
DarkSword Exploit Hits iPhones, Stealing Crypto Wallets and Sensitive Data at Scale

A newly discovered iOS exploit framework called DarkSword is being actively used in sophisticated infostealer attacks targeting iPhones. The threat is capable of extracting a wide range of sensitive user data, including information from cryptocurrency wallet applications.

Security researchers from Lookout uncovered DarkSword while analyzing infrastructure tied to earlier Coruna exploit activity. The investigation was supported by Google Threat Intelligence Group and iVerify, providing a broader view of the threat landscape and actors involved.

Targets and Vulnerabilities

DarkSword specifically targets devices running iOS versions 18.4 through 18.7. It leverages six known vulnerabilities:

  • CVE-2025-31277
  • CVE-2025-43529
  • CVE-2026-20700
  • CVE-2025-14174
  • CVE-2025-43510
  • CVE-2025-43520

These flaws include combinations of remote code execution, sandbox escape, and privilege escalation. All have already been patched in newer iOS releases, meaning updated devices are protected.

Malware Capabilities

The exploit kit has been used since at least November 2025 by multiple threat actors, deploying three main malware families:

  • GHOSTBLADE: A JavaScript-based infostealer that extracts extensive personal data, including crypto wallet details, messages, photos, browser history, and location data.
  • GHOSTKNIFE: A backdoor designed to exfiltrate account data, communications, and recordings.
  • GHOSTSABER: A flexible JavaScript backdoor capable of enumerating devices, executing code, and stealing files.

Threat Actors and Campaigns

Several groups have been linked to DarkSword usage:

  • UNC6748 targeted users in Saudi Arabia through a fake Snapchat website.
  • A customer of PARS Defense used DarkSword in Turkey with enhanced operational security, including encrypted exploit delivery.
  • Another PARS Defense-linked campaign was observed in Malaysia deploying GHOSTSABER.
  • UNC6353, a suspected Russian espionage actor, began using DarkSword in December 2025 against Ukrainian targets, continuing into 2026 through watering hole attacks on compromised websites.

Attack Chain and Delivery

DarkSword infections begin in the Safari browser. Attackers inject malicious iframes into compromised websites, which trigger exploit scripts tailored to the victim’s iOS version.
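The delivery step above is a frame injected into a site the attacker has compromised. As an added example (not code from the article, Lookout, or any of the cited groups), the following script lets a site operator check their own pages for iframes whose source is neither the site's own origin nor an allowlisted embed host, which is the kind of change a watering-hole injection introduces. The page markup and every `.example` hostname are constructed sample data.

```python
# Added site-integrity example (not code from the article or Lookout).
# It lists <iframe> elements whose source is not same-origin or on an
# operator-maintained allowlist. Hostnames ending in .example and the
# sample page are constructed for the demonstration.

from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def unexpected_iframes(html: str, site_host: str,
                       allowed_hosts: Tuple[str, ...] = ()) -> List[str]:
    """Return one finding string per iframe that is neither same-origin nor allowlisted."""
    collector = IframeCollector()
    collector.feed(html)
    findings: List[str] = []
    for attrs in collector.iframes:
        src = attrs.get("src")
        if src is None:
            # An iframe with only srcdoc carries an inline document; worth a look.
            if "srcdoc" in attrs:
                findings.append("inline srcdoc iframe")
            continue
        parts = urlsplit(src.strip())
        if parts.scheme in ("javascript", "data"):
            findings.append(f"{parts.scheme}: iframe source: {src}")
            continue
        host = parts.hostname
        if host is None:            # relative URL, so same origin as the page
            continue
        if host == site_host or host in allowed_hosts:
            continue
        findings.append(f"third-party iframe: {src}")
    return findings


# Constructed sample page: one same-origin widget, one allowlisted embed,
# one unexpected third-party frame and one inline srcdoc frame.
SAMPLE_PAGE = """\
<html><body>
<h1>Local news</h1>
<iframe src="/widgets/weather.html"></iframe>
<iframe src="https://video.example/embed/4242" allowfullscreen></iframe>
<iframe src="//cdn-static.example/loader.html"></iframe>
<iframe srcdoc="inline document"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in unexpected_iframes(SAMPLE_PAGE, "news.example", ("video.example",)):
        print(finding)
```

Run it against a saved copy of each public page on a schedule and diff the findings against the previous run; a new entry is the signal, since legitimate embeds rarely change without a deploy.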

Once executed, the exploit chain achieves kernel-level access and deploys a central orchestrator component. This component injects a JavaScript engine into privileged iOS services such as:

  • App Access
  • Wi-Fi services
  • SpringBoard
  • Keychain
  • iCloud

From there, data-stealing modules collect a wide range of sensitive information, including:

  • Saved passwords
  • Photos and hidden files
  • Messaging app databases (WhatsApp, Telegram)
  • Cryptocurrency wallet data (e.g., Coinbase, Binance, Ledger)
  • SMS and call logs
  • Contacts and calendars
  • Location and browsing history
  • Wi-Fi credentials
  • Apple Health data
  • Installed apps and linked accounts

After exfiltrating the data, the malware removes temporary files and exits, indicating a focus on rapid data theft rather than long-term persistence.

Technical Sophistication

Researchers noted that both DarkSword and the earlier Coruna exploit chain show signs of development assisted by large language models. The code includes detailed comments and structured design, suggesting a focus on maintainability and scalability.

Mitigation and Recommendations

Users are strongly advised to update their devices to the latest version of iOS, currently iOS 26.3.1, which patches all known vulnerabilities exploited by DarkSword.

For individuals at higher risk, enabling Lockdown Mode is recommended to reduce exposure to advanced threats. Devices that cannot receive updates may potentially receive backported fixes, although this has not been confirmed.
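The affected range in the Targets and Vulnerabilities section (iOS 18.4 through 18.7) and the fixed release named here (iOS 26.3.1) are the two facts an administrator needs to triage a fleet. The script below is an added example, not code from the article, Lookout, or Apple; it parses iOS version strings from an inventory export and groups devices as affected, patched, or in need of a check against Apple's own security notes. The export format and all device ids are constructed.

```python
# Added triage example (not code from the article, Lookout, or Apple).
# Classifies iOS version strings against the two facts the article gives:
# the DarkSword-affected range 18.4 through 18.7 and the fixed release 26.3.1.
# The inventory export at the bottom is constructed sample data.

from typing import Dict, List, Tuple

AFFECTED_MIN = "18.4"     # from the article
AFFECTED_MAX = "18.7"     # from the article; 18.7.x point releases are treated as in range
FIXED_VERSION = "26.3.1"  # from the article


def parse_version(version: str) -> Tuple[int, ...]:
    """'18.7.2' -> (18, 7, 2); short strings are padded so '18.7' compares as 18.7.0."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def classify(version: str) -> str:
    """Return 'patched', 'affected', 'verify' or 'unparseable' for one iOS version."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    if v >= parse_version(FIXED_VERSION):
        return "patched"
    lo, hi = parse_version(AFFECTED_MIN), parse_version(AFFECTED_MAX)
    # Compare on major.minor so that 18.7.2 falls inside "18.4 through 18.7".
    if lo[:2] <= v[:2] <= hi[:2]:
        return "affected"
    # Releases outside the documented range (older than 18.4, or 26.0 up to
    # 26.3.0) are not covered by the article; confirm against Apple's notes.
    return "verify"


def triage(inventory_csv: str) -> Dict[str, List[str]]:
    """Group device ids by classification; input is 'device_id,ios_version' per line."""
    groups: Dict[str, List[str]] = {
        "patched": [], "affected": [], "verify": [], "unparseable": []
    }
    for line in inventory_csv.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",", 1)]
        if len(fields) != 2:
            groups["unparseable"].append(line)
            continue
        device_id, version = fields
        groups[classify(version)].append(device_id)
    return groups


# Constructed sample export; device ids and versions are made up.
SAMPLE_INVENTORY = """\
# device_id,ios_version
phone-001,18.7.2
phone-002,26.3.1
phone-003,18.3.1
phone-004,26.1
phone-005,18.4
phone-006,unknown
"""

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>11}: {', '.join(devices) or '-'}")
```

The "verify" bucket is deliberate: the article only states that the flaws are fixed in newer releases and names 26.3.1 as current, so a device on, say, 26.1 is not known to be exposed from this text alone and should be checked against the vendor advisory rather than silently marked safe.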

1 Comment

  • This is a highly concerning development, especially given the level of sophistication and the wide range of data being targeted. It’s a strong reminder of how critical it is to keep devices updated and to remain cautious when browsing, even on trusted platforms. The use of known vulnerabilities in such an advanced exploit chain also highlights how quickly threat actors can weaponize disclosed flaws. Apple users, particularly those at higher risk, should take this seriously and enable additional protections like Lockdown Mode.

