Full Report
A new iOS exploit kit and delivery framework dubbed "Darksword" has been used to steal a wide range of personal information, including data from cryptocurrency wallet apps. [...]
Analysis Summary
# Vulnerability: Darksword iOS Exploit Kit
## CVE Details
The Darksword exploit kit utilizes a chain of multiple documented vulnerabilities:
- **CVE IDs:**
  - CVE-2025-31277
  - CVE-2025-43529
  - CVE-2026-20700
  - CVE-2025-14174
  - CVE-2025-43510
  - CVE-2025-43520
- **CVSS Score:** Not explicitly listed, but involves kernel-level privilege escalation (typically Critical/High).
- **CWE:** Type Confusion, Use-After-Free (UAF), Out-of-Bounds (OOB) Write, Copy-on-Write (CoW) kernel bugs.
## Affected Systems
- **Products:** Apple iOS devices (iPhones).
- **Versions:** iOS 18.4 through 18.6.2.
- **Configurations:** Devices accessing malicious websites via the Safari browser.
## Vulnerability Description
Darksword is a sophisticated "1-click" exploit framework that targets the Safari browser to achieve a sandbox escape. Once the browser is compromised, the chain utilizes multiple kernel-level vulnerabilities (Type Confusion and UAF) to gain kernel read/write access.
The attack is managed by a main orchestrator component (`pe_main.js`), which injects a JavaScript engine into high-privilege iOS services. These services include **Springboard, Keychain, iCloud, Wi-Fi, and App Access**. The framework is modular, allowing for rapid deployment of data-exfiltration plugins designed to steal sensitive information directly from secure enclaves and databases.
## Exploitation
- **Status:** Exploited in the wild (attributed to threat actor UNC6353).
- **Complexity:** Medium (Requires user to click a link/visit a compromised site).
- **Attack Vector:** Network (Web-based via Safari).
## Impact
- **Confidentiality:** High (Exfiltration of Keychain, photos, messages, crypto wallets, and location).
- **Integrity:** High (Execution of code in privileged services).
- **Availability:** Medium (The malware wipes temporary files and exits after exfiltration rather than causing permanent bricking).
## Remediation
### Patches
- Users should update to **iOS 19.3.1** (or the latest available version mentioned in the disclosure timeline).
- Confirm all security updates for iOS 18.x series are applied if the device cannot upgrade to a newer major version.
### Workarounds
- **Lockdown Mode:** High-risk individuals should enable Apple’s "Lockdown Mode" to restrict the Safari attack surface.
- **Alternative Browsers:** Switching browsers offers limited protection, since many iOS browsers are built on WebKit; avoiding suspicious links from untrusted sources (SMS, Telegram, etc.) is what actually reduces the "1-click" risk.
## Detection
### Indicators of Compromise
- **Injected Iframes:** Malicious iframes embedded in compromised legitimate websites (e.g., Ukraine government sites).
- **File Artifacts:** Presence of `pe_main.js` in browser memory or temporary caches.
- **Network Traffic:** Data exfiltration to known C2 infrastructure associated with UNC6353 and the Coruna exploit kit.
### Detection Methods and Tools
- **iVerify:** Mentioned as a collaborator in detecting these specific flaws.
- **Lookout Threat Labs:** Mobile Endpoint Security tools can detect the behavioral anomalies associated with the JavaScript engine injection.
## References
- **Lookout Threat Labs Report:** hxxps[://]www[.]lookout[.]com/blog/darksword
- **iVerify Analysis:** hxxps[://]iverify[.]io/blog/darksword-ios-exploit-kit-explained
- **BleepingComputer:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/