A newly discovered exploit kit, named DarkSword, has been targeting Apple iOS devices. This kit, known for its ability to steal sensitive data, has been active since November 2025, utilized by various threat actors. Reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout highlight its deployment by commercial surveillance vendors and state-sponsored entities in countries like Saudi Arabia, Turkey, Malaysia, and Ukraine.
Targeting iOS Vulnerabilities
DarkSword marks the second iOS exploit kit identified within a month, following Coruna. Designed to compromise iPhones running iOS versions between 18.4 and 18.7, it has been attributed to a Russian espionage group, UNC6353, known for attacking Ukrainian targets. This group has previously used Coruna to inject malicious JavaScript into compromised websites, further emphasizing the ongoing risk of exploit proliferation.
The exploit kit employs six vulnerabilities, three of which are zero-days, to achieve full device control. Notable vulnerabilities include CVE-2026-20700 and CVE-2025-43529, with patches released by Apple. The kit targets crypto wallet apps, suggesting financially motivated actors behind its use.
Mechanics of the Attack
DarkSword operates by embedding malicious iframes in websites; these load JavaScript that fingerprints and then exploits visiting iOS devices. This lets the malware bypass Safari’s security measures and inject code into system processes. Once the device is compromised, the payload, named GHOSTBLADE, accesses sensitive data, including emails and contacts, and exfiltrates it to external servers.
iVerify’s analysis reveals that the kit exploits JavaScriptCore JIT vulnerabilities to achieve remote code execution, eventually leading to kernel-level access. This sophisticated attack chain highlights the professional development effort behind DarkSword, indicating a complex and adaptable threat.
Implications and Future Outlook
The discovery of DarkSword raises concerns about the accessibility of powerful iOS exploits to financially motivated actors. The kit’s use by groups like UNC6353 and its links to other threat actors, such as UNC6748 and PARS Defense, underscore a well-funded market for such tools. These actors have been linked to attacks on Saudi Arabian and Turkish targets, exploiting iOS vulnerabilities to deploy backdoors like GHOSTKNIFE and GHOSTSABER.
As long as devices remain unpatched, the risk of widespread exploitation grows. The lack of operational security in the deployment of these tools highlights significant challenges in mitigating such threats. The security community must remain vigilant to address these vulnerabilities and protect users from sophisticated cyber threats.
