A new iOS exploit kit and delivery framework dubbed “Darksword” has been used to steal a wide range of personal information, including data from cryptocurrency wallet apps.
Darksword targets iPhones running iOS 18.4 through 18.6.2 and is linked to the same, likely Russian, threat actor behind the Coruna exploit chain disclosed earlier this month, Lookout Threat Labs researchers say.
Researchers at Lookout Threat Labs discovered Darksword while investigating the infrastructure used for Coruna attacks. Google’s Threat Intelligence Group and iVerify also collaborated on a more comprehensive analysis of this previously unknown threat.
iVerify’s analysis indicates that all flaws exploited in this chain, including type confusion, use-after-free, out-of-bounds write, copy-on-write kernel bugs, and kernel privilege escalation bugs, are known and documented and have already been fixed by Apple in the latest iOS releases.
The vulnerabilities exploited by Darksword are tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
Source: Lookout
Although attribution is unclear, the threat actor behind Darksword is tracked as UNC6353, which appears to be well-funded and has access to multiple known and unknown exploits.
The researchers found signs of large language model (LLM) tools used for extending Darksword’s functionality, though they note that the malware itself is rather advanced, and not an AI-generated disposable tool.
“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” comments Lookout in the report.
“This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development and extensibility.”
Darksword attacks
Apart from the 1-click Darksword exploit kit, iVerify also found a Safari exploit with “sandbox escape, privilege escalation, and in-memory implants” that stole sensitive data from devices.
Darksword attacks begin in the Safari browser, where multiple exploits are used to obtain kernel read/write access, and then execute code through a main orchestrator component (pe_main.js).
It is unknown how the websites that launched these attacks were compromised in the first place, but the threat actors had sufficient rights to inject malicious iframes into the HTML code of these sites.
Source: Lookout
The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, and then activates data-stealing modules.
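The attack chain described above starts from iframes injected into the HTML of compromised websites, so one check a site operator can run is to scan served pages for frames that point off-site or are deliberately hidden from visitors. The following is an added example, not code from Lookout, iVerify, or the report; the allowlist, the sample page, and the `redirector.injected.invalid` hostname are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of hosts this site legitimately embeds in frames.
ALLOWED_HOSTS = {"www.news-site.example", "player.video-partner.example"}

# Constructed sample page: two legitimate frames and one injected frame that
# is sized 1x1, styled display:none, and points at an off-site host.
SAMPLE_HTML = """
<html><body>
<h1>Daily headlines</h1>
<iframe src="https://player.video-partner.example/embed/123" width="640" height="360"></iframe>
<iframe src="/widgets/weather.html" width="300" height="120"></iframe>
<p>Story text...</p>
<iframe src="https://redirector.injected.invalid/"
        width="1" height="1" style="display:none; position:absolute"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # attrs is a list of (name, value); value is None for bare attributes
        self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def frame_is_hidden(attrs):
    """True when the frame is styled or sized so that a visitor never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    tiny = {"0", "1", "0px", "1px"}
    width = attrs.get("width", "").strip().lower()
    height = attrs.get("height", "").strip().lower()
    return width in tiny and height in tiny


def find_suspicious_iframes(html, allowed_hosts):
    """Return a list of (src, reasons) for frames an operator should review."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        reasons = []
        if src.lower().startswith(("javascript:", "data:")):
            reasons.append("script or data URI as frame source")
        else:
            # Relative URLs have no host and are first-party by construction;
            # any absolute URL must resolve to an allowlisted host.
            host = urlparse(src).hostname
            if host and host.lower() not in allowed_hosts:
                reasons.append(f"off-site host {host}")
        if frame_is_hidden(attrs):
            reasons.append("frame hidden from the visitor")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{src}: {', '.join(reasons)}")
```

Running the check over the constructed page flags only the injected frame, for both its off-site host and its hidden styling; the video embed and the relative first-party widget pass. In practice the scan would be run against pages fetched from the live site on a schedule, so that an injection which only appears in served output (not in the deployed source) is still caught.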
According to Lookout’s analysis, the information Darksword targets includes the following:
- Saved passwords
- Photos, including screenshots and hidden image files
- WhatsApp and Telegram databases
- Cryptocurrency wallets (Coinbase, Binance, Ledger, and others)
- Text messages (SMS)
- Address book
- Call history
- Location history
- Browser history
- Cookies
- Wi-Fi history and passwords
- Apple Health data
- Calendar
- Notes
- Installed applications
- Connected accounts
Notably, Darksword wipes its temporary files and exits once the above data has been exfiltrated to the threat actors, indicating that it was not designed for long-term surveillance operations.
Lookout estimates that Darksword is used by a Russian threat actor with financial objectives, while also conducting espionage aligned with Russian intelligence requirements.
iPhone users are advised to upgrade to iOS 26.3.1, the latest version, released earlier this month, and to enable Lockdown Mode if they are at high risk of being targeted by malware.
For those using older devices that don’t qualify for an update to the latest iOS version, Apple may backport fixes as it did with the Coruna exploits, but this hasn’t been confirmed yet.
