DarkSword: New iOS Exploit Kit Targets Crypto Wallets and Sensitive Data in Sophisticated Attacks
A newly discovered iOS exploit kit, dubbed **DarkSword**, is being actively used by multiple threat actors to steal sensitive data from **Apple** devices. The kit targets a wide range of information, including credentials, crypto wallet data, and personal files, employing a 'hit-and-run' approach for rapid data exfiltration.

According to reports from **Google Threat Intelligence Group** (GTIG), **iVerify**, and **Lookout**, **DarkSword** has been leveraged in campaigns targeting **Saudi Arabia**, **Turkey**, **Malaysia**, and **Ukraine** since at least November 2025. Multiple commercial surveillance vendors and suspected state-sponsored actors are believed to be involved.
### DarkSword vs. Coruna
The emergence of **DarkSword** marks the second iOS exploit kit discovered in recent times, following **Coruna**. Unlike **Coruna**, which targeted older iOS versions, **DarkSword** focuses on iPhones running iOS versions between 18.4 and 18.7. It has been linked to a suspected Russian espionage group named UNC6353, which is also associated with the use of **Coruna** in attacks against Ukrainian users.
### Financially Motivated Threat
"**DarkSword** aims to extract an extensive set of personal information, including credentials from the device and specifically targets a plethora of crypto wallet apps, hinting at a financially motivated threat actor," **Lookout** stated. The kit's rapid exfiltrate-then-clean-up routine further distinguishes it from traditional spyware, which typically aims to remain resident on the device.
### Exploit Chain Details
Like **Coruna**, **DarkSword** employs an exploit chain to gain complete access to a victim's device with minimal user interaction. This highlights the growing market for exploits, enabling threat groups with limited resources to acquire sophisticated tools. GTIG emphasizes the ongoing risk of exploit proliferation across diverse actors.
The **DarkSword** exploit chain utilizes six different vulnerabilities, including three zero-days at the time of discovery:
* **CVE-2025-31277** - Memory corruption vulnerability in JavaScriptCore (Patched in version 18.6)
* **CVE-2026-20700** - User-mode Pointer Authentication Code (PAC) bypass in dyld (Patched in version 26.3)
* **CVE-2025-43529** - Memory corruption vulnerability in JavaScriptCore (Patched in versions 18.7.3 and 26.2)
* **CVE-2025-14174** - Memory corruption vulnerability in ANGLE (Patched in versions 18.7.3 and 26.2)
* **CVE-2025-43510** - Memory management vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)
* **CVE-2025-43520** - Memory corruption vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)
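A fleet-side exposure check built from the patch versions listed above (an added example, not code from GTIG, iVerify, Lookout or Apple): it reports which of the six CVEs a given iOS build still lacks a fix for, comparing only against the fix shipped on the device's own major branch. The assumption that a later major release (26.x) already carries a fix that shipped earlier on 18.x is mine, not the article's.

```python
"""Check an iOS version against the fixes listed for the DarkSword chain.

Added example, not from the article or any vendor. The patched versions are
the ones the article lists; treating a newer major branch as already
containing an older branch's fix is an assumption made here.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# CVE -> iOS versions the article says shipped the fix, one per major branch.
PATCHED_IN: Dict[str, List[str]] = {
    "CVE-2025-31277": ["18.6"],
    "CVE-2026-20700": ["26.3"],
    "CVE-2025-43529": ["18.7.3", "26.2"],
    "CVE-2025-14174": ["18.7.3", "26.2"],
    "CVE-2025-43510": ["18.7.2", "26.1"],
    "CVE-2025-43520": ["18.7.2", "26.1"],
}


def parse_version(text: str) -> Version:
    """'18.7.2' -> (18, 7, 2). Tuples compare numerically; strings do not
    ('18.10' < '18.7' as strings, which is exactly the bug to avoid)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(device: Version, fixed_in: List[str]) -> bool:
    """True if this build contains the fix for one CVE.

    Only the fix on the device's own major branch counts: a device on 26.0
    gains nothing from 18.7.3, and an 18.x device gains nothing from 26.2.
    """
    fixes = [parse_version(v) for v in fixed_in]
    same_branch = [f for f in fixes if f[0] == device[0]]
    if same_branch:
        return device >= min(same_branch)
    # No fix listed for this branch (assumption): a strictly newer major
    # release is taken to include it; an older one is not.
    return device[0] > max(f[0] for f in fixes)


def unpatched_cves(version_text: str) -> List[str]:
    """Return the listed CVEs a device at this version is still exposed to."""
    device = parse_version(version_text)
    return [cve for cve, fixed in PATCHED_IN.items()
            if not is_patched(device, fixed)]
```

Feeding MDM-reported OS versions through `unpatched_cves` separates devices that merely need the current 18.7.x or 26.x update from those still inside the 18.4 to 18.7 window the chain targets.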
### Infection Vector and Data Exfiltration
**Lookout** discovered **DarkSword** through analysis of malicious infrastructure linked to UNC6353. Compromised domains hosted malicious iFrames that fingerprint devices and redirect targets to the iOS exploit chain. The specific website infection method remains unknown.

The JavaScript code targets iOS devices running versions between 18.4 and 18.6.2. Once launched, **DarkSword** bypasses the WebContent sandbox and leverages WebGPU to inject into mediaplaybackd, a system daemon for media playback.
This allows the dataminer malware, GHOSTBLADE, to access privileged processes and restricted parts of the file system. It then loads additional components to harvest sensitive data and injects an exfiltration payload into Springboard to siphon information to an external server over HTTP(S).
### Data Targeted
The exploit targets a comprehensive range of data, including:
* Emails
* iCloud Drive files
* Contacts
* SMS messages
* Safari browsing history and cookies
* Cryptocurrency wallet and exchange data
* Usernames and passwords
* Photos
* Call history
* Wi-Fi configuration and passwords
* Location history
* Calendar data
* Cellular and SIM information
* Installed app list
* Data from Apple apps like Notes and Health
* Message histories from apps like Telegram and WhatsApp

### Technical Analysis
**iVerify**'s analysis indicates that **DarkSword** exploits one of two JavaScriptCore JIT vulnerabilities (CVE-2025-31277 or CVE-2025-43529) to gain remote code execution, using the dyld PAC bypass (CVE-2026-20700) in the process. It then escapes the sandbox through the GPU process using CVE-2025-14174 and CVE-2025-43510.
A kernel privilege escalation flaw (**CVE-2025-43520**) grants arbitrary read/write and function call capabilities inside mediaplaybackd, enabling the execution of injected JavaScript code.
**Lookout** describes the malware as a sophisticated, professionally designed platform with maintainability, long-term development, and extensibility in mind.
### Ported from Older Versions
Analysis of **DarkSword**'s JavaScript files reveals references to iOS versions 17.4.1 and 17.5.1, suggesting a port from an earlier version targeting older operating systems. Unlike persistent surveillance tools, **DarkSword** focuses on rapid data theft, highlighting the evolving landscape of iOS threats.