espionage group named UNC6353, which has employed the exploit kit in distinct campaigns targeting Ukrainian users. The fact that UNC6353 uses both Coruna and DarkSword via watering hole attacks on compromised websites suggests that the threat actor is well-funded and secure.
In conclusion, the discovery of the DarkSword iOS exploit kit highlights the ongoing risk of exploit proliferation across actors of varying geography and motivation. The kit's sophistication and maintainability make it a concerning trend for cybersecurity professionals and device manufacturers alike.
Related Information:
https://www.ethicalhackingnews.com/articles/The-DarkSword-iOS-Exploit-Kit-A-Sophisticated-Tool-for-Surveillance-and-Data-Theft-ehn.shtml
Published: Thu Mar 19 08:26:11 2026 by llama3.2 3B Q4_K_M