Unlocking Vulnerabilities: How the DarkSword iOS Exploit Kit Leverages 6 Flaws and 3 Zero-Days for Complete Device Control

Admin


A new exploit kit targeting iOS devices, known as **DarkSword**, has been discovered and is already in use by various threat actors. Reports from sources like the Google Threat Intelligence Group and iVerify indicate that this kit has been in circulation since November 2025.

DarkSword has been used in campaigns against countries like Saudi Arabia, Turkey, Malaysia, and Ukraine. According to findings, it is likely linked to a suspected Russian espionage group named **UNC6353**, which has previously used similar tools to target Ukrainians.

This new exploit kit is not the only one recently discovered; it follows another kit called Coruna. Both kits are designed to breach iPhones running specific iOS versions (between 18.4 and 18.7 in DarkSword’s case). They aim to extract sensitive information, particularly data relating to cryptocurrency wallets, which makes them a financial threat as well.
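For defenders, the version range above is the first thing to check against a device inventory. The following is an added example, not code from the article or from the cited researchers: it buckets a constructed MDM export (hypothetical column names and device IDs) by whether each iPhone falls in the 18.4 to 18.7 range. Treating every 18.7.x patch release as in range is an assumption, since the article does not say where the fixes land.

```python
import csv
import io

# Range the article gives for DarkSword targeting (inclusive, major.minor).
TARGET_MIN = (18, 4)
TARGET_MAX = (18, 7)

# Constructed sample of an MDM inventory export (hypothetical columns and IDs).
SAMPLE_INVENTORY = """device_id,owner,os_version
ipn-001,alice,18.3.2
ipn-002,bob,18.4
ipn-003,carol,18.6.1
ipn-004,dave,18.7.2
ipn-005,erin,18.10
ipn-006,frank,26.0
ipn-007,grace,unknown
"""

def parse_version(text):
    """Return (major, minor) as ints, or None if the field is not a version."""
    parts = text.strip().split(".")
    if len(parts) < 2 and parts[0].isdecimal():
        parts.append("0")  # a bare "18" is read as 18.0
    if len(parts) < 2 or not all(p.isdecimal() for p in parts[:2]):
        return None
    # Integer tuples compare numerically, so 18.10 sorts after 18.7;
    # a plain string comparison would wrongly place "18.10" before "18.4".
    return int(parts[0]), int(parts[1])

def triage(inventory_csv):
    """Split device IDs into in_range, out_of_range and unknown buckets."""
    result = {"in_range": [], "out_of_range": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["os_version"])
        if version is None:
            bucket = "unknown"  # missing data is not evidence of safety
        elif TARGET_MIN <= version <= TARGET_MAX:
            bucket = "in_range"
        else:
            # Outside the range the article names; says nothing about other kits.
            bucket = "out_of_range"
        result[bucket].append(row["device_id"])
    return result

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Devices in the `unknown` bucket need a manual check rather than being counted as unaffected.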

Experts note that exploit kits like DarkSword are engineered for seamless access. Users essentially have no idea that they are being targeted. This accessibility raises concerns about a burgeoning market for these powerful exploits, which can fall into the hands of less sophisticated actors as well.

DarkSword employs multiple vulnerabilities, including zero-day exploits (which are attacks using previously unknown vulnerabilities) that had not been patched by Apple at the time of discovery. Here are a few of the key vulnerabilities exploited:

  • CVE-2025-31277 – A memory corruption issue in JavaScriptCore.
  • CVE-2026-20700 – A user-mode Pointer Authentication Code (PAC) bypass in dyld.
  • CVE-2025-43529 – Another memory corruption vulnerability in JavaScriptCore.
  • CVE-2025-14174 – Related to the ANGLE library.
  • CVE-2025-43510 – Vulnerability in the iOS kernel.
  • CVE-2025-43520 – Another vulnerability in the iOS kernel.

The technique involves directing users to a compromised website, where an iframe runs malicious JavaScript targeting specific iOS versions. The kit then scans for and collects data such as emails, messages, and contacts, as well as information from apps such as WhatsApp and Telegram.

Interestingly, unlike many other spyware tools, DarkSword is designed for quick operations. After exfiltrating data, it cleans up staged files swiftly to minimize detection. This technique aims to reduce its “dwell time” on the infected device.

There is still limited information about the group UNC6353. However, its actions point to well-funded sources that enable it to access high-end exploit chains. This suggests a troubling pattern where financially motivated actors can obtain powerful tools, making it easier to compromise unpatched devices.

Moreover, the impact is far-reaching. Recent reports suggest that if these exploit kits continue to proliferate, they could affect hundreds of millions of unpatched devices. The ease with which these threats operate raises critical questions about the accessibility and funding of such advanced cyber capabilities.

In short, as exploit kits like DarkSword spread, the common user faces an increasing risk. For more detailed insight into cybersecurity threats, visit CISA’s official site.


