A new exploit kit for Apple iOS devices, designed to steal sensitive data from them, has been wielded by multiple threat actors since at least November 2025, according to reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout.
According to GTIG, several commercial surveillance vendors and suspected state-sponsored actors have used the full-chain exploit kit, codenamed DarkSword, in distinct campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine.
The discovery of DarkSword makes it the second iOS exploit kit, after Coruna, to be found within the span of a month. The kit is designed to target iPhones running iOS versions between 18.4 and 18.7, and is said to have been deployed by a suspected Russian espionage group tracked as UNC6353 in attacks targeting Ukrainian users.
It is worth noting that UNC6353 has also been linked to the use of Coruna in attacks aimed at Ukrainians by injecting the JavaScript framework into compromised websites.
"DarkSword aims to extract an extensive set of personal information, including credentials from the device, and specifically targets a plethora of crypto wallet apps, hinting at a financially motivated threat actor," Lookout said. "Notably, DarkSword appears to take a 'hit-and-run' approach by collecting and exfiltrating the targeted data from the device within seconds or at most minutes, followed by cleanup."
Exploit chains such as Coruna and DarkSword are engineered to give full access to a victim's device with little to no interaction required on the part of the user. The findings once again show that there is a second-hand market for exploits that allows threat groups with limited resources, and with goals not necessarily aligned with cyber espionage, to acquire "top-of-the-line exploits" and use them to infect mobile devices.
"The use of both DarkSword and Coruna by a variety of actors demonstrates the continued risk of exploit proliferation across actors of varying geography and motivation," GTIG said.
The exploit chain linked to the newly discovered kit uses six different vulnerabilities to deploy three payloads, of which CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174 were exploited as zero-days prior to being patched by Apple:
- CVE-2025-31277 – Memory corruption vulnerability in JavaScriptCore (patched in version 18.6)
- CVE-2026-20700 – User-mode Pointer Authentication Code (PAC) bypass in dyld (patched in version 26.3)
- CVE-2025-43529 – Memory corruption vulnerability in JavaScriptCore (patched in versions 18.7.3 and 26.2)
- CVE-2025-14174 – Memory corruption vulnerability in ANGLE (patched in versions 18.7.3 and 26.2)
- CVE-2025-43510 – Memory management vulnerability in the iOS kernel (patched in versions 18.7.2 and 26.1)
- CVE-2025-43520 – Memory corruption vulnerability in the iOS kernel (patched in versions 18.7.2 and 26.1)
Lookout said it discovered DarkSword after an analysis of malicious infrastructure associated with UNC6353, finding that one of the compromised domains hosted a malicious iframe element responsible for loading JavaScript that fingerprints devices visiting the site and decides whether the target should be routed to the iOS exploit chain. The exact method by which the websites are infected is currently not known.

What made this notable was that the JavaScript was specifically looking for iOS devices running versions between 18.4 and 18.6.2, unlike Coruna, which targeted older iOS versions from 13.0 through 17.2.1.
"DarkSword is a complete exploit chain and infostealer written in JavaScript," Lookout explained. "It leverages multiple vulnerabilities to establish privileged code execution to access sensitive information and exfiltrate it off the device."
As is the case with Coruna, the attack chain begins when a user visits, via Safari, a web page that embeds the iframe containing the JavaScript. Once launched, DarkSword is capable of breaking out of the confines of the WebContent sandbox (aka Safari's renderer process) and leveraging WebGPU to inject into mediaplaybackd, a system daemon introduced by Apple to handle media playback functions.
This, in turn, allows the dataminer malware, referred to as GHOSTBLADE, to gain access to privileged processes and restricted parts of the file system. Following a successful privilege escalation, an orchestrator module is used to load additional components designed to harvest sensitive data, as well as to inject an exfiltration payload into SpringBoard to siphon the staged information to an external server over HTTP(S).
This includes emails, iCloud Drive files, contacts, SMS messages, Safari browsing history and cookies, cryptocurrency wallet and exchange data, usernames, passwords, photos, call history, Wi-Fi configuration and passwords, location history, calendar, cellular and SIM information, the installed app list, data from Apple apps like Notes and Health, and message histories from apps like Telegram and WhatsApp.

iVerify, in its own analysis of DarkSword, said the exploit chain weaponizes JavaScriptCore JIT vulnerabilities in the Safari renderer process (CVE-2025-31277 or CVE-2025-43529, depending on the iOS version) to achieve remote code execution via CVE-2026-20700, and then escapes the sandbox via the GPU process by taking advantage of CVE-2025-14174 and CVE-2025-43510.
"DarkSword uses two separate sandbox escape vulnerabilities, first by pivoting out of the WebContent sandbox into the GPU process, and then by pivoting from the GPU process to mediaplaybackd," GTIG explained. "The same sandbox escape exploits were used regardless of which RCE exploit was needed."
In the final stage, a kernel privilege escalation flaw (CVE-2025-43520) is leveraged to obtain arbitrary read/write and arbitrary function call capabilities within mediaplaybackd, and ultimately execute the injected JavaScript code.
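As an added example (not code from the article, nor from Google, Lookout or iVerify), the patch table above and the stage breakdown just described can be turned into a small fleet-triage script: given an installed iOS build, which of the six DarkSword CVEs are still open, and whether every stage of the chain still has an unpatched bug on that build. The fix versions are the ones listed in the article; the version-comparison rules and the `chain_fully_open` helper are my assumptions.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# CVE -> iOS versions in which Apple shipped the fix, as listed in the article.
DARKSWORD_FIXES: Dict[str, List[str]] = {
    "CVE-2025-31277": ["18.6"],            # JavaScriptCore memory corruption (RCE)
    "CVE-2026-20700": ["26.3"],            # user-mode PAC bypass in dyld
    "CVE-2025-43529": ["18.7.3", "26.2"],  # JavaScriptCore memory corruption (RCE)
    "CVE-2025-14174": ["18.7.3", "26.2"],  # ANGLE memory corruption (sandbox escape)
    "CVE-2025-43510": ["18.7.2", "26.1"],  # kernel memory management (sandbox escape)
    "CVE-2025-43520": ["18.7.2", "26.1"],  # kernel memory corruption (privilege escalation)
}

def parse_version(s: str) -> Version:
    """'18.6' -> (18, 6, 0): pad to three components so tuples compare cleanly."""
    parts = [int(p) for p in s.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

def is_patched(installed: Version, fixes: List[str]) -> bool:
    """Assumption (mine, not Apple's): a fix is present when the installed build is
    at or above the fix listed for its own major line, or when it sits on a later
    major line than every listed fix. A major line older than all listed fixes
    (iOS 17 here) is treated as unpatched, which is the safe default for triage."""
    fixed = [parse_version(f) for f in fixes]
    same_line = [f for f in fixed if f[0] == installed[0]]
    if same_line:
        return installed >= min(same_line)
    return installed[0] > max(f[0] for f in fixed)

def unpatched_cves(ios_version: str) -> List[str]:
    """DarkSword-chain CVEs still open on the given iOS build, in table order."""
    v = parse_version(ios_version)
    return [cve for cve, fixes in DARKSWORD_FIXES.items() if not is_patched(v, fixes)]

def chain_fully_open(ios_version: str) -> bool:
    """True when every stage described above still has an unpatched bug on this build:
    one of the two JavaScriptCore RCE bugs, the PAC bypass, both sandbox-escape bugs
    and the kernel privilege-escalation bug. This is a patch-state statement only;
    the kit as observed targeted iOS 18.4 through 18.7."""
    still_open = set(unpatched_cves(ios_version))
    rce_open = bool({"CVE-2025-31277", "CVE-2025-43529"} & still_open)
    later_stages = {"CVE-2026-20700", "CVE-2025-14174", "CVE-2025-43510", "CVE-2025-43520"}
    return rce_open and later_stages <= still_open

if __name__ == "__main__":
    for build in ("18.4", "18.6.2", "18.7.2", "18.7.3", "26.1", "26.3"):
        state = "chain open" if chain_fully_open(build) else "chain broken"
        print(f"iOS {build}: {state}; still unpatched: {unpatched_cves(build)}")
```

Note that 18.7.2 already breaks the chain (both kernel bugs fixed) even though the JavaScriptCore RCE and PAC bypass remain open until 18.7.3 and 26.3 respectively.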
"This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high-level programming language," Lookout said. "This additional step shows a significant effort put into the development of this malware with thought about maintainability, long-term development, and extensibility."
Further analysis of the JavaScript files used in DarkSword found references to iOS versions 17.4.1 and 17.5.1, indicating that the kit was ported from an earlier version targeting older releases of the operating system.
Another aspect that sets DarkSword apart from other spyware is that it is not meant for persistent surveillance and data gathering. In other words, once the data exfiltration is completed, the malware takes steps to clean up the staged data and exits. The end goal, Lookout noted, is to minimize dwell time and exfiltrate the data it identifies as quickly as possible.
Very little is known about UNC6353, other than its use of both Coruna and DarkSword via watering hole attacks on compromised Ukrainian websites. This suggests that the hacking group is likely well-funded enough to secure high-quality iOS exploit chains that are probably developed for commercial surveillance. It is assessed that UNC6353 is a technically less sophisticated threat actor that operates with motives aligned with Russian intelligence requirements.
"Given that both Coruna and DarkSword have capabilities for cryptocurrency theft and intelligence gathering, we must consider the possibility that UNC6353 is a Russia-backed privateer group or criminal proxy threat actor," Lookout said.
"The complete lack of obfuscation in the DarkSword code, the lack of obfuscation in the HTML for the iframes, and the fact that the DarkSword File Receiver is so simply designed and clearly named lead us to believe that UNC6353 may not have access to strong engineering resources or, alternatively, is not concerned with taking appropriate OPSEC measures."
The use of DarkSword has also been linked to two other threat actors:
- UNC6748, which targeted Saudi Arabian users in November 2025 using a Snapchat-themed website, snapshare[.]chat, that leveraged the exploit chain to deliver GHOSTKNIFE, a JavaScript backdoor capable of information theft.
- Activity associated with Turkish commercial surveillance vendor PARS Defense, which used DarkSword in November 2025 to deliver GHOSTSABER, a JavaScript backdoor that communicates with an external server to facilitate device and account enumeration, file listing, data exfiltration, and the execution of arbitrary JavaScript code.
Google said the observed UNC6353 use of DarkSword in December 2025 only supported iOS versions from 18.4 to 18.6, whereas the activity attributed to UNC6748 and PARS Defense also targeted iOS devices running version 18.7.
"For the second time in a month, threat actors have employed watering hole attacks to target iPhone users," iVerify said. "Notably, neither of these attacks was individually targeted. The combined attacks now potentially affect hundreds of millions of unpatched devices running iOS versions from 13 to 18.6.2."
"In both instances, the tools were discovered as a result of significant operational security (OPSEC) failures and carelessness in the deployment of the iOS offensive capabilities. These recent events prompt several key questions: How big and well-equipped is the market for iOS 0-day and n-day exploits for iOS devices? How accessible are such powerful capabilities to financially motivated actors?"