
‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors

SecurityWeek, archived Mar 18, 2026

Targeting six iOS vulnerabilities and leading to full device compromise, the exploit chain is meant for surveillance.



Security researchers have discovered another sophisticated iOS exploit kit and found evidence that it has been used by both state-sponsored hackers and commercial spyware vendors. A Russian state-sponsored espionage group tracked as UNC6353 has been using the iOS exploit kit in attacks against Ukraine.

In early March, Google and iVerify shared details on Coruna, a powerful exploit kit targeting 23 vulnerabilities in iOS 13 through 17.2.1, including nearly a dozen zero-days. Flagged as the first mass-exploitation kit targeting iOS devices, Coruna was used by UNC6353 in watering hole attacks against Ukraine and later leveraged by financially motivated groups due to its cryptocurrency-theft capabilities.

On Wednesday, iVerify, Google, and Lookout shared details on a second mass-exploitation iOS kit used by UNC6353. Named DarkSword, it targets six vulnerabilities in Apple's mobile platform and leads to full device compromise with minimal user interaction.

DarkSword shares infrastructure with Coruna and was used in watering hole attacks against Ukraine, suggesting that they are part of the same threat actor's arsenal. Google has also found evidence that DarkSword has been used by commercial surveillance vendors, including one tracked as UNC6748, in attacks targeting Saudi Arabia, Turkey, and Malaysia.

Written completely in JavaScript, DarkSword starts with the exploitation of Safari bugs to achieve remote code execution (RCE), continues with a sandbox escape, and shifts to exploiting kernel flaws to inject and execute JavaScript code for privilege escalation and final payload execution.

The observed attacks were mounted through malicious iframes injected in the websites of the independent news agency News of Donbas and the official website for the Seventh Administrative Court of Appeals in Vinnytsia.

The full exploit chain

The targeted vulnerabilities are CVE-2025-31277, CVE-2025-43529, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520, and CVE-2026-20700.
CVE-2025-31277 and CVE-2025-43529 are two WebContent process JIT issues leading to arbitrary memory read/write primitives, which DarkSword exploits during the initial phase of the attack. It then targets CVE-2026-20700 to bypass the Trusted Path Read-Only (TPRO) and Pointer Authentication Codes (PAC) protections and achieve arbitrary code execution. That flaw was patched in February as a zero-day.

Next, the exploit chain targets CVE-2025-14174, an out-of-bounds write vulnerability in ANGLE, combined with the PAC bypass, to escape Safari's sandbox via the GPU process. CVE-2025-43529 and CVE-2025-14174 were patched in December.

From the GPU process, the exploit targets the XNU kernel via CVE-2025-43510, a copy-on-write bug that provides arbitrary memory read/write primitives in the mediaplaybackd daemon, which are then leveraged to exploit CVE-2025-43520 for kernel privilege escalation.

Extensive information theft capabilities

The final payload, Lookout explains, is an orchestrator for numerous modules that enable the attackers to exfiltrate sensitive information from the infected devices. It targets passwords, photos, WhatsApp and Telegram messages, text messages, contacts, call history, browser data (cookies, history, and passwords), installed applications, Wi-Fi data and passwords, Apple Health data, calendar and notes, information on the connected accounts, and cryptocurrency wallets.

"This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high-level programming language. This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development, and extensibility," Lookout notes.

The cybersecurity firm also notes that DarkSword's crypto-targeting capabilities suggest that UNC6353 might have expanded its capabilities into financial theft, or that it was a financially motivated threat actor all along.
The Coruna exploit used by UNC6353 did not target cryptocurrency wallets.

Millions of iPhones potentially impacted

Apple has rolled out patches for all the vulnerabilities targeted by both Coruna and DarkSword, but hundreds of millions of devices may still be exposed to attacks, the security researchers warn.

"We estimate that the DarkSword exploit chain still impacts a significant portion of iPhone users. Specifically, 14.2% of users (approximately 221,520,000 devices) running iOS versions between 18.4 and 18.6.2 are believed to be vulnerable," iVerify says.

The cybersecurity firm notes that the number of affected devices might be much higher if the targeted vulnerabilities can be exploited against iOS versions below 18.4 and above 26.x. "Based on the assumption that all iOS 18 versions are susceptible to the majority of the vulnerabilities in this chain, approximately 18.99% of users (296,244,000) may be affected," iVerify explains.

Users are advised to update to iOS 26.3.1 or 18.7.6, the latest releases on each branch that include patches for all vulnerabilities in the DarkSword exploit kit.

Attacks in Saudi Arabia, Turkey, and Malaysia

Over the past five months, Google identified three payloads dropped in successful DarkSword attacks, namely GhostBlade, GhostKnife, and GhostSaber.

In November 2025, the internet giant says, DarkSword was used by UNC6748 to target Saudi Arabian users in a watering hole attack employing a Snapchat-themed website. The malware used, GhostKnife, is a JavaScript backdoor that packs extensive information theft capabilities.

In late November, commercial surveillance vendor PARS Defense employed DarkSword in attacks against users in Turkey, and in January 2025 used it in attacks against Malaysian users. The payload in these attacks was GhostSaber, a JavaScript backdoor capable of file exfiltration, device and account enumeration, data theft, and arbitrary JavaScript code execution.
The UNC6353 attacks employing DarkSword against Ukraine started in December 2025, delivering the GhostBlade malware, which packs information-stealer functionality but lacks backdoor capabilities, in line with iVerify's and Lookout's findings.

"There are notable similarities and differences between the exploit delivery implementations used by UNC6748, PARS Defense, and UNC6353. We assess that each of the actors built their delivery mechanisms on a base set of logic from the DarkSword developers, and made tweaks to fit their own needs," Google explains.

Google also notes that, while the DarkSword exploit used by UNC6353 only targeted devices running iOS versions 18.4-18.6, the variant employed by UNC6748 and PARS Defense also targeted iOS version 18.7.

"Watering-hole attacks abusing compromised legitimate websites are essentially zero-click attacks in that the intended victim might already be frequenting the malicious site anyway. Even if a user needs to be lured to the site, social engineering defensive training is not effective since the infection URL is legitimate," Lookout notes.

*Updated with additional information from Google.

Written by Ionut Arghire, international correspondent for SecurityWeek.
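The version guidance in the article (18.7.6 and 26.3.1 as the first builds on each branch that fix the whole chain, 18.4 through 18.7 as the range hit in observed attacks, and iVerify's assumption that all of iOS 18 may be affected) is easy to misapply when reading raw MDM exports, because "18.7" and "18.7.6" sort as strings rather than as versions. The block below is an added example, not code from SecurityWeek, iVerify, Google or Lookout: it parses version strings into comparable tuples and sorts a device inventory into buckets. The cutoffs are the ones quoted above; the bucket names and the sample inventory are assumptions made here for illustration.

```python
"""
Added example (not from the SecurityWeek article or the vendors it cites):
triage an MDM-style iOS version inventory against the version cutoffs the
article quotes. Bucket names and the inventory below are assumptions.
"""
from __future__ import annotations

from collections import defaultdict

# Boundaries quoted in the article.
OBSERVED_LOW = (18, 4)        # UNC6353 variant targeted 18.4-18.6 ...
OBSERVED_HIGH = (18, 7)       # ... UNC6748 / PARS Defense variant also hit 18.7
PATCHED_IOS18 = (18, 7, 6)    # first iOS 18 build with fixes for the whole chain
PATCHED_IOS26 = (26, 3, 1)    # first iOS 26 build with fixes for the whole chain


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '18.6' or '18.7.6' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """Map one iOS version to a triage bucket using only the article's cutoffs."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major >= 26:
        return "patched" if v >= PATCHED_IOS26 else "update-to-26.3.1"
    if major == 18:
        if v >= PATCHED_IOS18:
            return "patched"
        if OBSERVED_LOW <= (major, minor) <= OBSERVED_HIGH:
            return "exposed-observed"      # inside the range hit in the wild
        return "exposed-assumed"           # iVerify's 'all of iOS 18' assumption
    # Pre-18 builds (and the non-existent 19-25) were not covered by the reporting.
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group device IDs by bucket; unparsable versions land in 'invalid'."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for device_id, version in inventory.items():
        try:
            buckets[classify(version)].append(device_id)
        except ValueError:
            buckets["invalid"].append(device_id)
    return {k: sorted(ids) for k, ids in buckets.items()}


# Constructed sample inventory (device id -> reported OS version), not real data.
SAMPLE_INVENTORY = {
    "iphone-001": "18.6.2",
    "iphone-002": "18.7",
    "iphone-003": "18.7.6",
    "iphone-004": "18.3.1",
    "iphone-005": "26.2",
    "iphone-006": "26.3.1",
    "iphone-007": "17.7",
    "iphone-008": "n/a",
}

if __name__ == "__main__":
    for bucket, ids in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket:18s} {', '.join(ids)}")
```

Tuple comparison is what makes this correct: "18.7" is expanded to (18, 7, 0) so it sorts below (18, 7, 6) and is flagged, where a string comparison would have placed it above. Devices below iOS 18 are reported as "unknown" rather than safe, because the article only says the kit was observed against 18.4-18.7 and may reach lower versions.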