A sophisticated new exploit kit, codenamed DarkSword, is actively targeting Apple iOS devices, enabling threat actors to steal sensitive data. Discovered by Google Threat Intelligence Group (GTIG), iVerify, and Lookout, DarkSword has been in use since at least November 2025, exploiting vulnerabilities to compromise iPhones. Its emergence highlights the growing market for potent exploit chains and poses a significant risk to users worldwide.
Multiple threat actors, including commercial surveillance vendors and suspected state-sponsored groups, have deployed DarkSword. Reports indicate distinct campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. This discovery follows closely on the heels of another iOS exploit kit, Coruna, also recently identified, underscoring a troubling trend of advanced exploit proliferation.
DarkSword Exploit Kit Targets iOS Devices
The DarkSword exploit kit is designed to target iPhones running specific versions of iOS, reportedly versions between iOS 18.4 and 18.7. According to GTIG, a suspected Russian espionage group known as UNC6353 has utilized DarkSword in attacks aimed at Ukrainian users. This same group has also been linked to the use of the Coruna exploit kit against Ukrainian targets through the injection of malicious JavaScript into compromised websites.
“DarkSword aims to extract an extensive set of personal information, including credentials from the device and specifically targets a plethora of crypto wallet apps, hinting at a financially motivated threat actor,” stated Lookout. The researchers noted that DarkSword appears to employ a “hit-and-run” approach, collecting and exfiltrating targeted data rapidly, often within seconds or minutes, before cleaning up traces of its presence.
Unlike previous exploits that might require user interaction, chains like DarkSword and Coruna are engineered for direct access to a victim’s device. This indicates a secondary market for exploits, allowing groups with fewer resources or different objectives than traditional cyber espionage to acquire and utilize high-end tools for mobile device infections.
“The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation,” GTIG reported. The accessibility of such sophisticated tools raises concerns about their potential misuse by a diverse range of malicious entities.
DarkSword’s Technical Capabilities and Exploited Vulnerabilities
The DarkSword exploit chain leverages a series of six different vulnerabilities to deploy three distinct payloads. Notably, three of these vulnerabilities were exploited as zero-days before Apple could patch them: CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174.
- CVE-2025-31277: Memory corruption vulnerability in JavaScriptCore (Patched in version 18.6)
- CVE-2026-20700: User-mode Pointer Authentication Code (PAC) bypass in dyld (Patched in version 26.3)
- CVE-2025-43529: Memory corruption vulnerability in JavaScriptCore (Patched in versions 18.7.3 and 26.2)
- CVE-2025-14174: Memory corruption vulnerability in ANGLE (Patched in versions 18.7.3 and 26.2)
- CVE-2025-43510: Memory management vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)
- CVE-2025-43520: Memory corruption vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)
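The list above gives a fix version per iOS branch for each CVE, which is what a fleet owner needs to decide which devices are still exposed. The following is an added example (not code from the article or from GTIG, iVerify or Lookout) that compares an inventory of iOS versions against that list; the inventory is constructed sample data, and the branch rule in `is_patched` is this example's own assumption.

```python
# Added example: triage iOS versions against the DarkSword CVE fix list.
# Fix versions are the ones listed in the article; the inventory is constructed.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# CVE -> fix versions from the article, at most one per iOS major branch.
DARKSWORD_FIXES: Dict[str, List[str]] = {
    "CVE-2025-31277": ["18.6"],
    "CVE-2026-20700": ["26.3"],
    "CVE-2025-43529": ["18.7.3", "26.2"],
    "CVE-2025-14174": ["18.7.3", "26.2"],
    "CVE-2025-43510": ["18.7.2", "26.1"],
    "CVE-2025-43520": ["18.7.2", "26.1"],
}

def parse_version(s: str) -> Version:
    """'18.7.3' -> (18, 7, 3); shorter strings are padded so 18.6 == 18.6.0."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def is_patched(device: str, fixes: List[str]) -> bool:
    """Assumed rule: the fix on the device's own major branch applies; a branch
    newer than every listed fix is treated as patched; a branch with no listed
    fix that is older than every fix is treated as unpatched (conservative)."""
    dev = parse_version(device)
    fix_versions = [parse_version(f) for f in fixes]
    same_branch = [f for f in fix_versions if f[0] == dev[0]]
    if same_branch:
        return dev >= min(same_branch)
    return dev[0] > max(f[0] for f in fix_versions)

def unpatched_cves(device: str) -> List[str]:
    """DarkSword CVEs that the given iOS version still lacks a fix for."""
    return [cve for cve, fixes in DARKSWORD_FIXES.items()
            if not is_patched(device, fixes)]

def triage_fleet(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """device id -> unpatched CVEs, listing only devices with at least one gap."""
    result: Dict[str, List[str]] = {}
    for dev_id, version in inventory.items():
        gaps = unpatched_cves(version)
        if gaps:
            result[dev_id] = gaps
    return result

if __name__ == "__main__":
    # Constructed sample inventory: device id -> reported iOS version.
    sample = {"ipad-01": "18.5", "iphone-02": "18.7.2",
              "iphone-03": "18.7.3", "iphone-04": "26.3"}
    for dev_id, gaps in triage_fleet(sample).items():
        print(dev_id, "still exposed to:", ", ".join(gaps))
```

Note that a device on 18.7.3 is still reported for CVE-2026-20700 because the article lists a fix only on the 26.x branch; treat that row as "update to the latest release" rather than as a confirmed exposure.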
Lookout’s analysis traced DarkSword back to malicious infrastructure associated with UNC6353. They identified a compromised domain hosting a malicious iframe element. This element loads JavaScript designed to fingerprint visiting devices and determine whether the visitor should be redirected to the DarkSword exploit chain. The precise method used to compromise these websites remains undetermined.
A key differentiator for DarkSword is its specific targeting of iOS versions between 18.4 and 18.6.2, a narrower window compared to Coruna’s broader targeting of older iOS versions. DarkSword is described as a complete exploit chain and infostealer written in JavaScript, employing multiple vulnerabilities for privileged code execution and data exfiltration.
The attack chain typically begins when a user visits a compromised website via Safari. DarkSword then breaks out of the WebContent sandbox and utilizes WebGPU to inject itself into mediaplaybackd, a system daemon responsible for media playback functions. This enables the GHOSTBLADE malware to gain access to privileged processes and sensitive file system areas.
Following successful privilege escalation, an orchestrator module loads additional components to collect sensitive data. An exfiltration payload is then injected into SpringBoard to transmit the gathered information to an external server. The types of data targeted include emails, iCloud Drive files, contacts, SMS messages, browsing history, cryptocurrency wallet and exchange data, credentials, photos, call logs, Wi-Fi configurations and passwords, location history, calendar information, cellular and SIM details, installed application lists, and data from Apple apps like Notes and Health, as well as message histories from apps like Telegram and WhatsApp.
iVerify’s analysis indicates that DarkSword weaponizes JavaScriptCore JIT vulnerabilities for remote code execution and sandbox escape. The chain ultimately uses a kernel privilege escalation flaw to achieve arbitrary read/write capabilities within mediaplaybackd, allowing the execution of injected JavaScript code.
“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high-level programming language,” Lookout stated. The development effort suggests a focus on maintainability and long-term extensibility.
Further analysis of DarkSword’s JavaScript files revealed references to older iOS versions, suggesting the kit was ported from earlier iterations. Unlike persistent spyware, DarkSword focuses on rapid data exfiltration, minimizing its dwell time on a device to quickly steal identified data and then self-destruct.
Threat Actors and Market Implications
Very little is publicly known about UNC6353 beyond its use of both Coruna and DarkSword via watering hole attacks on compromised Ukrainian websites. This suggests the group is well-funded to acquire high-quality iOS exploit chains, likely developed for commercial surveillance purposes. It is assessed that UNC6353 may be a less technically sophisticated actor operating in alignment with Russian intelligence interests.
“Given that both Coruna and DarkSword have capabilities for cryptocurrency theft and intelligence gathering, we must consider the possibility that UNC6353 is a Russia-backed privateer group or criminal proxy threat actor,” Lookout commented. The lack of obfuscation in DarkSword’s code and deployment artifacts suggests either limited engineering resources or a disregard for operational security measures by UNC6353.
The use of DarkSword has also been linked to two other threat actors:
- UNC6748: This group targeted Saudi Arabian users in November 2025 using a Snapchat-themed website, snapshare[.]chat, to deliver GHOSTKNIFE, a JavaScript backdoor for information theft.
- PARS Defense: This Turkish commercial surveillance vendor used DarkSword in November 2025 to deploy GHOSTSABER, a JavaScript backdoor facilitating device and account enumeration, file listing, data exfiltration, and arbitrary code execution.
Google reported that UNC6353’s observed use of DarkSword in December 2025 supported iOS versions from 18.4 to 18.6, while the attacks attributed to UNC6748 and PARS Defense also targeted iOS devices running version 18.7. This indicates a slight variation in the exploit chain’s capabilities or targeting windows for different actors.
“For the second time in a month, threat actors have employed waterhole attacks to target iPhone users,” iVerify stated. The combined impact of these attacks could affect hundreds of millions of unpatched devices running iOS versions from 13 through 18.6.2. The discovery of these tools due to operational security failures raises critical questions about the size and sophistication of the market for iOS zero-day and n-day exploits, and the accessibility of such powerful capabilities to financially motivated threat actors.
The continued discovery of sophisticated exploit kits like DarkSword underscores the ongoing need for users to keep their devices updated to the latest security patches. The market for these exploits appears robust, suggesting that users will remain a target for advanced threats for the foreseeable future. Future developments will likely revolve around Apple’s patching cadence and the pace at which new vulnerabilities are identified and weaponized.