Reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout say that since at least November 2025, several threat actors have been using a new exploit kit for Apple iOS devices to steal sensitive data. GTIG says that several commercial surveillance companies and suspected state-sponsored actors have used the full-chain exploit kit, codenamed DarkSword, in different campaigns against Saudi Arabia, Turkey, Malaysia, and Ukraine. DarkSword is the second iOS exploit kit to be found in a month, after Coruna.

The kit is designed to work against iPhones running iOS versions 18.4 through 18.7. A suspected Russian espionage group tracked as UNC6353 is reported to have used it against Ukrainian users.

Notably, UNC6353 has also been linked to the use of Coruna in attacks on Ukrainian users, in which the JavaScript framework was injected into compromised websites. Once launched, DarkSword breaks out of the WebContent sandbox (Safari's renderer process) and uses WebGPU to reach mediaplaybackd, the Apple system daemon that handles media playback tasks. This, in turn, lets the data-mining malware, known as GHOSTBLADE, reach privileged processes and parts of the file system that are normally off-limits.

After a successful privilege escalation, an orchestrator module loads additional components that steal sensitive data and injects an exfiltration payload into SpringBoard to send the staged information to an external server over HTTP(S). The collected data includes emails, files on iCloud Drive, contacts, SMS messages, Safari browsing history and cookies, cryptocurrency wallet and exchange data, usernames and passwords, photos, call history, Wi-Fi configuration and passwords, location history, calendar entries, cellular and SIM information, a list of installed apps, data from Apple apps such as Notes and Health, and message histories from apps such as Telegram and WhatsApp.

iVerify's own analysis of DarkSword found that the exploit chain uses JavaScriptCore JIT vulnerabilities in the Safari renderer process (CVE-2025-31277 or CVE-2025-43529) to achieve remote code execution (CVE-2026-20700), and then escapes the sandbox through the GPU process by exploiting CVE-2025-14174 and CVE-2025-43510.

"The fact that DarkSword code is completely open, that the HTML for the iframes is also open, and that the DarkSword File Receiver is so simple and obviously named makes us think that UNC6353 may not have access to strong engineering resources or is not worried about taking the right OPSEC steps," Google said. Google added that the use of DarkSword by UNC6353 in December 2025 only worked on iOS versions 18.4 to 18.6, and that the use of DarkSword by UNC6748 and PARS Defense also targeted iOS devices running version 18.

iVerify said, "For the second time in a month, threat actors have used waterhole attacks to go after iPhone users."

"Notably, neither of these attacks was directed at a specific person. The combined attacks now affect hundreds of millions of iOS devices that haven't been updated and are running versions 13 to 18.6.2. In both cases, the tools were found because of major operational security (OPSEC) failures and carelessness in how the iOS offensive capabilities were set up."

These recent events raise a number of important questions: How big and well-equipped is the market for iOS 0-day and n-day exploits?