top of page
Search

Powerful iOS Exploit Tool DarkSword Emerges in Global Attacks

  • Mar 20
  • 2 min read

Key Findings


  • DarkSword is a sophisticated iOS exploit kit targeting devices running iOS 18.4-18.7

  • Developed by UNC6353, likely a Russia-linked group

  • Exploits six vulnerabilities, including three zero-days

  • Enables full device compromise with minimal user interaction

  • Targets sensitive data, including credentials and crypto wallet information

  • Operates in a "hit-and-run" approach, exfiltrating data quickly and then cleaning traces


Background


DarkSword emerged in late 2025 as a powerful iOS exploit toolkit discovered by Lookout Threat Labs. The exploit kit represents a significant advancement in mobile device targeting, allowing threat actors to gain comprehensive access to iOS devices with unprecedented ease. Unlike previous surveillance tools, DarkSword focuses on rapid data extraction rather than prolonged monitoring.


Technical Breakdown


The exploit chain leverages six critical vulnerabilities, with three being zero-day exploits:


  • CVE-2025-31277: JavaScriptCore memory corruption

  • CVE-2026-20700: dyld PAC bypass

  • CVE-2025-43529: JavaScriptCore memory corruption

  • CVE-2025-14174: ANGLE memory corruption

  • CVE-2025-43510: iOS kernel memory issue

  • CVE-2025-43520: iOS kernel memory corruption


Targeting and Infrastructure


The toolkit has been primarily observed in campaigns targeting:


  • Saudi Arabia

  • Turkey

  • Malaysia

  • Ukraine


Infrastructure analysis suggests the group behind DarkSword, UNC6353, has:


  • Limited but deep access to compromised websites

  • Likely third-party or brokered exploit acquisition

  • Potential ties to Russian cyber ecosystems


Operational Characteristics


DarkSword distinguishes itself through:


  • Extremely short device interaction time (minutes)

  • Comprehensive data extraction

  • Automatic file deletion after exfiltration

  • Targeting of multiple data types including credentials and crypto wallets


Threat Assessment


The emergence of DarkSword highlights a concerning trend in cyber threats:


  • Advanced exploit chains are becoming commercially available

  • Less sophisticated actors can now launch powerful attacks

  • Near zero-click infection methods bypass traditional security awareness

  • Increased risk to both personal and corporate mobile devices


Mitigation Recommendations


  • Update iOS to the latest version

  • Enable Lockdown Mode on supported devices

  • Implement advanced mobile device security protocols

  • Maintain heightened awareness of watering hole attacks


Sources


  • https://securityaffairs.com/189662/hacking/darksword-emerges-as-powerful-ios-exploit-tool-in-global-attacks.html

  • https://thehackernews.com/2026/03/apple-warns-older-iphones-vulnerable-to.html

Recent Posts

See All

Comments

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page