DarkSword iOS Exploit Kit Deployed in Multi-Stage Data Theft Campaign

A sophisticated exploit framework called DarkSword has been actively targeting iPhones running iOS 18.4 through 18.7 since November 2025, stealing sensitive information including cryptocurrency wallet data. The attack chain strings together six known vulnerabilities, all of which Apple has already patched, and delivers three distinct malware families: the GHOSTBLADE data miner, the GHOSTKNIFE backdoor, and the GHOSTSABER JavaScript backdoor. Multiple threat actors have used the framework, including the suspected Russian espionage group UNC6353 and the Turkish commercial surveillance vendor PARS Defense.

The attacks begin when a victim visits a compromised website carrying a malicious iframe; the exploits it loads run inside Safari and escalate to a kernel read/write primitive. A main orchestrator component then injects a JavaScript engine into privileged iOS services including App Access, Wi-Fi, SpringBoard, Keychain, and iCloud. Data-stealing modules subsequently harvest saved passwords, photos, WhatsApp and Telegram databases, SMS messages, call history, location data, and credentials for cryptocurrency wallets including Coinbase, Binance, and Ledger.

Researchers from Lookout, Google Threat Intelligence Group, and iVerify collaborated on the analysis, noting signs of LLM-assisted development such as unusually extensive code comments. The framework appears professionally engineered for maintainability and rapid module development rather than for long-term surveillance: it wipes its temporary files and exits once data has been exfiltrated, which also limits what forensic evidence remains on the device. Targets have included users in Saudi Arabia lured through Snapchat-impersonating websites, as well as Turkish, Malaysian, and Ukrainian victims reached through watering-hole attacks on compromised sites.

Apple has addressed all of the exploited vulnerabilities in iOS 26.3.1, released earlier this month. Users at elevated risk are advised to enable Lockdown Mode for additional protection, while those on devices that cannot run the current release await potential backported fixes. The framework represents a significant evolution in iOS exploitation capability, combining one-click delivery with comprehensive data theft and serving multiple threat actors with diverse operational objectives.
