
A new exploit kit for Apple iOS devices designed to steal sensitive data has been exploited by multiple attackers since at least November 2025, according to a report from Google Threat Intelligence Group (GTIG), iVerify, and Lookout.
According to GTIG, multiple commercial surveillance vendors and suspected state-sponsored attackers utilized the full-chain exploit kit, codenamed DarkSword, in separate campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine.
The discovery of DarkSword makes it the second iOS exploit kit discovered in less than a month, after Coruna. The kit is designed to target iPhones running iOS versions from iOS 18.4 to 18.7 and was allegedly deployed by a suspected Russian spy group called UNC6353 in attacks targeting users in Ukraine.
It is worth noting that UNC6353 is also associated with the use of Coruna in attacks targeting Ukrainians by injecting JavaScript frameworks into compromised websites.
“DarkSword aims to extract a wide range of personal information from devices, including credentials, and specifically targets a number of crypto wallet apps, suggesting it is a financially motivated attacker,” Lookout said. “Notably, DarkSword appears to take a ‘hit-and-run’ approach by collecting and extracting targeted data from devices within seconds, or minutes at most, and then cleaning up.”
Exploit chains such as Coruna and DarkSword are designed to facilitate complete access to a victim’s device with little or no interaction required on the user’s part. This finding reiterates that a second-hand market for exploits exists, allowing threat groups with limited resources and goals that do not necessarily align with cyber espionage to acquire “top-of-the-line exploits” and use them to infect mobile devices.
“The use of both DarkSword and Coruna by a variety of threat actors demonstrates the continued risk of exploit spread among threat actors with different geographies and motivations,” GTIG said.
The exploit chain linked to the newly discovered kit leverages six different vulnerabilities to deploy three payloads. CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174 were exploited as zero-days before being patched by Apple.
- CVE-2025-31277 – JavaScriptCore memory corruption vulnerability (patched in version 18.6)
- CVE-2026-20700 – user-mode Pointer Authentication Code (PAC) bypass in dyld (patched in version 26.3)
- CVE-2025-43529 – JavaScriptCore memory corruption vulnerability (patched in versions 18.7.3 and 26.2)
- CVE-2025-14174 – ANGLE memory corruption vulnerability (patched in versions 18.7.3 and 26.2)
- CVE-2025-43510 – iOS kernel memory management vulnerability (patched in versions 18.7.2 and 26.1)
- CVE-2025-43520 – iOS kernel memory corruption vulnerability (patched in versions 18.7.2 and 26.1)
Lookout said it discovered DarkSword while analyzing the malicious infrastructure associated with UNC6353: one of the compromised domains hosted a malicious iframe element that loaded JavaScript to fingerprint the visiting device and decide whether the visitor should be routed to an iOS exploit chain. How the websites themselves were compromised is currently unknown.

What made this notable was that the JavaScript specifically looked for iOS devices running versions 18.4 through 18.6.2, unlike Coruna, which targeted older iOS versions from 13.0 to 17.2.1.
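As an added defender-side example (not code from the report or from any of the vendors named), the fix levels in the CVE list above and the version check DarkSword performs on visitors can be turned into an exposure triage over web-server access logs: it parses the iOS version that Mobile Safari reports in its user agent and lists which of the six CVEs that version still lacks a fix for, using only the patch versions the article gives. The log lines and client addresses are constructed samples.

```python
import re
from typing import Optional
# Fix versions per CVE exactly as the article lists them (iOS 18.x and 26.x branches).
PATCHED_IN = {
    "CVE-2025-31277": ["18.6"],
    "CVE-2026-20700": ["26.3"],
    "CVE-2025-43529": ["18.7.3", "26.2"],
    "CVE-2025-14174": ["18.7.3", "26.2"],
    "CVE-2025-43510": ["18.7.2", "26.1"],
    "CVE-2025-43520": ["18.7.2", "26.1"],
}
# Mobile Safari reports the OS as e.g. "CPU iPhone OS 18_6_2 like Mac OS X".
_UA_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")

def parse_version(text: str) -> tuple:
    """Turn '18.7.3' (or '18_6') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.split(r"[._]", text)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def version_from_user_agent(ua: str) -> Optional[tuple]:
    """Extract the iOS version from a user-agent string, or None if not an iPhone."""
    m = _UA_RE.search(ua)
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None

def is_patched(device: tuple, fixes: list) -> bool:
    """Patched if at/after the fix on the device's own branch, or on a later branch
    than any the fix shipped on (a fix that landed in 18.6 is in every 26.x)."""
    fix_versions = [parse_version(f) for f in fixes]
    same_branch = [f for f in fix_versions if f[0] == device[0]]
    if same_branch:
        return device >= min(same_branch)
    return device[0] > max(f[0] for f in fix_versions)

def unpatched_cves(device: tuple) -> list:
    return [cve for cve, fixes in PATCHED_IN.items() if not is_patched(device, fixes)]

# Constructed sample access-log lines (client IP, request, user agent); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 "GET /" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_6_2 like Mac OS X) AppleWebKit/605.1.15"',
    '10.0.0.6 "GET /" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_3 like Mac OS X) AppleWebKit/605.1.15"',
    '10.0.0.7 "GET /" "Mozilla/5.0 (iPhone; CPU iPhone OS 26_3 like Mac OS X) AppleWebKit/605.1.15"',
]

def triage(log_lines) -> list:
    """For each iPhone visitor, report (client, iOS version, CVEs still unpatched)."""
    report = []
    for line in log_lines:
        version = version_from_user_agent(line)
        if version is not None:
            report.append((line.split()[0], version, unpatched_cves(version)))
    return report
```

Note that, going purely by the patch versions listed above, a device on 18.7.3 still shows CVE-2026-20700 as outstanding because the only fix the article names for it is 26.3.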
“DarkSword is a complete exploit chain and information theft tool written in JavaScript,” Lookout explained. “Multiple vulnerabilities are used to establish privileged code execution, access sensitive information, and exfiltrate information from the device.”
As with Coruna, the attack chain begins when a user visits, via Safari, a web page that contains an embedded iframe carrying the JavaScript. Once launched, DarkSword escapes the WebContent sandbox (Safari’s renderer process) and uses WebGPU to inject into mediaplaybackd, a system daemon introduced by Apple to handle media playback.
This allows a data-mining implant called GHOSTBLADE to gain access to privileged processes and restricted parts of the file system. After the privilege escalation succeeds, an Orchestrator module loads additional components designed to collect sensitive data and injects an exfiltration payload into SpringBoard to siphon the staged information to an external server over HTTP(S).
This includes emails, iCloud Drive files, contacts, SMS messages, Safari browsing history and cookies, cryptocurrency wallets and exchange data, usernames, passwords, photos, call history, Wi-Fi settings and passwords, location history, calendar, cell phone and SIM information, list of installed apps, data from Apple apps like Notes and Health, and message history from apps like Telegram and WhatsApp.

In its own analysis of DarkSword, iVerify states that the exploit chain first uses a JavaScriptCore JIT vulnerability in the Safari renderer process (CVE-2025-31277 or CVE-2025-43529, chosen according to the iOS version) to achieve remote code execution via CVE-2026-20700, and then leverages the GPU process to escape the sandbox using CVE-2025-14174 and CVE-2025-43510.
The final stage leverages a kernel privilege escalation flaw (CVE-2025-43520) to obtain arbitrary read/write capabilities and arbitrary function call capabilities within mediaplaybackd, ultimately executing the injected JavaScript code.
“This malware is highly sophisticated and appears to be a professionally designed platform that enables rapid development of modules through access to high-level programming languages,” Lookout said. “This additional step shows that a lot of effort went into developing this malware with maintainability, long-term development, and extensibility in mind.”
Further analysis of the JavaScript files used by DarkSword revealed that they contain references to iOS versions 17.4.1 and 17.5.1. This indicates that this kit was ported from a previous version that targeted an older version of the operating system.
Another aspect that distinguishes DarkSword from other spyware is that it is not intended for continuous surveillance or data collection. This means that once the data extraction is complete, the malware cleans up the staged files and exits. According to Lookout, the goal is to minimize dwell time and extract identified data as quickly as possible.
Little is known about UNC6353 other than the use of both Coruna and DarkSword in watering hole attacks against compromised Ukrainian websites. This indicates that this hacker group may have sufficient funds to secure a high-quality iOS exploit chain, likely developed for commercial surveillance. UNC6353 is assessed to be a less technically sophisticated actor whose motives align with Russian intelligence requirements.
“Given both Coruna and DarkSword’s cryptocurrency theft and intelligence gathering capabilities, we must consider the possibility that UNC6353 is a Russian-backed privateering group or criminal proxy threat actor,” Lookout said.
“The complete lack of obfuscation in the DarkSword code, the absence of obfuscation in the iframe’s HTML, and the fact that the DarkSword file receiver is very simply designed and clearly named suggests that UNC6353 either does not have access to strong engineering resources or is not interested in implementing appropriate OPSEC countermeasures.”
The use of DarkSword has also been linked to two other actors.
- UNC6748 targeted users in Saudi Arabia in November 2025 using snapshare[.]chat, a Snapchat-themed website, to deliver an exploit chain that distributed GHOSTKNIFE, a JavaScript backdoor capable of information theft.
- Activity attributed to the Turkish commercial surveillance vendor PARS Defense: in November 2025, DarkSword was used to deliver GHOSTSABER, a JavaScript backdoor that communicates with external servers to facilitate device and account enumeration, file listing, data exfiltration, and arbitrary JavaScript code execution.
Google said that UNC6353’s use of DarkSword observed in December 2025 only supported iOS versions 18.4 through 18.6, while UNC6748 and what is believed to be PARS Defense also targeted iOS devices running version 18.7.
“For the second time in the past month, threat actors have used watering hole attacks to target iPhone users,” iVerify said. “Of note, neither of these attacks were targeted individually; the combined attack could currently impact hundreds of millions of unpatched devices running iOS versions 13 through 18.6.2.”
“In both cases, the tools were discovered due to significant operational security (op-sec) failures and carelessness in the deployment of iOS attack capabilities. These recent events raise several important questions: How large and well-equipped is the market for iOS 0-day and n-day exploits for iOS devices? How accessible are such powerful capabilities to economically motivated attackers?”
