Researchers have uncovered a new iOS exploit kit, dubbed DarkSword, believed to be repurposed from tools originally developed for U.S. government use. The finding, and the number of devices such exploits could reach, underscores a worrying trend in the mobile threat landscape, particularly for iPhone users.
The collaborative research from iVerify, Lookout, and Google, published Wednesday, builds on earlier findings about a similar exploit kit known as Coruna. Both kits have targeted users in Ukraine, but DarkSword's potential reach is far larger: iVerify estimates that up to 270 million iPhone users could be susceptible, and Lookout notes that roughly 15% of iOS devices in use are still running iOS 18 or earlier, leaving them exposed to exploit kits of this kind.
The DarkSword Exploit Kit and Its Implications
DarkSword marks a concerning step up in attack capability. Whereas Coruna appeared to be driven primarily by financial motives, the evidence suggests DarkSword could serve both financial gain and sophisticated surveillance, and there are indications it might also be used to cause damage.
One striking finding is the use of large language models (LLMs) in developing and customizing these kits. Lookout observed that an LLM was used to tailor both Coruna and DarkSword, which lowers the barrier to deploying advanced mobile exploits, including for state-sponsored actors.
The reappearance of repurposed U.S. government exploits on a secondary market is a significant concern. iVerify and Lookout said the discovery of DarkSword reinforces earlier worries about the existence and growth of such markets, which could leave iPhone users with a false sense of security about how vulnerable their devices really are.
Technical Details and Attribution
DarkSword can exfiltrate sensitive data, including saved passwords, cryptocurrency wallets, and text messages. According to Justin Albrecht, Lookout's global director for mobile threat intelligence, attackers use Apple's WebKit as the initial entry point and WebGPU as the pivot for escaping the browser sandbox.
While a link to Russia is established, precise attribution of DarkSword remains somewhat opaque. Rocky Cole, iVerify's co-founder and chief operating officer, noted that although DarkSword shares command-and-control infrastructure with Coruna, it is a distinct kit developed by different people. Google has linked the DarkSword campaigns to a group it tracks as UNC6353, described as a Russian-backed espionage group, as well as to UNC6748 and to PARS Defense, a Turkish commercial surveillance vendor.
The motivations behind the attacks appear mixed, spanning both espionage and financial objectives. Albrecht pointed out that Russian threat groups have previously targeted cryptocurrency in Ukraine, citing Infamous Chisel, the Android exploit kit deployed by Sandworm. This suggests that well-funded groups may be financing their operations with stolen funds, particularly as long-standing sanctions squeeze Russia's budget.
The kit's broad functionality also suits surveillance and intelligence gathering, enabling so-called "pattern of life" analysis. Such "Swiss Army knife" versatility could indicate that a commercial spyware vendor built the kit without a specific target set in mind.
Despite the sophistication of the exploits themselves, the researchers suggest the actors operating DarkSword may not be highly experienced. Albrecht noted a lack of code obfuscation and straightforward server-side naming conventions, which he considers atypical of seasoned Russian actors such as APT29.
The presence of LLM-generated code is another notable finding. DarkSword's server-side component shows characteristics of AI-generated code, including unusually detailed comments, suggesting LLMs were used to speed up exploit development.
iVerify, Lookout, and Google have all been in contact with Apple about these findings. Google reported the vulnerabilities exploited by DarkSword to Apple; all of them are confirmed patched as of iOS 26.3, and most were addressed in earlier updates, so devices that have not been updated to a patched release remain exposed.
Investigation into the full scope and origins of DarkSword is ongoing. Collaboration between security researchers and Apple will be crucial for understanding the long-term implications of these repurposed exploits and for hardening mobile devices against increasingly sophisticated threats. Further reports are expected as more details emerge about the actors involved and their motivations.