New DarkSword exploit kit targets iPhones, steals crypto and personal data

 


A novel exploit kit dubbed DarkSword is being used to compromise Apple iPhones and steal sensitive user data.

The threat targets devices running iOS versions 18.4 through 18.7 and has been linked to multiple threat actors, including the suspected Russian group UNC6353, which was previously tied to the Coruna exploit chain.

The exploit kit was discovered by researchers at Lookout, Google’s Threat Intelligence Group (GTIG) and iVerify, who released separate reports on the issue.

According to researchers, DarkSword leverages six known vulnerabilities (CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520) to gain deep access to compromised devices.

Researchers say the exploit kit has been active since at least November 2025 and has been used to deploy multiple malware strains, including the GHOSTBLADE data-harvesting tool; the GHOSTKNIFE backdoor; and the GHOSTSABER JavaScript-based implant.

Early attacks were attributed to UNC6748, which targeted users in Saudi Arabia via a fake Snapchat website. Later campaigns were observed in Turkey and Malaysia, some linked to customers of Turkish surveillance vendor PARS Defense.

By December 2025, UNC6353 began deploying DarkSword against Ukrainian targets, continuing through March 2026 in so-called “watering hole” attacks, where compromised websites silently infect visitors. The attacks primarily used the Safari browser as an entry point, chaining multiple exploits to gain full control of the device.

Once inside, DarkSword injects malicious code into core iOS services, including Keychain and iCloud, allowing attackers to extract passwords, SMS messages, browsing data, and cryptocurrency wallet information (including Coinbase, Binance, and Ledger). After exfiltrating the data, the malware deletes traces of its activity.

Researchers also noted signs that the exploit kit’s codebase may have been partially developed using large language models. This theory is based on unusually detailed inline comments explaining functionality.

Users are strongly advised to update their devices to the latest version, which is currently iOS 26.3.1, and to enable Lockdown Mode if they believe they may be at higher risk of targeted attacks.

