A new exploit kit and delivery framework for iOS devices, dubbed "DarkSword," has been used to steal a wide range of private information, including data from cryptocurrency wallet apps.
DarkSword targets iPhones running iOS 18.4 through 18.7 and is linked to multiple actors, including UNC6353, a suspected Russian group that also used the Coruna exploit chain disclosed earlier this month.
Researchers at mobile security company Lookout discovered DarkSword while investigating the infrastructure used in the Coruna attacks. Google's Threat Intelligence Group and iVerify also collaborated on a more comprehensive analysis of this previously unknown threat and the adversaries leveraging it.
iVerify's findings indicate that all of the flaws exploited in this chain (sandbox escape, privilege escalation, remote code execution) are known or documented, and Apple has already addressed them in the latest iOS releases.
The DarkSword exploit kit uses six vulnerabilities, tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

Source: Lookout
DarkSword attacks
In a report published today, Google Threat Intelligence Group (GTIG) says that DarkSword has been used since at least November 2025 by multiple threat actors, who deployed three separate malware families:
- GHOSTBLADE, a JavaScript data miner that steals a swath of data, including crypto wallet data, device and connectivity information, browser history, photos, location and mobility data, and communication data from iMessage, Telegram, WhatsApp, email, calls, and contacts
- GHOSTKNIFE, a backdoor that can exfiltrate various types of data (signed-in accounts, messages, browser data, location history, recordings)
- GHOSTSABER, a JavaScript backdoor that can enumerate devices and accounts, list files, execute JavaScript code, and steal data
The first adversary observed using the exploit chain is UNC6748, in attacks targeting Saudi Arabian users via a website impersonating Snapchat.
GTIG says that in late November 2025, DarkSword was used in Turkey, in activity associated with PARS Defense, a Turkish commercial surveillance vendor, against devices running iOS 18.4 through 18.7.
“Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim,” GTIG notes.
Earlier this year, Google researchers saw DarkSword used in Malaysia by another PARS Defense customer, delivering the GHOSTSABER backdoor.
UNC6353, a suspected Russian espionage actor, has been using the Coruna exploit kit since last summer, and in December 2025 started leveraging DarkSword exploits against Ukrainian targets.
The activity continued through March 2026 in watering hole attacks, with compromised websites deploying the GHOSTBLADE malware to exfiltrate data from compromised targets.
One observation from the Google researchers is that although "earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline."

Source: GTIG
According to Lookout researchers, both Coruna and DarkSword show signs of codebase expansion with large language model (LLM) assistance. This is particularly visible in DarkSword, which contains numerous comments explaining the code's functionality.
“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” Lookout says.
“This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development and extensibility.”
DarkSword delivery chain
Apart from the 1-click DarkSword exploit kit, iVerify also found a Safari exploit with "sandbox escape, privilege escalation, and in-memory implants" that stole sensitive data from devices.
DarkSword attacks start in the Safari browser, where multiple exploits are chained to obtain kernel read/write access, after which code is executed through a main orchestrator component (pe_main.js).
It is unknown how the websites that launched these attacks were compromised in the first place, but the threat actors had sufficient access to inject malicious iframes into the HTML code of those sites.
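Because the exploit reached victims through iframes injected into otherwise legitimate pages, an owner of a site that could be used as a watering hole can look for exactly that artifact in the HTML they actually serve. The following Python check is an added example, not code from Lookout, GTIG, or iVerify, and it uses no indicator from their reports: it parses a page with the standard-library HTML parser and flags any iframe that points to a host outside an allowlist or that is styled to be invisible (hidden via CSS or zero-sized). The sample page and the host names in it are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


def _is_zero(value):
    """True for width/height values such as "0" or "0px"."""
    return value is not None and re.match(r"^\s*0+(px)?\s*$", value) is not None


class IframeAuditor(HTMLParser):
    """Collect <iframe> tags and record the ones that look injected."""

    def __init__(self, allowed_hosts):
        super().__init__()
        # Hosts the site owner legitimately embeds (first-party, known widgets).
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # boolean attributes map to None
        reasons = []

        src = (a.get("src") or "").strip()
        host = urlparse(src).hostname  # None for relative URLs such as /x.html
        if host and host.lower() not in self.allowed_hosts:
            reasons.append(f"off-allowlist src host {host}")

        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")

        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size frame")

        if reasons:
            self.findings.append(
                {"line": self.getpos()[0], "src": src, "reasons": reasons}
            )


def audit_html(html, allowed_hosts):
    """Return a list of suspicious iframes found in the given HTML document."""
    parser = IframeAuditor(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate first-party embed and one injected,
# hidden, zero-sized frame pointing at a hypothetical staging host (.invalid TLD).
SAMPLE_HTML = """<!doctype html>
<html><head><title>Example site</title></head>
<body>
<iframe src="https://www.example.com/widgets/video.html" width="560" height="315"></iframe>
<p>Regular page content.</p>
<iframe src="https://cdn.staging.invalid/loader.html" width="0" height="0"
        style="display:none; border:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, {"www.example.com"}):
        print(f"line {f['line']}: {f['src'] or '(no src)'} -> {', '.join(f['reasons'])}")
```

Run it against the HTML as served (fetched over the network, not the copy in your repository), since an attacker with write access to the web root or to a CDN edge modifies what is delivered, not what is in source control. A first-party frame that is legitimately hidden will show up too; the point is to turn every iframe into something a human has to explain.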

Source: Lookout
The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, SpringBoard, Keychain, and iCloud, and then activates data-stealing modules (e.g., GHOSTBLADE) that collect the following information:
- Saved passwords
- Photos, including screenshots and hidden image files
- WhatsApp and Telegram databases
- Cryptocurrency wallets (Coinbase, Binance, Ledger, and others)
- Text messages (SMS)
- Address book
- Call history
- Location history
- Browser history
- Cookies
- Wi-Fi history and passwords
- Apple Health data
- Calendar
- Notes
- Installed applications
- Linked accounts
Notably, DarkSword wipes its temporary files and exits once the above has been exfiltrated to the threat actors, indicating that it was not designed for long-term surveillance operations.
Lookout assesses that DarkSword is used by a Russian threat actor with financial objectives that also conducts espionage aligned with Russian intelligence requirements.
iPhone users are advised to upgrade to iOS 26.3.1 (the latest version), released earlier this month, and to enable Lockdown Mode if they are at high risk of being targeted by malware.
For those using older devices that do not qualify for an update to the latest iOS version, Apple may backport fixes as it did for the Coruna exploits, but this has not been confirmed yet.
Update [March 18, 11:39]: Article updated with information from the Google Threat Intelligence Group about the DarkSword exploit kit, made available to BleepingComputer after publishing time.