Security researchers from iVerify, Lookout, and Google’s Threat Intelligence Group have jointly disclosed a second sophisticated iOS exploit kit — dubbed DarkSword — actively used to steal passwords, cryptocurrency wallets, messages, photos, and more from iPhones. The kit has been deployed since at least November 2025 by multiple threat actors, including a suspected Russian espionage group, a Turkish commercial surveillance vendor, and a financially motivated hacking group.

What Is DarkSword?
DarkSword is a weaponised iOS exploit kit — a packaged set of tools that chains together multiple vulnerabilities to silently compromise iPhones through the Safari browser, with no user interaction beyond visiting a malicious website. Researchers at Lookout discovered it while investigating the infrastructure used for Coruna, a separate iOS exploit kit disclosed earlier this month that Apple patched with iOS 15.8.7 and 16.7.15.
DarkSword exploits six known CVEs: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. The attack chain begins in Safari, where exploits obtain kernel read/write access, then execute code through a JavaScript orchestrator. From there, the kit injects itself into privileged iOS services — including App Access, Wi-Fi, SpringBoard, Keychain, and iCloud — before activating data-stealing modules.
What It Steals
Once installed, DarkSword exfiltrates a sweeping range of personal data:
- Saved passwords and Keychain data
- Cryptocurrency wallets — Coinbase, Binance, Ledger, and others
- WhatsApp and Telegram message databases
- Text messages (SMS), iMessage, email, and call history
- Photos, screenshots, and hidden image files
- Location and mobility history
- Browser history and cookies
- Wi-Fi history and passwords
- Apple Health data, Calendar, and Notes
- Signed-in accounts and connected services
Notably, DarkSword wipes its temporary files and exits after exfiltrating data — it was designed for fast, silent theft rather than long-term surveillance. Three separate malware families have been deployed through the kit: GHOSTBLADE (a JavaScript dataminer), GHOSTKNIFE (a backdoor), and GHOSTSABER (a JavaScript backdoor).
Who Is Behind It?
Three distinct threat actors have been observed using DarkSword:
- UNC6748 — used DarkSword in attacks targeting Saudi Arabian users via a website impersonating Snapchat
- PARS Defense — a Turkish commercial surveillance vendor that deployed DarkSword against users in Turkey and Malaysia, with notably better operational security than other actors
- UNC6353 — a suspected Russian espionage group that has been using DarkSword since December 2025 against Ukrainian targets via compromised websites, including Ukrainian government sites, continuing through March 2026
Google has attributed UNC6353 to a Russian-backed espionage operation. The group shares command-and-control infrastructure with the Coruna exploit kit, but DarkSword is an entirely separate tool built by different people. Researchers note that despite the sophistication of the exploits themselves, the operational security of some actors using DarkSword is poor — JavaScript and HTML code was left unobfuscated, and a server-side component was literally labelled “Dark sword file receiver.”
The AI-Assisted Angle
One of the more striking findings: both Coruna and DarkSword show clear signs of having been developed with assistance from large language models. DarkSword’s server-side code includes detailed explanatory comments characteristic of AI-generated output. Researchers say this significantly lowers the barrier to entry for deploying advanced mobile exploits — even state-sponsored actors are now using AI coding assistants to build sophisticated attack tools. Lookout describes the kit as “a professionally designed platform enabling rapid development of modules” with clear attention to long-term maintainability.
Scale of the Threat
iVerify estimates up to 270 million iPhone users could be susceptible. Lookout told CyberScoop that roughly 15% of all iOS devices currently in use are running iOS 18 or earlier — the versions vulnerable to DarkSword. All six CVEs exploited by DarkSword have been patched by Apple, most of them prior to iOS 26.3, with the final fixes included in iOS 26.3. All three research teams have been in contact with Apple throughout the disclosure process.
What You Should Do Right Now
- Update immediately — Install iOS 26.3.1, the latest release, which patches all vulnerabilities exploited by DarkSword. Go to Settings → General → Software Update
- Enable Lockdown Mode if you are at elevated risk — journalists, activists, government employees, or anyone who may be a surveillance target. Settings → Privacy & Security → Lockdown Mode
- Older devices — Apple patched the Coruna vulnerabilities for older devices (iOS 15.8.7, 16.7.15) but has not confirmed whether DarkSword fixes will be backported. Check Settings → General → Software Update for any available patches
- Be cautious of unknown websites — DarkSword is delivered via watering hole attacks on compromised websites. Visiting a page is enough; you don’t need to click anything
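
For teams managing more than one iPhone, the version guidance above can be applied to a device inventory. The following is an added example, not code from the researchers or from Apple: it sorts devices using the thresholds stated in this article (final fixes in iOS 26.3, iOS 18 or earlier vulnerable). The CSV columns, device names, and the rule for prioritising Lockdown Mode are assumptions.

```python
import csv
import io

# Thresholds taken from the article; the inventory format is an assumption.
FULLY_PATCHED = (26, 3)      # final DarkSword fixes shipped in iOS 26.3
LAST_VULNERABLE_MAJOR = 18   # "iOS 18 or earlier" is the vulnerable range

# Constructed sample export (hypothetical device names and columns).
SAMPLE_INVENTORY = """device,os_version,high_risk_user
iphone-001,26.3.1,no
iphone-002,18.6.2,yes
iphone-003,26.1,no
iphone-004,16.7.15,no
iphone-005,unknown,yes
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    version = parse_version(version_text)
    if version is None:
        return "unknown"              # cannot be shown to be patched
    if version >= FULLY_PATCHED:
        return "patched"
    if version[0] <= LAST_VULNERABLE_MAJOR:
        # Includes 15.8.7 / 16.7.15: those fix Coruna, and a DarkSword
        # backport has not been confirmed.
        return "vulnerable"
    return "missing_final_fixes"      # newer than iOS 18 but below 26.3

def triage(inventory_csv):
    report = {"patched": [], "missing_final_fixes": [], "vulnerable": [],
              "unknown": [], "lockdown_priority": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["os_version"])
        report[status].append(row["device"])
        # Assumed prioritisation: elevated-risk users on unpatched devices first.
        high_risk = row["high_risk_user"].strip().lower() == "yes"
        if high_risk and status != "patched":
            report["lockdown_priority"].append(row["device"])
    return report

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Devices with an unparseable version are reported separately rather than assumed safe, since they cannot be shown to be on iOS 26.3 or later.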


