Ethical Hacking News
DarkSword, a new and highly sophisticated iOS exploit kit, has been discovered by researchers at Lookout Threat Labs. The tool is being used by multiple threat actors to steal sensitive data from Apple devices, highlighting the growing risk of exploit proliferation across actors of varying geography and motivation.
DarkSword is a new iOS exploit kit used by multiple threat actors to steal sensitive data from Apple devices. The tool targets iPhones running iOS 18.4-18.7 and allows attackers to exfiltrate data in a "hit-and-run" approach. DarkSword enables near full device access with minimal user interaction, highlighting the risk of exploit proliferation. The actor behind DarkSword, UNC6353, is a largely unknown group with dual motives targeting intelligence and financial data. The discovery of DarkSword highlights the growing threat of exploit proliferation across actors of varying geography and motivation. The use of DarkSword on a secondary market underscores the need for faster patching and stronger mobile defenses.
DarkSword, a new and highly sophisticated iOS exploit kit, has been making headlines in recent weeks due to its involvement in various global attacks targeting high-profile individuals and organizations. The tool, discovered by researchers at Lookout Threat Labs, is being used by multiple threat actors, including surveillance vendors and likely nation-state actors, to steal sensitive data from Apple devices.
The discovery of DarkSword has sent shockwaves throughout the cybersecurity community, as it highlights the growing threat of exploit proliferation across actors of varying geography and motivation. The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation, underscoring the need for faster patching and stronger mobile defenses.
DarkSword targets iPhones running iOS 18.4-18.7 and has been used by the suspected Russian-linked group UNC6353 against Ukrainian targets. It allows attackers to steal sensitive data, including credentials and crypto wallet information, and then quickly exfiltrate it in a "hit-and-run" approach before cleaning up traces. The exploits appear to be linked to the Coruna exploits. DarkSword enables near full device access with minimal user interaction, showing how advanced exploits are now available on a secondary market to a wider range of threat actors.
The actor behind the exploit, UNC6353, remains a largely unknown group but has used advanced iOS exploit chains in watering hole attacks on Ukrainian websites. Likely well-funded, it appears to rely on third-party or brokered exploits, possibly linked to Russian ecosystems. The group targets both intelligence and financial data, including crypto assets, suggesting dual motives.
DarkSword shows a troubling trend: advanced iOS exploit chains are being sold on a secondary market, letting even less skilled actors launch powerful attacks. These near zero-click watering hole campaigns are stealthy and bypass user awareness. Once infected, devices face full compromise, with risks to both personal and corporate data, highlighting the urgent need for faster patching and stronger mobile defenses.
The discovery of DarkSword as the second iOS exploit chain found in the hands of this at least partially financially motivated threat actor reveals a worrying trend. There appears to be a secondary market for technically sophisticated exploit chains in which unscrupulous sellers are willing to serve buyers with little or no concern for how the exploits are going to be used. These groups can then easily customize these kits into malware for their specific purposes, possibly with the help of AI.
Google GTIG experts found multiple actors using DarkSword since November 2025, and believe other surveillance vendors or threat groups are likely using the exploit chain as well. The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation.
The impact of DarkSword on the cybersecurity landscape cannot be overstated. As an exploit kit, it has the potential to compromise millions of Apple devices worldwide, putting sensitive data at risk. The fact that it is being sold on a secondary market highlights the growing threat of exploit proliferation, underscoring the need for faster patching and stronger mobile defenses.
In conclusion, DarkSword represents a significant threat to the security of Apple devices and users around the world. As a powerful iOS exploit tool, it has been used by multiple threat actors to steal sensitive data from high-profile individuals and organizations. The discovery of DarkSword highlights the growing risk of exploit proliferation across actors of varying geography and motivation, underscoring the need for faster patching and stronger mobile defenses.
Related Information:
https://www.ethicalhackingnews.com/articles/Unveiling-the-Shadow-Market-How-DarkSword-Became-a-Powerhouse-iOS-Exploit-Tool-for-Nation-State-Actors-ehn.shtml
Published: Thu Mar 19 13:48:19 2026 by llama3.2 3B Q4_K_M