DarkSword iOS Exploit Kit Hijacks iPhones with 3 Zero-Days

Summary
– A new iOS exploit kit called DarkSword has been active since at least November 2025, used by multiple threat actors to steal sensitive data from iPhones running iOS versions 18.4 to 18.7.
– The kit uses a chain of six vulnerabilities, including three zero-days, to gain full device access and exfiltrate data like credentials, messages, and crypto wallet information in a rapid “hit-and-run” fashion.
– It has been deployed in campaigns targeting users in Ukraine, Saudi Arabia, Turkey, and Malaysia by actors including the suspected Russian group UNC6353 and commercial surveillance vendors.
– DarkSword represents the second major iOS exploit kit discovered in a month, following Coruna, highlighting the proliferation of sophisticated mobile exploits in a second-hand market.
– The attacks typically begin when users visit compromised websites via Safari, where malicious code fingerprints the device and launches the exploit chain to install data-stealing malware like GHOSTBLADE.
A sophisticated new exploit kit targeting Apple iPhones has been identified by security researchers, marking the second such toolkit discovered in a single month. Dubbed DarkSword, this malicious framework leverages a chain of six vulnerabilities, including three previously unknown zero-days, to hijack devices and steal a vast array of sensitive personal data. The kit is designed to target iPhones running iOS versions 18.4 through 18.7 and has been deployed by multiple threat actors in campaigns across several countries.
According to reports from Google Threat Intelligence Group, iVerify, and Lookout, commercial surveillance vendors and suspected state-sponsored groups have used DarkSword in distinct operations. These campaigns have focused on users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The kit follows the recent discovery of another iOS exploit framework called Coruna, indicating a troubling proliferation of advanced mobile attack tools.
A suspected Russian espionage group tracked as UNC6353 has been linked to deploying DarkSword against Ukrainian users. This same group was previously associated with the Coruna kit. Security analysts note that DarkSword is engineered for rapid data theft, specifically targeting credentials and information from a wide range of cryptocurrency wallet applications. This suggests a strong financial motivation behind its use. The malware operates with a “hit-and-run” methodology, collecting and exfiltrating targeted data within minutes before cleaning up its traces to minimize detection.
Exploit chains like DarkSword provide complete device access with minimal user interaction, highlighting a growing second-hand market for powerful vulnerabilities. This market allows less-resourced threat groups to acquire and deploy top-tier exploits for purposes ranging from cyber espionage to financial crime. The use of both DarkSword and Coruna by various actors demonstrates the ongoing risk of exploit proliferation across groups with different geographic bases and motives.
The DarkSword chain utilizes six vulnerabilities to deploy three payloads. Among these, CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174 were exploited as zero-days before Apple issued patches. The full list includes memory corruption flaws in JavaScriptCore and ANGLE, a PAC bypass in dyld, and memory management issues in the iOS kernel. Lookout discovered DarkSword while analyzing malicious infrastructure tied to UNC6353, finding a compromised domain that hosted a malicious iFrame. This iFrame loads JavaScript to fingerprint visiting devices and determine if they should be routed to the iOS exploit chain.
Notably, the initial JavaScript specifically selected devices running iOS versions 18.4 to 18.6.2, unlike the Coruna kit, which targeted older versions from 13.0 through 17.2.1. DarkSword is a complete exploit chain and information stealer written in JavaScript. It leverages multiple vulnerabilities to achieve privileged code execution, access sensitive data, and exfiltrate it from the device.
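A defensive triage helper for the version gating described above, added here as an example (it is not code from Lookout, Google, iVerify or the kit itself): it extracts the iOS version from Safari user-agent strings in web or proxy logs and flags requests from builds inside the ranges the reporting gives for DarkSword (18.4 to 18.7) and Coruna (13.0 to 17.2.1), so a fleet or site owner can see which visiting devices were exposed. The log lines and IP addresses are constructed; the user-agent format is the standard one Safari on iPhone sends.

```python
import re
from typing import List, Optional, Tuple

# Targeted iOS ranges as stated in the reporting: DarkSword 18.4 to 18.7,
# Coruna 13.0 to 17.2.1. A two-part ceiling such as (18, 7) means "any 18.7.x";
# a three-part ceiling such as (17, 2, 1) is exact.
TARGETED_RANGES = {
    "DarkSword": ((18, 4, 0), (18, 7)),
    "Coruna": ((13, 0, 0), (17, 2, 1)),
}
# Safari on iPhone reports the OS as e.g. "CPU iPhone OS 18_6_2 like Mac OS X".
UA_IOS_RE = re.compile(r"CPU iPhone OS (\d+(?:_\d+)*) like Mac OS X")

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Normalise '18.6.2', '18_6_2' or '18.7' to a 3-tuple; None if malformed."""
    parts = re.split(r"[._]", text.strip())
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def version_from_user_agent(ua: str) -> Optional[Tuple[int, ...]]:
    """Pull the iOS version out of a Safari user-agent string, if present."""
    m = UA_IOS_RE.search(ua)
    return parse_version(m.group(1)) if m else None

def targeted_kits(version: Tuple[int, ...]) -> List[str]:
    """Kits whose published target range covers this iOS version."""
    return [kit for kit, (lo, hi) in TARGETED_RANGES.items()
            if version >= lo and version[:len(hi)] <= hi]

def triage(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """(line number, version, kits) for each request from a targeted iOS build."""
    hits = []
    for n, line in enumerate(lines, 1):
        v = version_from_user_agent(line)
        kits = targeted_kits(v) if v else []
        if kits:
            hits.append((n, ".".join(map(str, v)), kits))
    return hits

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - "GET /news HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 18_6_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Mobile/15E148 Safari/604.1"',
    '198.51.100.8 - - "GET /news HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1"',
    '198.51.100.9 - - "GET /news HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"',
]
if __name__ == "__main__":
    for n, ver, kits in triage(SAMPLE_LOG):
        print(f"line {n}: iOS {ver} is in the targeted range of {', '.join(kits)}")
```

A hit only says the build was in a targeted range at the time of the visit, not that the device was exploited; use it to prioritise patch follow-up and deeper log review for those clients.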
The attack begins when a user visits a compromised webpage via Safari that contains the malicious iFrame. DarkSword then breaks out of Safari’s WebContent sandbox and uses WebGPU to inject code into `mediaplaybackd`, a system daemon that handles media playback. This allows a data-stealing malware component called GHOSTBLADE to access privileged processes and restricted areas of the file system. After privilege escalation, an orchestrator module loads additional components to harvest data and injects an exfiltration payload into SpringBoard to send the stolen information to an external server.
The scope of stolen data is extensive, including emails, iCloud Drive files, contacts, SMS messages, Safari history and cookies, cryptocurrency data, usernames, passwords, photos, call logs, Wi-Fi configurations, location history, calendar entries, cellular information, installed app lists, and data from messaging apps like Telegram and WhatsApp.
Technical analysis reveals that DarkSword weaponizes JavaScriptCore JIT vulnerabilities to achieve remote code execution, then escapes the sandbox by pivoting through the GPU process. It uses two separate sandbox escape vulnerabilities to move from the WebContent sandbox into the GPU process, and then from the GPU process into `mediaplaybackd`. Finally, a kernel privilege escalation flaw is used to gain arbitrary read/write capabilities and execute the injected JavaScript code.
Lookout describes the malware as “highly sophisticated” and a professionally designed platform that enables rapid module development. References within the JavaScript files to iOS versions 17.4.1 and 17.5.1 suggest the kit was ported from an earlier version targeting older operating systems. Unlike many spyware tools, DarkSword is not designed for persistent surveillance. It aims to minimize dwell time, exfiltrating identified data as quickly as possible before cleaning up and exiting.
Little is known about UNC6353 beyond its use of watering hole attacks on compromised Ukrainian websites to deliver both Coruna and DarkSword. This indicates the group is likely well-funded to acquire high-quality iOS exploit chains, possibly developed for commercial surveillance. Analysts assess that UNC6353 is a technically less sophisticated actor whose motives align with Russian intelligence requirements. The lack of code obfuscation and the simple design of its infrastructure suggest the group may not have strong engineering resources or may be unconcerned with operational security.
DarkSword has also been linked to two other threat actors. A group tracked as UNC6748 targeted Saudi Arabian users in November 2025 using a fake Snapchat-themed website to deliver a JavaScript backdoor called GHOSTKNIFE. Separately, activity associated with the Turkish commercial surveillance vendor PARS Defense used DarkSword in the same month to deliver GHOSTSABER, another backdoor capable of device enumeration and data theft.
Google observed that UNC6353’s use of DarkSword in December 2025 only supported iOS versions 18.4 to 18.6, while campaigns by UNC6748 and PARS Defense also targeted devices running iOS 18.7. Security firm iVerify emphasized that these are the second set of watering hole attacks targeting iPhone users in a month, and that neither campaign involved individual targeting. The combined attacks potentially affect hundreds of millions of unpatched devices running iOS versions 13 through 18.6.2.
The discovery of these powerful tools, attributed in part to operational security failures by the attackers, raises critical questions about the size and accessibility of the market for iOS zero-day and n-day exploits. It underscores how such potent capabilities are becoming available to a broader range of financially motivated actors, posing a significant and growing threat to mobile device security worldwide.
(Source: thehackernews.com)