Malware & Ransomware · HIGH

Malware - State-Sponsored Spyware Targeting iPhones Exposed


Basically, hackers are using a new tool to steal personal data from iPhones.

Quick Summary

A new exploit kit named DarkSword is targeting iPhones and stealing sensitive data from users. Multiple groups are involved, including state-sponsored actors and commercial spyware vendors. This raises significant privacy concerns for millions of iPhone owners.

What Happened

A new exploit kit named DarkSword has emerged, targeting iPhone users and stealing sensitive information. Security researchers from Google, iVerify, and Lookout revealed that this malware has been in use since at least November 2025. It exploits six vulnerabilities in iOS versions 18.4 through 18.7 to deploy multiple backdoors. These backdoors can extract personal data such as messages, recordings, and location history.

This is not an isolated incident; it's the second exploit kit discovered in a month. The first, Coruna, was also linked to various criminal groups. The use of DarkSword highlights a troubling trend where both state-sponsored actors and commercial spyware vendors are targeting iPhone users for espionage and financial theft.

How It Works

The DarkSword exploit chain is initiated when a user visits a malicious website. Attackers exploit vulnerabilities such as CVE-2025-31277 or CVE-2025-43529 to gain initial remote code execution, then bypass the device's security mitigations to run arbitrary code. This allows them to manipulate the iPhone's processes and ultimately extract sensitive data.

The exploit utilizes multiple vulnerabilities, including CVE-2026-20700, which helps attackers escape the sandbox environment. The final stage involves privilege escalation through CVE-2025-43520, allowing the injection of malicious scripts into system processes. This sophisticated method makes it difficult for users to detect the malware.

Who's Using DarkSword to Spy on iPhone Users?

Multiple groups are reportedly using DarkSword for their operations. One such group, identified as UNC6748, has targeted users in Saudi Arabia using a Snapchat-themed website. Their attacks deployed a JavaScript backdoor named GhostKnife, which steals various types of data, including messages and location.

Another group, UNC6353, has been observed using DarkSword in campaigns against Ukrainian users. They deploy a backdoor called GhostBlade, which collects extensive data from compromised devices. These activities underline the growing threat posed by both state actors and commercial surveillance vendors in the digital landscape.

What You Should Do

To protect yourself from these threats, ensure that your iPhone is updated to the latest iOS version. Apple has patched the vulnerabilities exploited by DarkSword, so regular updates are crucial. Be cautious of suspicious links and websites, as these are often the entry points for such malware.

Additionally, consider using security tools that can help detect and block malicious activities. Awareness of these threats is the first step in safeguarding your personal data against sophisticated spyware campaigns.

🔒 Pro insight: The use of exploit kits like DarkSword highlights the need for continuous monitoring and rapid patching to combat evolving threats.

Original article from The Register Security.
