A sophisticated, full-chain exploit kit targeting Apple iOS devices, codenamed "DarkSword," has been actively deployed by multiple threat actors since at least November 2025. This discovery, reported by Google's Threat Intelligence Group (GTIG), iVerify, and Lookout, represents a significant escalation in the mobile threat landscape. DarkSword is engineered to achieve complete device takeover on iPhones running iOS versions 18.4 through 18.7. Its architecture chains six distinct vulnerabilities, three of which were previously unknown zero-day flaws, enabling attackers to bypass Apple's security protections without any user interaction. The kit has been used in distinct campaigns by various entities, including commercial surveillance vendors and suspected state-sponsored actors, with reported targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.
Notably, a suspected Russian espionage group tracked as UNC6353 has been identified deploying DarkSword against Ukrainian users. This group has also been previously linked to the "Coruna" exploit kit, another full-chain iOS weapon discovered just a month prior, which was delivered via compromised websites. The rapid emergence of two such powerful kits, Coruna and now DarkSword, within a short timeframe highlights a dangerous trend in the proliferation of advanced mobile exploits. These kits are entering a burgeoning second-hand market, enabling a wider range of threat actors, including those with financial motives and limited technical resources, to acquire and deploy what were once considered "top-of-the-line" cyber-espionage tools.
The primary objective of the DarkSword kit is the comprehensive theft of sensitive personal data. According to Lookout researchers, it is designed to extract an extensive set of information, including device credentials, and specifically targets a wide array of cryptocurrency wallet applications. This targeting strongly suggests the involvement of financially motivated actors alongside espionage-focused groups. DarkSword operates with a "hit-and-run" methodology, executing its data collection and exfiltration processes within seconds or minutes of infection before performing a cleanup to remove traces of its activity, thereby complicating forensic analysis and detection.
The operational use of both Coruna and DarkSword by a diverse set of actors underscores a critical and ongoing cybersecurity risk: the proliferation of potent exploit chains across threat groups with varying geographies and motivations. This commoditization of advanced attack frameworks lowers the barrier to entry for sophisticated digital intrusions, making high-level threats more common. For defenders and users, this reality reinforces the imperative of consistent, timely software updates to patch vulnerabilities, the use of reputable mobile security solutions capable of detecting behavioral anomalies, and heightened vigilance regarding the links visited and files downloaded on mobile devices, which remain prime targets for advanced persistent threats.