A new exploit kit for Apple iOS devices, designed to steal sensitive data from them, has been wielded by multiple threat actors since at least November 2025, according to reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout.

According to GTIG, multiple commercial surveillance vendors and suspected state-sponsored actors have utilized the full-chain exploit kit, codenamed DarkSword, in distinct campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine. 

DarkSword is the second iOS exploit kit, after Coruna, to be discovered within the span of a month. The kit targets iPhones running iOS versions 18.4 through 18.7, and is said to have been deployed by a suspected Russian espionage group tracked as UNC6353 in attacks targeting Ukrainian users.

It’s worth noting that UNC6353 has also been linked to the use of the Coruna exploit kit in attacks aimed at Ukrainians, delivered by injecting the JavaScript framework into compromised websites.

“DarkSword aims to extract an extensive set of personal information, including credentials from the device and specifically targets a plethora of crypto wallet apps, hinting at a financially motivated threat actor,” Lookout said. “Notably, DarkSword appears to take a ‘hit-and-run’ approach by collecting and exfiltrating the targeted data from the device within seconds or at most minutes, followed by cleanup.”

Exploit chains such as Coruna and DarkSword are engineered to facilitate complete access to a victim’s device with little to no interaction required on the part of the user. The findings once again show that there is a second-hand market for exploits that allows threat groups with limited resources and goals not necessarily aligned with cyber espionage to acquire “top-of-the-line exploits” and use them to infect mobile devices.

“The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation,” GTIG said.

The exploit chain linked to the newly discovered kit makes use of six different vulnerabilities to deploy three payloads; three of them, CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174, were exploited as zero-days before Apple patched them:

  • CVE-2025-31277 – Memory corruption vulnerability in JavaScriptCore (Patched in version 18.6)
  • CVE-2026-20700 – User-mode Pointer Authentication Code (PAC) bypass in dyld (Patched in version 26.3)
  • CVE-2025-43529 – Memory corruption vulnerability in JavaScriptCore (Patched in versions 18.7.3 and 26.2)
  • CVE-2025-14174 – Memory corruption vulnerability in ANGLE (Patched in versions 18.7.3 and 26.2)
  • CVE-2025-43510 – Memory management vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)
  • CVE-2025-43520 – Memory corruption vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)
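The patch table above is what a fleet administrator actually needs to act on, so here is a small checker, added as an example and not taken from any of the cited reports, that maps a device's iOS version to the CVEs from this chain it still lacks fixes for. The CVE-to-fix-version mapping is copied from the table; the version-comparison rule, the sample inventory and the device identifiers are constructed for the illustration. It also encodes iVerify's description of the chain, in which either JavaScriptCore bug serves as the entry point and the remaining four CVEs are all required.

```python
"""Added example: which DarkSword-chain CVEs remain unpatched on a given iOS
version, using only the fix versions listed in the article's table.

CVE-to-fix mapping: copied from the article. Comparison logic, sample fleet
inventory and device ids: constructed for this illustration.
"""
from typing import Dict, List, Tuple

# CVE -> iOS versions in which the fix shipped, per the article's table.
DARKSWORD_FIXES: Dict[str, List[str]] = {
    "CVE-2025-31277": ["18.6"],
    "CVE-2026-20700": ["26.3"],
    "CVE-2025-43529": ["18.7.3", "26.2"],
    "CVE-2025-14174": ["18.7.3", "26.2"],
    "CVE-2025-43510": ["18.7.2", "26.1"],
    "CVE-2025-43520": ["18.7.2", "26.1"],
}

# Per iVerify, one of these two JavaScriptCore bugs is used for the initial
# RCE depending on the iOS version; the other four CVEs are all needed.
INITIAL_RCE = ("CVE-2025-31277", "CVE-2025-43529")


def parse_version(v: str) -> Tuple[int, ...]:
    """'18.7.3' -> (18, 7, 3); '18.6' -> (18, 6, 0). Always three components."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {v!r}")
    return parts + (0,) * (3 - len(parts))


def is_patched(device: str, fixes: List[str]) -> bool:
    """True if `device` carries one of the listed fixes.

    Apple ships fixes per release branch (18.x and 26.x here), so compare
    against the fix on the device's own branch. A branch newer than every
    listed fix is treated as patched, one older than every listed fix as
    unpatched. This reflects the article's table only (assumption): any
    backport the table does not list has to be checked against Apple's own
    advisories.
    """
    dev = parse_version(device)
    fix_versions = [parse_version(f) for f in fixes]
    same_branch = [f for f in fix_versions if f[0] == dev[0]]
    if same_branch:
        return dev >= min(same_branch)
    return dev[0] > max(f[0] for f in fix_versions)


def unpatched_cves(device: str,
                   fixes: Dict[str, List[str]] = DARKSWORD_FIXES) -> List[str]:
    """CVEs from the chain for which `device` has no listed fix."""
    return [cve for cve, fv in fixes.items() if not is_patched(device, fv)]


def exposed_to_full_chain(device: str) -> bool:
    """True if every stage of the chain is still open on `device`: at least
    one of the two JavaScriptCore entry points plus all four later-stage CVEs."""
    missing = set(unpatched_cves(device))
    initial_open = any(cve in missing for cve in INITIAL_RCE)
    later_stages = set(DARKSWORD_FIXES) - set(INITIAL_RCE)
    return initial_open and later_stages <= missing


def fleet_report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """device id -> unpatched CVEs, omitting devices with nothing missing."""
    report: Dict[str, List[str]] = {}
    for device_id, version in inventory.items():
        missing = unpatched_cves(version)
        if missing:
            report[device_id] = missing
    return report


# Constructed sample inventory (device id -> iOS version); not real data.
SAMPLE_INVENTORY = {
    "iphone-001": "18.5",
    "iphone-002": "18.7.2",
    "iphone-003": "18.7.3",
    "iphone-004": "26.3",
}

if __name__ == "__main__":
    for dev, cves in fleet_report(SAMPLE_INVENTORY).items():
        flag = " (full chain open)" if exposed_to_full_chain(SAMPLE_INVENTORY[dev]) else ""
        print(f"{dev} iOS {SAMPLE_INVENTORY[dev]}: missing {', '.join(cves)}{flag}")
```

Feeding an MDM export into `fleet_report` gives a per-device list rather than a single "vulnerable or not" bit, which matters here because a device on 18.7.2 has the two kernel fixes but still lacks the JavaScriptCore, ANGLE and dyld ones.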

Lookout said it discovered DarkSword after analyzing malicious infrastructure associated with UNC6353, identifying that one of the compromised domains hosted a malicious iFrame element responsible for loading JavaScript that fingerprints devices visiting the site and determines whether the visitor should be routed to the iOS exploit chain. The exact method by which the websites are infected is currently not known.

What made this notable was that the JavaScript was specifically looking for iOS devices running versions between 18.4 and 18.6.2, unlike Coruna, which targeted older iOS versions from 13.0 through 17.2.1.
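For the owner of a site that may have been turned into a watering hole, the injected iFrame described above is the artifact worth looking for. The following audit script is an added example, not code from Lookout or any of the cited reports: it parses a page's HTML and flags iframes that are hidden or zero-sized, or that pull content from a host outside an allowlist the site owner supplies. The sample page, the hostnames and the detection heuristics are all constructed for this illustration.

```python
"""Added example: audit a site's HTML for injected iframes of the kind the
article describes (hidden frames loading a fingerprinting script from a host
the site owner does not control). Sample HTML, hostnames and heuristics are
constructed for this illustration."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Inline-style fragments that make a frame invisible (spaces stripped, lowercase).
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "opacity:0")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Boolean attributes such as `hidden` arrive with value None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """True if the frame is hidden via the `hidden` attribute, CSS, or a 0/1px size."""
    if "hidden" in attrs:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        return True

    def tiny(value: str) -> bool:
        return value.strip().lower().rstrip("px") in ("0", "1")

    if tiny(attrs.get("width", "")) or tiny(attrs.get("height", "")):
        return True
    return "width:0" in style or "height:0" in style


def audit_iframes(html: str, allowed_hosts: List[str]) -> List[Dict[str, str]]:
    """Return iframes that are hidden or that load from a host not in allowed_hosts.

    A relative `src` (no host) is treated as same-origin and only checked for
    hiding; cross-origin frames are flagged unless their host is allowlisted.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings: List[Dict[str, str]] = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append(f"loads from unexpected host {host}")
        if _is_hidden(attrs):
            reasons.append("frame is hidden or zero-sized")
        if reasons:
            findings.append({"src": src, "reasons": "; ".join(reasons)})
    return findings


# Constructed sample page: one legitimate video embed and one injected,
# hidden frame pulling a loader from a placeholder attacker-controlled host.
SAMPLE_PAGE = """<html><body>
<h1>News site</h1>
<iframe src="https://videos.example-news.test/player?id=42" width="640" height="360"></iframe>
<!-- constructed injected frame -->
<iframe src="https://fingerprint.attacker-controlled.example/loader.html"
        style="display: none; width:0; height:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_PAGE, ["videos.example-news.test"]):
        print(f"SUSPICIOUS iframe src={finding['src']}: {finding['reasons']}")
```

Run this over the HTML as served to a visitor (fetch it, do not rely on the CMS's stored copy), since an injection may live in a template, a plugin or a compromised server-side include rather than in the article body. The allowlist is the only site-specific input; an empty list flags every cross-origin frame, which is a reasonable first pass on a site that should not embed third-party content.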

“DarkSword is a complete exploit chain and infostealer written in JavaScript,” Lookout explained. “It leverages multiple vulnerabilities to establish privileged code execution to access sensitive information and exfiltrate it off the device.”

As is the case with Coruna, the attack chain begins when a user visits, in Safari, a web page that embeds the iFrame containing the JavaScript. Once launched, DarkSword is capable of breaking out of the WebContent sandbox (i.e., Safari’s renderer process) and leveraging WebGPU to inject into mediaplaybackd, a system daemon introduced by Apple to handle media playback functions.

This, in turn, enables the dataminer malware – referred to as GHOSTBLADE – to gain access to privileged processes and restricted parts of the file system. Following a successful privilege escalation, an orchestrator module is used to load additional components that are designed to harvest sensitive data, as well as inject an exfiltration payload into SpringBoard to siphon the staged information to an external server over HTTP(S).

This includes emails, iCloud Drive files, contacts, SMS messages, Safari browsing history and cookies, cryptocurrency wallet and exchange data, usernames, passwords, photos, call history, Wi-Fi configuration and passwords, location history, calendar, cellular and SIM information, installed app list, data from Apple apps like Notes and Health, and message histories from apps like Telegram and WhatsApp.

iVerify, in its own analysis of DarkSword, said the exploit chain weaponizes JavaScriptCore JIT vulnerabilities in the Safari renderer process (CVE-2025-31277 or CVE-2025-43529) based on the iOS version to achieve remote code execution via CVE-2026-20700, and then escape the sandbox via the GPU process by taking advantage of CVE-2025-14174 and CVE-2025-43510.

In the final stage, a kernel privilege escalation flaw (CVE-2025-43520) is leveraged to obtain arbitrary read/write and arbitrary function call capabilities inside mediaplaybackd, and ultimately execute the injected JavaScript code.

“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high-level programming language,” Lookout said. “This extra step shows a significant effort put into the development of this malware with thoughts about maintainability, long-term development, and extensibility.”

Further analysis of the JavaScript files used in DarkSword found references to iOS versions 17.4.1 and 17.5.1, indicating that the kit was ported from a previous version targeting older releases of the operating system.

Another aspect that sets DarkSword apart from other spyware is that it’s not meant for persistent surveillance and data gathering. In other words, once the data exfiltration is completed, the malware takes steps to clean the staged files and exits. The end goal, Lookout noted, is to minimize the dwell time and exfiltrate the data it identifies as quickly as possible.

Very little is known about UNC6353 beyond its use of both Coruna and DarkSword in watering hole attacks on compromised Ukrainian websites. This indicates that the hacking group is likely well-funded enough to acquire high-quality iOS exploit chains that were likely developed for commercial surveillance. UNC6353 is assessed to be a technically less sophisticated threat actor that operates with motives aligned with Russian intelligence requirements.

“Given that both Coruna and DarkSword have capabilities for cryptocurrency theft and intelligence gathering, we must consider the possibility that UNC6353 is a Russia-backed privateer group or criminal proxy threat actor,” Lookout said.

“The complete lack of obfuscation in DarkSword code, the lack of obfuscation in the HTML for the iframes, and the fact that the DarkSword File Receiver is so simply designed and obviously named lead us to believe that UNC6353 may not have access to strong engineering resources or, alternatively, is not concerned with taking appropriate OPSEC measures.”

The use of DarkSword has also been linked to two other threat actors –

  • UNC6748, which targeted Saudi Arabian users in November 2025 using a Snapchat-themed website, snapshare[.]chat, that leveraged the exploit chain to deliver GHOSTKNIFE, a JavaScript backdoor capable of information theft.
  • Activity associated with Turkish commercial surveillance vendor PARS Defense that used DarkSword in November 2025 to deliver GHOSTSABER, a JavaScript backdoor that communicates with an external server to facilitate device and account enumeration, file listing, data exfiltration, and the execution of arbitrary JavaScript code.

Google said the observed UNC6353 use of DarkSword in December 2025 only supported iOS versions from 18.4 to 18.6, while that attributed to UNC6748 and PARS Defense also targeted iOS devices running version 18.7.

“For the second time in a month, threat actors have employed waterhole attacks to target iPhone users,” iVerify said. “Notably, neither of these attacks was individually targeted. The combined attacks now likely affect hundreds of millions of unpatched devices running iOS versions from 13 to 18.6.2.”

“In both instances, the tools were discovered due to significant operational security (OPSEC) failures and carelessness in the deployment of the iOS offensive capabilities. These recent events prompt several key questions: How big and well-equipped is the market for iOS 0-day and n-day exploits for iOS devices? How accessible are such powerful capabilities to financially motivated actors?”
