DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days to Take Over a Device

A new exploit kit for Apple iOS devices, designed to steal sensitive data, has been used by multiple threat actors since at least November 2025, according to reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout.
According to GTIG, the full exploit kit, code-named DarkSword, has been used by several commercial surveillance vendors and suspected government-backed actors in separate campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine.
DarkSword is the second iOS exploit kit, after Coruna, to be disclosed this month. The kit targets iPhones running iOS versions from 18.4 through 18.7, and is said to have been used by a suspected Russian espionage group tracked as UNC6353 in attacks against users in Ukraine.
It is worth noting that UNC6353 has also been linked to the use of Coruna in attacks targeting Ukrainians by injecting JavaScript into compromised websites.
“DarkSword aims to extract a broad set of personal information, including data from the device, and specifically targets a number of crypto wallet applications, pointing to a financially motivated actor,” Lookout said. “Notably, DarkSword appears to take a ‘hit and run’ approach by collecting and extracting targeted data from a device over several seconds or minutes, followed by cleanup.”
Exploit chains like Coruna and DarkSword are designed to give complete access to a victim's device with little or no interaction required from the user. The findings also point to a secondary market for exploits that lets threat groups with limited resources, and goals unrelated to cyber espionage, acquire high-end capabilities and use them to infect mobile phones.
“The use of both DarkSword and Coruna by various actors demonstrates the continued proliferation of such capabilities to actors of various geographies and motivations,” GTIG said.
The exploit chain bundled with the newly discovered kit uses six different vulnerabilities, three of which (CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174) were exploited as zero-days, that is, before Apple had released fixes for them:
- CVE-2025-31277 – Memory corruption vulnerability in JavaScriptCore (Fixed in version 18.6)
- CVE-2026-20700 – User-mode Pointer Authentication Code (PAC) bypass via dyld (Fixed in version 26.3)
- CVE-2025-43529 – Memory corruption vulnerability in JavaScriptCore (Fixed in versions 18.7.3 and 26.2)
- CVE-2025-14174 – Memory corruption vulnerability in ANGLE (Fixed in versions 18.7.3 and 26.2)
- CVE-2025-43510 – Memory management vulnerability in the iOS kernel (Fixed in versions 18.7.2 and 26.1)
- CVE-2025-43520 – Memory corruption vulnerability in the iOS kernel (Fixed in versions 18.7.2 and 26.1)
Lookout said it discovered DarkSword while analyzing the malicious infrastructure associated with UNC6353, identifying that one of the compromised domains hosted a malicious iframe element that loaded JavaScript to fingerprint visiting devices and determine whether the visitor should be served the iOS exploit chain. How the websites were compromised is currently unknown.

What makes this noteworthy is that the JavaScript specifically targeted iOS devices running versions between 18.4 and 18.6.2, unlike Coruna, which targeted older iOS versions from 13.0 to 17.2.1.
“DarkSword is a complete suite of exploits and an infostealer written in JavaScript,” Lookout explains. “It uses multiple vulnerabilities to run custom code that accesses sensitive information and extracts it from the device.”
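The version gating described above is the first decision a watering-hole script makes: which (if any) exploit chain fits the visitor. The following is an added illustration, not DarkSword's or Coruna's own code, of the simplest form of that check: parsing the iOS version that mobile Safari exposes in its User-Agent string and testing it against the version windows the reports attribute to each kit. The `TARGET_RANGES` table, the function names, and the sample User-Agent strings are constructed for this example; real kits may fingerprint with additional checks the page does not describe, and a User-Agent string can of course be spoofed by the client.

```javascript
// Added illustration (not DarkSword's own code): gating a payload on the
// visitor's iOS version, parsed from Safari's User-Agent string.
// Version windows are the ones the reports attribute to each kit
// (Coruna: iOS 13.0 - 17.2.1, DarkSword: iOS 18.4 - 18.6.2).
const TARGET_RANGES = {
  coruna:    { min: [13, 0, 0], max: [17, 2, 1] },
  darksword: { min: [18, 4, 0], max: [18, 6, 2] },
};

// Mobile Safari reports e.g. "CPU iPhone OS 18_6_2 like Mac OS X" (iPhone)
// or "CPU OS 18_6 like Mac OS X" (iPad). Returns [major, minor, patch]
// or null when the UA is not an iOS Safari UA.
function parseIosVersion(userAgent) {
  const m = /(?:iPhone|CPU) OS (\d+)_(\d+)(?:_(\d+))?/.exec(userAgent);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic comparison of [major, minor, patch] triples:
// negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function inRange(version, range) {
  return compareVersions(version, range.min) >= 0 &&
         compareVersions(version, range.max) <= 0;
}

// Decide which chain (if any) the visiting device falls into. A gate like
// this is why patched devices and non-iOS visitors see nothing unusual,
// which also makes the injected script hard to notice during a casual visit.
function selectChain(userAgent) {
  const version = parseIosVersion(userAgent);
  if (version === null) return { version: null, chain: null };
  for (const [name, range] of Object.entries(TARGET_RANGES)) {
    if (inRange(version, range)) return { version, chain: name };
  }
  return { version, chain: null };
}

// Constructed sample User-Agent strings (not captured traffic).
const SAMPLE_UAS = [
  "Mozilla/5.0 (iPhone; CPU iPhone OS 18_6_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.7 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPad; CPU OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
];

// Summarise how many sample visitors each chain would be served.
function classifyVisitors(userAgents) {
  const counts = { coruna: 0, darksword: 0, none: 0 };
  for (const ua of userAgents) {
    const { chain } = selectChain(ua);
    counts[chain === null ? "none" : chain] += 1;
  }
  return counts;
}

for (const ua of SAMPLE_UAS) {
  const { version, chain } = selectChain(ua);
  console.log(version ? version.join(".") : "not iOS", "->", chain ?? "no chain");
}
console.log(classifyVisitors(SAMPLE_UAS));
```

From the defender's side the same gate is a useful detection heuristic: a script on a compromised site that reads `navigator.userAgent`, parses an `OS x_y_z` triple, and only then loads a further resource is worth a closer look, regardless of what the follow-on resource contains.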
As with Coruna, the attack chain starts when the user visits, in Safari, a web page that embeds an iframe containing JavaScript. Once launched, DarkSword breaks out of the WebContent sandbox (Safari's renderer process) and pivots through the WebGPU implementation into mediaplaybackd, a system daemon Apple introduced to handle media playback tasks.
This, in turn, enables the data-mining malware, called GHOSTBLADE, to access privileged processes and restricted parts of the file system. After privilege escalation succeeds, an orchestrator module loads additional components that harvest sensitive data and injects an exfiltration capability into SpringBoard to deliver the staged information to an external server via HTTP(S).
This includes emails, iCloud Drive files, contacts, SMS messages, Safari browsing history and cookies, cryptocurrency wallet and exchange data, usernames, passwords, photos, call history, Wi-Fi configuration and passwords, location history, calendar entries, cellular and SIM information, the list of installed apps, data from Apple apps such as Notes and Health, and message histories from apps such as Telegram and WhatsApp.

iVerify, in its analysis of DarkSword, said that the exploit chain leverages a JavaScriptCore JIT vulnerability in the Safari renderer process (CVE-2025-31277 or CVE-2025-43529, depending on the iOS version) to achieve remote code execution, CVE-2026-20700 to bypass Pointer Authentication, and a GPU process escape using CVE-2025-14174 and CVE-2025-43510.
In the final phase, a kernel privilege escalation flaw (CVE-2025-43520) is exploited to gain kernel read/write and arbitrary-call primitives from within mediaplaybackd, and finally to inject the JavaScript-based payload.
“This malware is very sophisticated and appears to be a professionally designed platform that allows rapid development of modules with access to a high-level programming language,” Lookout said. “This extra step shows the significant effort that went into the design of this malware, with thought given to maintainability, long-term development, and scalability.”
Further analysis found that the JavaScript files used in DarkSword contain references to iOS versions 17.4.1 and 17.5.1, indicating that the kit was ported from an earlier version that targeted older releases of the operating system.
Another feature that sets DarkSword apart from other spyware is that it is not intended for continuous surveillance and data collection. In other words, once exfiltration is complete, the malware cleans up its staging files and exits. The ultimate goal, Lookout noted, is to minimize dwell time and exfiltrate the data it is after as quickly as possible.
Very little is known about UNC6353 beyond its use of both Coruna and DarkSword in watering hole attacks on compromised Ukrainian websites. This suggests the group is well-funded enough to procure high-quality iOS exploit chains, possibly sourced from commercial surveillance vendors. UNC6353 is assessed to be a threat actor operating with motives aligned with Russian intelligence requirements.
“Since Coruna and DarkSword have the ability to steal cryptocurrency and collect intelligence, we must consider the possibility that UNC6353 is either a Russian state-backed group or a criminal threat actor,” Lookout said.
“The complete lack of obfuscation in the DarkSword code, the lack of obfuscation in the HTML of the iframes, and the fact that the DarkSword File Receiver is designed very simply and is clearly named lead us to believe that UNC6353 may not have access to robust engineering resources or, alternatively, does not care to take appropriate OPSEC measures.”
The use of DarkSword has also been linked to two other threat clusters:
- UNC6748, which targeted users in Saudi Arabia in November 2025 using a Snapchat-themed website, snapshare[.]chat, that ran the exploit chain to deliver GHOSTKNIFE, a JavaScript-based payload capable of stealing information.
- Activity associated with the Turkish vendor PARS Defense, which used DarkSword in November 2025 to deliver GHOSTSABER, a JavaScript backdoor that communicates with an external server for device and account targeting, file listing, data exfiltration, and execution of arbitrary JavaScript code.
Google said that the DarkSword build used by UNC6353 in December 2025 supports only iOS versions 18.4 to 18.6, while the one used by UNC6748 and PARS Defense also targets iOS devices running version 18.7.
“For the second time in a month, malicious actors have used a watering hole attack to target iPhone users,” iVerify said. “Notably, none of these attacks were individually targeted. The combined attacks are now likely to affect hundreds of millions of unpatched devices running iOS versions from 13 to 18.6.2.”
“In both cases, the tools were discovered due to significant operational security (OPSEC) failures and carelessness in the use of iOS attack capabilities. These recent events raise several important questions: How big and well-equipped is the iOS 0-day and n-day market? How accessible are such powerful capabilities to financially motivated actors?”