    DarkSword: Researchers uncover another iOS exploit kit

    By admin, March 20, 2026

    A powerful iPhone hacking toolkit dubbed “DarkSword” has been used since November 2025 to compromise devices by exploiting zero-day iOS vulnerabilities, Google researchers have shared.

    iOS vulnerabilities exploited by DarkSword

    Two weeks ago, Google Threat Intelligence Group (GTIG) and iVerify disclosed the existence of Coruna, a spy-grade iOS exploit kit that has been used in a commercial surveillance operation, by state-linked threat actors engaged in cyber espionage, and by cybercriminals.

    While Coruna contains five full iOS exploit chains and a total of 23 exploits for vulnerabilities (with and without a CVE identifier), DarkSword chains six vulnerabilities to allow attackers to achieve remote code execution on vulnerable iPhones and deploy malicious payloads.

    Three of these are flaws in WebKit, the browser engine used by Apple’s Safari browser and all web browsers on iOS and iPadOS. Two are in the iOS (and macOS) kernel and one in the Dynamic Link Editor component of Apple’s operating systems.

    Apple fixed:

    • CVE-2025-31277 (WebKit) in iOS 18.6, in July 2025
    • CVE-2025-43510 and CVE-2025-43520 (kernel) in iOS 26.1 and 18.7.2, in November 2025
    • CVE-2025-43529 and CVE-2025-14174 (WebKit) in iOS 26.2 and 18.7.3, in December 2025 (after reports of targeted in-the-wild exploitation)
    • CVE-2026-20700 (dyld) in iOS 26.3, in February 2026, also after confirmed zero-day exploitation.

    DarkSword discovery

    According to Google researchers, DarkSword has been leveraged in a variety of attack campaigns tied to several threat actors, including suspected Russian state-sponsored attackers UNC6353, who also leveraged the Coruna exploit kit, and customers of PARS Defense, a Turkish commercial surveillance vendor.

    Timeline of observed DarkSword use and Apple’s patching of the flaws (Source: Google Threat Intelligence Group)

    After uncovering Coruna, researchers from mobile security company Lookout identified another suspicious domain (cdncounter[.]net) closely linked to previously known malicious infrastructure tied to UNC6748.

    The domain shared technical characteristics with earlier infrastructure and was connected to compromised Ukrainian websites where hidden iframes were used to deliver malicious code.

    Further analysis showed this activity was not Coruna but a new operation: the injected code fingerprinted visiting devices and selectively targeted certain iOS versions with a separate exploit chain, DarkSword (named after internal references found in the malware).

    “DarkSword is a complete exploit chain and infostealer written in JavaScript. It leverages multiple vulnerabilities to establish privileged code execution to access sensitive information and exfiltrate it off the device. The kill chain begins with Safari encountering the malicious iframe embedded in a web page. Once loaded, Darksword breaks out of the WebContent sandbox and then leverages WebGPU to inject into mediaplaybackd. From there it can craft Kernel read/write access, which it leverages to gain access to privileged processes and modify sandbox restrictions, gaining access to restricted parts of the filesystem,” Lookout researchers explained.

    After gaining deeper access to the device, the malware runs a main script that coordinates several smaller malicious components, which collect sensitive data like passwords, encryption keys, and files, and store them temporarily on the device, then send them to a remote server controlled by the attackers.

    DarkSword use

    In November 2025, Google researchers spotted DarkSword being used by UNC6748 to target Saudi Arabian users via a Snapchat-themed website. In November 2025 and January 2026, they uncovered evidence of DarkSword being used in two campaigns associated with different PARS Defense customers and targeting users in Turkey and Malaysia.

    UNC6353, who were previously observed using Coruna, also targeted Ukrainian users again with DarkSword and a backdoor (GHOSTBLADE) that collected a wide variety of information about the device, installed apps, accounts, location history, photos, calendar entries, notes, cryptocurrency wallet and account data, Safari history, and more.

    iVerify researchers also analyzed that last campaign.

    Lookout researchers say UNC6353 appears to have access to advanced iOS exploit chains, likely originating from top-tier commercial surveillance vendors. Some of these exploits were used as zero-days, suggesting the group is well funded and may be linked to exploit brokers such as Matrix LLC / Operation Zero.

    They also note that both Coruna and DarkSword can steal cryptocurrency alongside sensitive personal data, meaning they can be used for both espionage and financial theft. It remains unclear whether crypto theft was a primary objective, leaving open the possibility that the group is financially motivated or that this state-aligned actor has expanded into targeting mobile users for profit.

    What to do?

    The fear now is that other cybercriminals might get their hands on the two toolkits and leverage them to target a larger pool of iOS users.

    “The combined attacks now likely affect hundreds of millions of unpatched devices running iOS versions from 13 to 18.6.2,” iVerify researchers noted.

    “We strongly recommend updating to iOS 18.7.6 or iOS 26.3.1. This will mitigate all vulnerabilities that have been exploited in these attack chains.”

    Google researchers say users who cannot update to either of those versions should consider enabling Lockdown Mode for enhanced security.
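
    The fix versions listed above can be turned into a fleet check that reports which DarkSword CVEs a given iOS version still lacks a fix for. This is an added example, not code from Google, Lookout, iVerify or Apple. Assumptions: the device inventory is constructed, the 18.7.6 floor for CVE-2026-20700 on the iOS 18 branch comes from iVerify's recommendation (the article lists only 26.3 for that fix), and a newer major branch is assumed to inherit fixes shipped on older ones.

```python
# Added example. Fix versions come from the article's "Apple fixed" list:
# CVE -> {iOS major branch: first fixed version on that branch}.
FIXED_IN = {
    "CVE-2025-31277": {18: "18.6"},                  # WebKit
    "CVE-2025-43510": {18: "18.7.2", 26: "26.1"},    # kernel
    "CVE-2025-43520": {18: "18.7.2", 26: "26.1"},    # kernel
    "CVE-2025-43529": {18: "18.7.3", 26: "26.2"},    # WebKit
    "CVE-2025-14174": {18: "18.7.3", 26: "26.2"},    # WebKit
    # Assumption: the article names only 26.3 for the dyld fix, so the
    # iVerify-recommended 18.7.6 is used as the floor on the 18 branch.
    "CVE-2026-20700": {18: "18.7.6", 26: "26.3"},    # dyld
}

def parse(version):
    """'18.7' -> (18, 7, 0) so versions compare as tuples."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def unpatched_cves(version):
    """Return the DarkSword CVEs with no listed fix in this iOS version."""
    v = parse(version)
    missing = []
    for cve, branches in FIXED_IN.items():
        # Assumption: a newer major branch inherits fixes from older ones,
        # so compare against the newest listed branch <= the device's major.
        eligible = [b for b in branches if b <= v[0]]
        if not eligible or v < parse(branches[max(eligible)]):
            missing.append(cve)
    return missing

def triage(inventory):
    """Map device name -> (missing CVEs, recommended action)."""
    report = {}
    for name, version, lockdown in inventory:
        missing = unpatched_cves(version)
        if not missing:
            action = "ok"
        elif lockdown:
            action = "update to 18.7.6 or 26.3.1"
        else:
            action = "update to 18.7.6 or 26.3.1, or enable Lockdown Mode"
        report[name] = (missing, action)
    return report

# Constructed inventory: (device name, iOS version, Lockdown Mode enabled)
INVENTORY = [("exec-phone", "18.6.2", False), ("lab-phone", "26.2", True),
             ("field-phone", "17.5", False), ("new-phone", "26.3.1", False)]

if __name__ == "__main__":
    for name, (missing, action) in triage(INVENTORY).items():
        print(f"{name}: {action}; unpatched: {', '.join(missing) or 'none'}")
```

    For branches older than iOS 18 the article lists no fixed version, so the check reports all six CVEs as unpatched there.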
