Full Report
The kit, named Darksword, has a variety of possible implications, the research from iVerify, Lookout and Google suggests. The post Second iOS exploit kit emerges from suspected Russian hackers using possible U.S. government-developed tools appeared first on CyberScoop.
Analysis Summary
# Threat Actor: UNC6353
## Attribution & Identity
- **Name/Alias:** UNC6353 (Google attribution), "Darksword" group.
- **Identity:** A Russian-backed espionage group.
- **Associations:**
  - Linked to the authors of the "Coruna" exploit kit.
  - Demonstrates links to Russian state interests, with tactical overlaps (targeting crypto) previously seen in Sandworm/GRC operations (e.g., Infamous Chisel).
  - Uses exploits suspected to have been originally developed for or by the U.S. government (repurposed tools).
## Activity Summary
UNC6353 has been identified deploying **Darksword**, the second "mass" iOS exploit kit discovered recently. This follows the discovery of the "Coruna" kit. Both campaigns involve exploiting iOS devices to exfiltrate highly sensitive data. The group is using command and control (C2) infrastructure shared with previous Russian campaigns but operating a distinct kit.
## Tactics, Techniques & Procedures
- **Exploitation Path:** Compromising Apple’s WebKit, then using WebGPU as a pivot point for sandbox escapes.
- **AI Integration:** Use of Large Language Models (LLMs) to customize and optimize exploit code.
- **Data Exfiltration:** Capable of stealing saved passwords, cryptocurrency wallets, and text messages.
- **Operational Security (OPSEC):** Surprisingly poor for a sophisticated actor; the kit included non-obfuscated JavaScript/HTML and used blatant naming conventions (e.g., "Dark sword file receiver").
- **Supply Chain/Repurposing:** Sourcing and repurposing leaked or secondary-market government-grade exploits.
## Targeting
- **Sectors:** Private individuals (iPhone users), cryptocurrency holders, and military/intelligence targets (via surveillance).
- **Geography:** Primarily Ukraine; however, the kit's scope is global.
- **Victims:** Up to 270 million iPhone users globally are potentially susceptible; specifically, approximately 15% of iOS devices running iOS 18 or earlier.
## Tools & Infrastructure
- **Malware Families:**
  - **Darksword:** iOS exploit kit focused on surveillance and financial theft.
  - **Coruna:** Predecessor iOS exploit kit.
- **Infrastructure:** Hosted on the same C2 infrastructure as Coruna.
- **Exploited Features:** Apple WebKit and WebGPU.
## Implications
- **Hybrid Motivations:** The group exhibits a "Swiss Army knife" approach, blending traditional espionage (surveillance, pattern of life analysis) with financial crime (crypto theft), possibly to fund state operations amidst sanctions.
- **Mobile Migration:** Signals a strategic shift of advanced persistent threats (APTs) toward mobile platforms as they become primary internet gateways.
- **Secondary Exploit Market:** Highlights the danger of "leaked" government tools being democratized by opportunistic threat actors.
- **Global Scale:** Unlike targeted Pegasus-style attacks, this is a "mass" campaign capable of affecting millions of users.
## Mitigations
- **Patch Management:** Users must update to the latest iOS versions immediately. Devices on iOS 18 or earlier remain vulnerable to the WebKit/WebGPU pivot.
- **Mobile Threat Defense (MTD):** Employing mobile-specific security solutions (like iVerify or Lookout) to detect sandbox escapes and unauthorized data exfiltration.
- **Reduced Surface Area:** Disabling unnecessary experimental browser features (like WebGPU) if not required for business operations.
- **Hardware Security:** Transitioning to newer iPhone hardware that supports advanced Lockdown Mode and memory protection features.
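The patch-management mitigation above hinges on one threshold, devices still on iOS 18 or earlier. As an added example (not from the report or from any of the vendors named), the script below triages a constructed MDM inventory export against that threshold; the column names and version strings are assumptions, and a real MDM export will differ.

```python
"""Fleet triage for the iOS 18-or-earlier exposure described above.

Added example, not part of the original report. Assumes a constructed
CSV-style inventory with columns device_id,model,os_version.
"""
import csv
import io
from typing import Dict, List, Tuple

# The report identifies devices on iOS 18 or earlier as the affected population.
LAST_AFFECTED_MAJOR = 18

# Constructed sample inventory (hypothetical devices and versions).
SAMPLE_INVENTORY = """device_id,model,os_version
ios-0001,iPhone 13,18.6.2
ios-0002,iPhone 15 Pro,26.0.1
ios-0003,iPhone 11,17.7
ios-0004,iPhone 14,18.0
ios-0005,iPhone 16,26.1
ios-0006,iPhone SE,not reported
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.6.2' into (18, 6, 2); raise ValueError for non-numeric input."""
    return tuple(int(part) for part in text.strip().split("."))


def is_in_affected_range(os_version: str) -> bool:
    """True when the device runs iOS 18 or earlier."""
    return parse_version(os_version)[0] <= LAST_AFFECTED_MAJOR


def triage(inventory_csv: str) -> Dict[str, List[str]]:
    """Bucket device ids into 'affected', 'current' and 'unknown'."""
    buckets: Dict[str, List[str]] = {"affected": [], "current": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            key = "affected" if is_in_affected_range(row["os_version"]) else "current"
        except ValueError:
            # Unparseable version: follow up manually, never assume the device is safe.
            key = "unknown"
        buckets[key].append(row["device_id"])
    return buckets


def affected_share(buckets: Dict[str, List[str]]) -> float:
    """Share of devices with a known version that are still in the affected range."""
    known = len(buckets["affected"]) + len(buckets["current"])
    return len(buckets["affected"]) / known if known else 0.0
```

Devices that report no parsable version land in the "unknown" bucket so they are not silently counted as patched.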