DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover

Source: The Hacker News
Published: Thu, 19 Mar 2026 09:14:00 GMT
A new exploit kit for Apple iOS devices, designed to steal sensitive data from the devices it compromises, has been wielded by multiple threat actors since at least November 2025, according to reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout.
According to GTIG, multiple commercial surveillance vendors and suspected state-sponsored actors have utilized the full-chain exploit kit, codenamed DarkSword, in distinct campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine.
The discovery of DarkSword makes it the second iOS exploit kit, after Coruna, to be discovered within the span of a month. The kit is designed to target iPhones running iOS versions between iOS 18.4 and 18.7, and is said to have been deployed by a suspected Russian espionage group named UNC6353 in attacks targeting Ukrainian users.
It's worth noting that UNC6353 has also been linked to the use of Coruna in attacks aimed at Ukrainians by injecting the JavaScript framework into compromised websites.
"DarkSword aims to extract an extensive set of personal information, including credentials from the device and specifically targets a plethora of crypto wallet apps, hinting at a financially motivated threat actor," Lookout said. "Notably, DarkSword appears to take a 'hit-and-run' approach by collecting and exfiltrating the targeted data from the device within seconds or at most minutes, followed by cleanup."
Exploit chains such as Coruna and DarkSword are engineered to facilitate complete access to a victim's device with little to no interaction required on the part of the user. The findings once again show that there is a second-hand market for exploits that allows threat groups with limited resources and goals not necessarily aligned with cyber espionage to acquire "top-of-the-line exploits" and use them to infect mobile devices.
"The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation," GTIG said.
The exploit chain linked to the newly discovered kit makes use of six different vulnerabilities to deploy three payloads, of which CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174 were exploited as zero-days, prior to them being patched by Apple:
Lookout said it discovered DarkSword after an analysis of malicious infrastructure associated with UNC6353, identifying that one of the compromised domains hosted a malicious iFrame element responsible for loading JavaScript that fingerprints devices visiting the site and determines whether the visitor should be routed to the iOS exploit chain. The exact method by which the websites are infected is currently not known.
What made this notable was that the JavaScript was specifically looking for iOS devices running versions between 18.4 and 18.6.2, unlike Coruna, which targeted older iOS versions from 13.0 through 17.2.1.
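For a fleet or MDM administrator, the actionable part of the two reports is the set of iOS version ranges each kit's delivery script selects for. The following Python helper is an added example, not code from The Hacker News, Lookout, GTIG or iVerify; it encodes the ranges as stated on this page (DarkSword's kit range of 18.4 through 18.7 per GTIG, the narrower 18.4 through 18.6.2 range checked by the fingerprinting script per Lookout, and Coruna's 13.0 through 17.2.1) and reports which of them a given device build falls into, so that an inventory export can be triaged for devices that are still on a targeted version. The inventory lines at the bottom are constructed sample input, and the range names are this example's own labels.

```python
# Added example: triage an iOS version inventory against the version ranges
# the page attributes to the DarkSword and Coruna exploit kits.
# Range names and the sample inventory are constructed for this example.

# (lower bound inclusive, upper bound inclusive of any patch release under it)
TARGETED_RANGES = {
    "DarkSword (kit range, per GTIG)": ("18.4", "18.7"),
    "DarkSword (fingerprint script, per Lookout)": ("18.4", "18.6.2"),
    "Coruna": ("13.0", "17.2.1"),
}


def parse_version(text):
    """Turn '18.6.2' into (18, 6, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, low, high):
    """True if version is within [low, high].

    The upper bound is compared on its own number of components, so a bound of
    '18.7' also covers 18.7.1, 18.7.2, ... while excluding 18.8.
    """
    v = parse_version(version)
    lo = parse_version(low)
    hi = parse_version(high)
    return lo <= v and v[: len(hi)] <= hi


def affected_by(version):
    """Return the names of every targeted range that contains this iOS version."""
    return [
        name
        for name, (low, high) in TARGETED_RANGES.items()
        if in_range(version, low, high)
    ]


def triage_inventory(lines):
    """Map 'device-id,ios-version' lines to the ranges each device falls in.

    Devices outside every range map to an empty list, so callers can sort the
    fleet into 'update now' and 'not in a known targeted range' buckets.
    """
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device_id, version = (field.strip() for field in line.split(",", 1))
        result[device_id] = affected_by(version)
    return result


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = """
# device-id,ios-version
iphone-001,18.6.2
iphone-002,18.7.1
iphone-003,17.2.1
iphone-004,18.8
iphone-005,17.3
""".splitlines()

if __name__ == "__main__":
    for device, hits in triage_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(hits) if hits else "not in a listed targeted range"
        print(f"{device}: {status}")
```

Note that the two DarkSword ranges differ because the page reports them from two sources; a device on 18.7.x is inside GTIG's stated kit range but outside the range the fingerprinting script reportedly checked, and the helper surfaces that distinction rather than collapsing it.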
"DarkSword is a complete exploit chain and infostealer written in JavaScript," Lookout explained. "It leverages multiple vulnerabilities to establish privileged code execution to access sensitive information and exfiltrate it off the device."
As is the case with Coruna, the attack chain begins when a user visits via Safari a web page that embeds the iFrame containing JavaScript. Once launched, DarkSword is capable of breaking the confines of the WebContent sandbox (aka Safari's renderer process) and leveraging WebGPU to inject into mediaplaybackd, a system daemon introduced by Apple to handle media playback functions.
This, in turn, enables the dataminer malware – referred to as GHOSTBLADE – to gain access to privileged processes and restricted parts of the file system. Following a successful privilege escalation, an orchestrator module is used to load additional components that are designed to harvest sensitive data, as well as inject an exfiltration payload into Springboard to siphon the staged information to an external server over HTTP(S).
This includes emails, iCloud Drive files, contacts, SMS messages, Safari browsing history and cookies, cryptocurrency wallet and exchange data, usernames, passwords, photos, call history, Wi-Fi configuration and passwords, location history, calendar, cellular and SIM information, installed app list, data from Apple apps like Notes and Health, and message histories from apps like Telegram and WhatsApp.
iVerify, in its own analysis of DarkSword, said the exploit chain weaponizes JavaScriptCore JIT vulnerabilities in the Safari renderer process (CVE-2025-31277 or CVE-2025-43529) based on the iOS version to achieve remote code execution via CVE-2026-20700, and then escape the sandbox via the GPU process by taking advantage of CVE-2025-14174 and CVE-2025-43510.
Source
Original report: https://thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html
