Malware - New Darksword iOS Exploit Targets Personal Data
Basically, new malware called Darksword is stealing personal information from iPhones.
New malware called Darksword is targeting iPhones and stealing sensitive personal data, including cryptocurrency wallet information. Users must update iOS immediately to protect themselves.
What Happened
A sophisticated new exploit kit called Darksword has emerged, specifically targeting iPhones running iOS versions 18.4 through 18.6.2. This malware is linked to a threat actor known as UNC6353, likely based in Russia, who previously used the Coruna exploit chain. Researchers from Lookout Threat Labs discovered Darksword while investigating the infrastructure behind Coruna attacks. They found that Darksword uses multiple known vulnerabilities to gain unauthorized access to personal data.
The exploit kit employs a 1-click delivery method that begins in the Safari browser. Once a user visits a compromised website, Darksword executes a series of exploits to obtain kernel read/write access. This allows the malware to inject malicious code into privileged iOS services, enabling it to steal sensitive information.
Who's Being Targeted
Darksword primarily targets iPhone users, particularly those who have not updated their devices to the latest iOS version. The malware is designed to steal a wide range of personal information, including:
- Saved passwords
- Photos (including hidden images)
- Cryptocurrency wallet data (from apps like Coinbase and Binance)
- Text messages and call history
- Location history
The threat actors behind Darksword are well-funded and have access to various exploits, making them a significant threat to users who may not be aware of the risks.
Signs of Infection
Users may not notice any immediate signs of infection, but there are some indicators to watch for. If your device behaves unusually, such as experiencing slow performance or unexpected app crashes, it could be a sign of malware activity. Additionally, if you notice unauthorized transactions in your cryptocurrency accounts or changes to your saved passwords, it’s crucial to investigate further.
Darksword is designed to wipe temporary files after exfiltrating data, making it harder for users to detect its presence. This stealthy approach is typical of sophisticated malware, which aims to remain undetected while it operates.
How to Protect Yourself
To protect against Darksword, users are strongly advised to upgrade to the latest iOS version, iOS 26.3.1, which includes critical security patches. Enabling Lockdown Mode can also provide an additional layer of security for those at high risk of being targeted.
For users with older devices that cannot be updated, it is recommended to monitor accounts closely and change passwords regularly. Additionally, consider using two-factor authentication for sensitive accounts, especially those related to cryptocurrency. Staying informed about the latest threats and maintaining good security hygiene can significantly reduce the risk of falling victim to malware like Darksword.
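For teams managing many iPhones, the version guidance above can be turned into a quick inventory triage. The following is an added example, not code from the article or from Lookout: the CSV column names and the sample rows are constructed, and the only values taken from the article are the targeted range (18.4 through 18.6.2) and the recommended version (26.3.1).

```python
import csv
import io

# Version bounds taken from the article text.
TARGETED_MIN = (18, 4, 0)
TARGETED_MAX = (18, 6, 2)
RECOMMENDED = (26, 3, 1)

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """device_id,os_version,lockdown_mode
iphone-001,18.5,false
iphone-002,18.6.2,true
iphone-003,18.7,false
iphone-004,26.3.1,false
iphone-005,17.6.1,false
iphone-006,unknown,false
"""

def parse_version(text):
    """Return a 3-part integer tuple, or None if text is not a dotted version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # "18.5" -> (18, 5, 0)

def classify(os_version):
    v = parse_version(os_version)
    if v is None:
        return "unknown"  # needs manual follow-up, never assume safe
    if TARGETED_MIN <= v <= TARGETED_MAX:
        return "in_targeted_range"
    if v < RECOMMENDED:
        return "below_recommended"
    return "current"

def triage(csv_text):
    """Return (device_id, status, urgent) for every inventory row."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["os_version"])
        lockdown = row["lockdown_mode"].strip().lower() == "true"
        # Prioritise targeted-range devices that also lack Lockdown Mode.
        report.append((row["device_id"], status,
                       status == "in_targeted_range" and not lockdown))
    return report

if __name__ == "__main__":
    for device_id, status, urgent in triage(SAMPLE_INVENTORY):
        print(f"{device_id:12} {status:18} {'URGENT' if urgent else ''}")
```

Devices reported as `below_recommended` are outside the range the article names as targeted but still lack the patches in the recommended release, so they belong in the update queue as well.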
BleepingComputer