A new iOS exploit kit called DarkSword has been active since late 2025, used by state-sponsored and commercial actors alike to steal data from iPhones. The kit targets devices running iOS 18.4 through 18.7 and exfiltrates credentials and cryptocurrency wallet data after gaining kernel-level access through a chain of six vulnerabilities.
A sophisticated mobile exploit kit known as DarkSword has been targeting Apple iOS devices since November 2025, according to Google's threat intelligence researchers. This full-chain kit has been deployed by several different entities, including commercial surveillance vendors and state-sponsored groups. Notable campaigns have been identified in Saudi Arabia, Turkey, Malaysia, and Ukraine, where the kit is used to gain deep access to the victim's device; the only interaction required is that the victim visit a page serving the chain.
The discovery follows closely on the heels of another kit named Coruna, marking an increase in the availability of high-end mobile exploits. DarkSword specifically targets iPhones running versions between iOS 18.4 and 18.7, so the practical mitigation is to move affected devices to a current iOS release. One specific threat group, a Russian-linked entity tracked as UNC6353, has been observed using both DarkSword and Coruna in operations against Ukrainian targets, compromising legitimate websites to deliver the malicious payloads to visitors (a watering-hole style of delivery).
Unlike long-term surveillance implants, DarkSword operates with a hit-and-run strategy designed for speed and evasion. Once a device is compromised, the kit extracts a wide range of personal information, specifically hunts for cryptocurrency wallet data, and then cleans up its tracks within minutes. Researchers suggest that this focus on digital currency indicates some of the actors using the kit are motivated by financial gain rather than traditional political espionage.
The technical architecture of the exploit involves a sequence of six distinct vulnerabilities, three of which were exploited as zero-days before Apple issued patches. The flaws sit in several components of the operating system, from the JavaScriptCore JavaScript engine, reached through the browser when the victim loads the malicious page, to the iOS kernel. By chaining these vulnerabilities together, attackers bypass mitigations such as Pointer Authentication Codes (PAC) and achieve full kernel-level access to the device.
Security analysts identified the kit by monitoring malicious infrastructure that relied on hidden iframes injected into compromised websites. These iframes load a script that fingerprints the visitor's device and only initiates the exploit chain if the visitor is an iPhone in the vulnerable version range; other visitors receive nothing. The proliferation of such advanced tools among various groups highlights a growing secondary market in which even smaller threat actors can acquire top-tier exploits to compromise mobile devices.
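The two ingredients described above, a hidden third-party iframe on a compromised page and a fingerprint check that gates delivery on the visitor's iOS version, can both be checked for from the defender's side. The script below is an added example written for this page; it is not code from the DarkSword kit or from Google's report. It scans a page for iframes that are hidden by style or by 1x1 sizing and points out which of them load from a host other than the site's own, and it parses the iOS version out of a Safari User-Agent string to decide whether a visitor falls in the 18.4 to 18.7 range the article gives. The sample HTML, the site hostname `news.example.org` and the User-Agent strings are all constructed for the example. Note the caveat in `in_targeted_range`: the iOS User-Agent carries only major and minor version, so a patched point release in the same minor cannot be distinguished from an unpatched one; the check is an upper bound, not proof of vulnerability.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate embed, one injected hidden
# third-party iframe, and one tiny first-party iframe for comparison.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="https://video.example.org/embed/123" width="640" height="360"></iframe>
<iframe src="https://cdn-metrics.example.net/l.php"
        style="display:none;width:0;height:0;border:0"></iframe>
<iframe src="/local/widget" width="1" height="1"></iframe>
</body></html>
"""

# Hypothetical hostname of the site being inspected (assumption for the example).
SITE_HOST = "news.example.org"

# Inline-style patterns commonly used to make an iframe invisible.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0(?:px)?(?![.\d])|opacity\s*:\s*0(?![.\d])",
    re.I,
)


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel (tracking-pixel sized)."""
    try:
        return int(value) <= 1
    except (TypeError, ValueError):
        return False


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, site_host):
    """Return hidden iframes, flagging those that load from a foreign host.

    A hidden iframe sourced from a host other than the site's own is the
    shape of the injection described in the article; a hidden first-party
    iframe is reported too but is a weaker signal.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        style = attrs.get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style)) or (
            _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height"))
        )
        if not hidden:
            continue
        m = re.match(r"https?://([^/:]+)", src, re.I)
        host = m.group(1).lower() if m else site_host  # relative src = same site
        hits.append({"src": src, "host": host, "third_party": host != site_host})
    return hits


# Safari on iOS reports e.g. "CPU iPhone OS 18_5 like Mac OS X": major_minor only.
UA_IOS = re.compile(r"iPhone OS (\d+)_(\d+)")


def ios_version(user_agent):
    """(major, minor) from an iPhone User-Agent, or None if it is not an iPhone."""
    m = UA_IOS.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_targeted_range(user_agent, low=(18, 4), high=(18, 7)):
    """Whether the visitor's iOS falls in the range the article names.

    Caveat: the User-Agent omits the patch level, so a fixed point release
    within 18.7 is indistinguishable from an unpatched one here.
    """
    version = ios_version(user_agent)
    return version is not None and low <= version <= high


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, SITE_HOST):
        print("hidden iframe:", hit)
    ua = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"
    print("in targeted range:", in_targeted_range(ua))
```

Run it against a saved copy of a suspect page and its access logs: every hidden third-party iframe is worth resolving, and the version check turns a raw log into a list of visitors who should be told to update.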
Source: https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain