Full Report
A new exploit kit for Apple iOS devices designed to steal sensitive data from is being wielded by multiple threat actors since at least November 2025, according to reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout. According to GTIG, multiple commercial surveillance vendors and suspected state-sponsored actors have utilized the full-chain exploit kit, codenamed DarkSword
Analysis Summary
# Tool/Technique: DarkSword
## Overview
DarkSword is a sophisticated "full-chain" iOS exploit kit and infostealer. It is designed to facilitate complete device takeover with minimal to no user interaction (zero-click/one-click capabilities). Discovered in early 2026, it has been utilized by commercial surveillance vendors (CSVs) and state-sponsored actors for cyber espionage and financially motivated data exfiltration. Unlike many mobile exploits that persist for long periods, DarkSword follows a "hit-and-run" philosophy, exfiltrating data within minutes and performing immediate cleanup to avoid detection.
## Technical Details
- **Type:** Exploit Kit | Infostealer
- **Platform:** Apple iOS (Versions 18.4 through 18.7)
- **Capabilities:** Device fingerprinting, privileged code execution, credential theft, cryptocurrency wallet hijacking, and rapid data exfiltration.
- **First Seen:** November 2025
## MITRE ATT&CK Mapping
- **[TA0027 - Reconnaissance]**
- [T1592 - Gather Victim Host Information (Fingerprinting via JS)]
- **[TA0002 - Execution]**
- [T1203 - Exploitation for Client Execution]
- [T1059.007 - Command and Scripting Interpreter: JavaScript]
- **[TA0004 - Privilege Escalation]**
- [T1068 - Exploitation for Privilege Escalation (Kernel Exploits)]
- **[TA0006 - Credential Access]**
- [T1641 - Exploitation for Credential Access]
- **[TA0010 - Exfiltration]**
- [T1041 - Exfiltration Over C2 Channel]
- **[TA0005 - Defense Evasion]**
- [T1070 - Indicator Removal (Hit-and-run cleanup)]
## Functionality
### Core Capabilities
- **Browser-Based Trigger:** Deployed via malicious iFrames on compromised websites that execute JavaScript to fingerprint the target.
- **Data Theft:** Automatically extracts system credentials and personal sensitive information.
- **Crypto Targeting:** Specifically scans for and loots numerous cryptocurrency wallet applications.
- **Full Chain Exploitation:** Combines 6 distinct vulnerabilities to move from a sandbox escape to kernel-level privileges.
### Advanced Features
- **Zero-Day Integration:** Utilized three previously unknown vulnerabilities (CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174) at the time of initial deployment.
- **PAC Bypass:** Features a sophisticated bypass for User-mode Pointer Authentication Code (PAC), a core iOS security feature.
- **Non-Persistent/Ephemeral Operations:** Designed to exfiltrate targeted data within seconds or minutes and then "self-clean" to leave no forensic footprint.
## Indicators of Compromise
- **File Hashes:** Specific hashes not provided in the report; the malware is primarily resident in memory/JavaScript.
- **Network Indicators:**
- `[compromised_domains_hosing_iframes].com` (Defanged)
- `[C2_infrastructure_linked_to_UNC6353].net` (Defanged)
- **Behavioral Indicators:**
- Unexpected outbound connections to unknown IPs immediately following website visits via Safari/Webkit.
- Identification of the malicious iFrame element responsible for device fingerprinting.
## Associated Threat Actors
- **UNC6353:** A suspected Russian espionage group.
- **Commercial Surveillance Vendors (CSVs):** Various unnamed commercial entities selling to state clients.
- **State-Sponsored Actors:** Targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine.
## Detection Methods
- **Signature-based:** Detection of known JavaScript exploit patterns and fingerprinting scripts used by DarkSword.
- **Behavioral:** Monitoring for rapid, unauthorized access to keychain and crypto-wallet directories.
- **Heuristic:** Identifying the "hit-and-run" logic where a process initiates high-volume exfiltration followed by immediate deletion of logs or temporary files.
## Mitigation Strategies
- **Patch Management:** Update iOS devices to version 18.7.3 or higher (and version 26.x equivalents for newer hardware) immediately to patch the six underlying vulnerabilities.
- **Lockdown Mode:** Enable iOS Lockdown Mode for high-risk individuals to reduce the web-based attack surface.
- **Web Filtering:** Block known malicious domains and infrastructure associated with UNC6353.
## Related Tools/Techniques
- **Coruna:** Another high-profile iOS exploit kit discovered recently, though it targets older iOS versions (13.0 - 17.2.1).
- **Pegasus / Predator:** Similar commercial-grade surveillance tools utilizing full-chain mobile exploits.