DarkSword - New Exploit Kit Targets iOS Devices
Basically, a new tool can break into iPhones and steal personal information quickly.
A new exploit kit named DarkSword targets iOS devices to steal sensitive data. Multiple threat actors are involved, raising significant security concerns. Users are urged to update their devices and remain vigilant against phishing attacks.
The Threat
DarkSword is a newly discovered exploit kit targeting Apple iOS devices. It has been in use since November 2025, with multiple threat actors leveraging it to steal sensitive data. Reports from the Google Threat Intelligence Group (GTIG) and others reveal that this exploit kit is designed to take advantage of six vulnerabilities and includes three zero-day exploits. It primarily targets iPhones running iOS versions between 18.4 and 18.7. The kit has been linked to various actors, including a suspected Russian espionage group named UNC6353.
The exploit chain is sophisticated, allowing attackers to gain complete access to a victim's device with minimal user interaction. DarkSword's design enables it to extract a wide range of personal information, particularly from cryptocurrency wallet applications, indicating a financially motivated threat actor. The kit operates using a 'hit-and-run' approach, quickly exfiltrating data and cleaning up traces after the operation.
Who's Behind It
Multiple threat actors are utilizing DarkSword, including state-sponsored groups and commercial surveillance vendors. The primary actor linked to this exploit kit is UNC6353, which has also been associated with previous attacks targeting Ukrainian users. Their tactics include using compromised websites to deliver the exploit, often through watering hole attacks. This method allows them to infect users visiting these sites without direct targeting.
Other actors, such as UNC6748 and PARS Defense, have also employed DarkSword to carry out attacks on users in Saudi Arabia and Turkey. These groups demonstrate the ongoing risk of exploit proliferation, where various actors can access advanced exploit kits for different purposes, including espionage and financial theft.
Tactics & Techniques
DarkSword chains together a complex series of vulnerabilities to achieve its objectives. It exploits three zero-days, CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174, alongside other vulnerabilities. These vulnerabilities allow it to bypass security measures and execute code that can access sensitive information stored on the device. The exploit chain begins when a user visits a compromised webpage, which triggers malicious JavaScript that initiates the attack.
Once activated, DarkSword can escape the confines of the Safari browser's sandbox, gaining access to restricted parts of the iOS operating system. This includes the ability to read and write sensitive data, such as contacts, messages, and even cryptocurrency wallet information. The malware's design suggests a high level of sophistication, indicating that it was developed for long-term use and adaptability.
Defensive Measures
To protect against the DarkSword exploit kit, users should ensure their iOS devices are updated to the latest version. Apple regularly releases patches for known vulnerabilities, and keeping devices updated can mitigate the risk of exploitation. Users should also be cautious when visiting unfamiliar websites, especially those that may be compromised.
Additionally, employing security measures such as VPNs, firewalls, and antivirus software can help safeguard personal information. Awareness of phishing tactics and suspicious links is crucial in preventing such attacks. Ultimately, understanding the risks associated with mobile device security is essential in today’s digital landscape.
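Added example, not from the original article: a triage of a device inventory export against the iOS range the article names (18.4 to 18.7), so that devices needing an update can be prioritised. The CSV column names and sample rows are constructed, and counting point releases such as 18.7.1 as in range is an assumption.

```python
import csv
import io

# Targeted range as stated in the article: iOS 18.4 through 18.7.
# Assumption: point releases (e.g. 18.7.1) count as inside the range.
TARGET_MIN, TARGET_MAX = (18, 4), (18, 7)

# Constructed sample inventory; the column names are hypothetical, not a real MDM schema.
SAMPLE_INVENTORY = """device_id,model,os_version
ph-001,iPhone 15,18.3.2
ph-002,iPhone 14,18.4
ph-003,iPhone 16 Pro,18.7.1
ph-004,iPhone 13,iOS 18.6
ph-005,iPhone 16,26.0
ph-006,iPhone 12,
ph-007,iPhone 15,18.x-beta
"""

def parse_major_minor(raw):
    """Return (major, minor) from strings like '18.6.2' or 'iOS 18.6'; None if unparseable."""
    text = raw.strip()
    if text.lower().startswith("ios"):
        text = text[3:].strip()
    parts = text.split(".")
    if not parts[0].isdigit():
        return None
    minor = parts[1] if len(parts) > 1 else "0"
    if not minor.isdigit():
        return None
    return int(parts[0]), int(minor)

def triage(inventory_csv):
    """Split device ids into 'in_range', 'outside' and 'unknown' by reported iOS version."""
    result = {"in_range": [], "outside": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_major_minor(row.get("os_version") or "")
        if version is None:
            bucket = "unknown"  # review by hand rather than assume the device is fine
        elif TARGET_MIN <= version <= TARGET_MAX:
            bucket = "in_range"
        else:
            bucket = "outside"
        result[bucket].append(row["device_id"])
    return result

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

A device listed as outside the range is not thereby confirmed patched, since the article gives no fixed version numbers. Entries in the unknown bucket need manual review.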
The Hacker News