New iOS Exploit Kit ‘DarkSword’ Uncovered by Researchers

Summary
– The “DarkSword” toolkit is a sophisticated iOS exploit chain that uses six vulnerabilities to remotely execute code and steal sensitive data from iPhones.
– It has been used since late 2025 by various threat actors, including state-sponsored groups and customers of commercial surveillance vendors, in targeted campaigns.
– The exploited vulnerabilities affect WebKit, the iOS kernel, and a system component, with Apple issuing patches between July 2025 and February 2026.
– The malware can exfiltrate a wide range of personal information, including passwords, files, and cryptocurrency data, serving both espionage and potential financial theft purposes.
– Security researchers strongly recommend users update their devices to the latest iOS versions to mitigate these threats, as hundreds of millions of unpatched devices remain vulnerable.
A newly identified and highly sophisticated iPhone hacking toolkit, known as DarkSword, has been actively compromising devices since late 2025. Security researchers from Google and Lookout have detailed this threat, which leverages a chain of six previously unknown iOS vulnerabilities to achieve remote code execution and deploy malicious payloads. This discovery follows the recent exposure of another powerful exploit kit called Coruna, highlighting a concerning trend of advanced commercial surveillance tools targeting mobile platforms.
The DarkSword exploit chain systematically compromises an iPhone by starting within the Safari browser. It uses three vulnerabilities in the WebKit engine, two within the iOS kernel, and one in a component called the Dynamic Link Editor (dyld). This multi-stage process allows attackers to break out of security sandboxes, gain kernel-level access, and ultimately steal sensitive data. Apple has since patched all these flaws in subsequent iOS updates, but devices running older software remain at significant risk.
Apple addressed the specific vulnerabilities in a series of updates throughout 2025 and early 2026. The patches were released for CVE-2025-31277, CVE-2025-43510, CVE-2025-43520, CVE-2025-43529, CVE-2025-14174, and CVE-2026-20700. It is critical to note that several of these fixes were issued only after reports of active, targeted exploitation in the wild, underscoring the urgency of applying software updates.
Analysis reveals that DarkSword has been deployed by multiple threat actors in various espionage and surveillance campaigns. These include the suspected Russian state-sponsored group UNC6353—which also used the Coruna kit—and customers of a Turkish commercial surveillance vendor named PARS Defense. Another group, tracked as UNC6748, used DarkSword to target individuals in Saudi Arabia through a deceptive Snapchat-themed website.
The malware operates by first fingerprinting a visiting device to determine if it is a suitable target. If the conditions are met, the exploit chain executes. After establishing a foothold, a central script coordinates smaller components that harvest a vast array of data. This includes passwords, encryption keys, files, photos, calendar entries, notes, and even information from cryptocurrency wallets. The stolen data is temporarily stored on the device before being transmitted to servers controlled by the attackers.
Researchers emphasize that both Coruna and DarkSword represent a severe threat to user privacy and security. These toolkits are not limited to state-aligned espionage; they also possess functionality to steal cryptocurrency, blurring the lines between cyber-espionage and financially motivated crime. The concern is that these advanced capabilities could eventually proliferate to a broader range of cybercriminals, putting a much larger population of iPhone users in jeopardy.
For protection, security experts unanimously recommend immediately updating iPhones to the latest available iOS version. Specifically, updating to iOS 18.7.6 or iOS 26.3.1 will protect against all vulnerabilities exploited in these attack chains. For users who cannot update their devices, enabling Apple’s Lockdown Mode provides an additional layer of security by strictly limiting potentially risky functionalities. With hundreds of millions of devices potentially vulnerable, applying these updates is the most effective defensive action users can take.
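As an added example, not part of the original article, the following script triages a fleet inventory of iOS versions against the two patched builds named above (18.7.6 on the 18.x branch, 26.3.1 on the 26.x branch), so a defender can see which devices still need the update. The inventory and device ids are constructed sample data; majors the article does not mention are flagged as unknown rather than assumed safe.

```python
# Added example (not from the Help Net Security article): classify reported
# iOS versions against the minimum patched builds the article names.
# Minimum patched version per major branch, as stated in the article.
PATCHED_MINIMUM = {
    18: (18, 7, 6),
    26: (26, 3, 1),
}

def parse_version(text: str) -> tuple:
    """Turn '26.2' into (26, 2, 0) so short and long strings compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one iOS version string."""
    v = parse_version(version)
    minimum = PATCHED_MINIMUM.get(v[0])
    if minimum is None:
        # Branches the article does not cover (older majors): check Apple's
        # own advisories instead of guessing either way.
        return "unknown"
    return "patched" if v >= minimum else "vulnerable"

def triage(inventory: list) -> dict:
    """Group device ids by status so the vulnerable list can go to the MDM team."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for device_id, version in inventory:
        result[classify(version)].append(device_id)
    return result

# Constructed sample inventory: (placeholder device id, reported iOS version).
SAMPLE_INVENTORY = [
    ("ios-0001", "26.3.1"),
    ("ios-0002", "26.2"),
    ("ios-0003", "18.7.6"),
    ("ios-0004", "18.7.5"),
    ("ios-0005", "18.6"),
    ("ios-0006", "17.7.2"),
]

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```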
(Source: Help Net Security)