👤 KERNELWATCHER
🗓️ 19 Mar 2026   🌍 Europe

Zero-Day Blitz: DarkSword iOS Exploit Kit Slices Through Apple Defenses Worldwide

A new, multi-pronged exploit kit is enabling rapid iPhone takeovers in global cyber-espionage and theft campaigns.

In the shadowy marketplace of digital espionage, a fresh weapon has emerged - one that slices through even the latest Apple defenses. Dubbed "DarkSword," this sophisticated iOS exploit kit is turning the tables on iPhone security, enabling hackers and surveillance vendors to seize control of targeted devices in seconds. Investigators warn that, with just a single visit to a compromised webpage, victims can have their most sensitive data spirited away - no clicks required.

Fast Facts

  • DarkSword exploits six iOS vulnerabilities - including three zero-days - targeting iOS 18.4 to 18.7.
  • Used by multiple actors, including suspected Russian and Turkish groups, to steal credentials, crypto wallets, and personal data.
  • Attack chain requires no user interaction: visiting a booby-trapped website is enough for full compromise.
  • Data exfiltration and cleanup occur within minutes, with no persistent spyware left behind.
  • Operational security mistakes by attackers led to the kit’s discovery by researchers.

The Anatomy of a Hit-and-Run iPhone Hack

First spotted in late 2025 by Google’s Threat Intelligence Group, iVerify, and Lookout, DarkSword has quickly become a top-tier weapon for both commercial surveillance vendors and state-aligned threat actors. Its reach is global, with documented attacks in Ukraine, Saudi Arabia, Turkey, and Malaysia. The kit is particularly alarming for its use of three previously unknown zero-day vulnerabilities - flaws that Apple had no time to patch before they were exploited in the wild.

DarkSword’s attack unfolds as a seamless chain: a victim visits a compromised website (often via Safari), triggering a hidden JavaScript-driven iframe. This code profiles the device and, if it is deemed vulnerable, launches a barrage of exploits targeting the Safari renderer, the GPU, and the iOS kernel. Within seconds, the malware achieves privileged access, deploying its "GHOSTBLADE" dataminer to siphon off everything from emails and photos to cryptocurrency wallets and messaging app histories. Once the data is sent to an external server, DarkSword erases its tracks, vanishing without a trace.

Unlike traditional spyware, DarkSword doesn’t linger for ongoing surveillance. Its rapid, one-shot approach suggests financially motivated actors - especially as it zeroes in on crypto wallets. Yet, its use in politically sensitive regions also hints at espionage. Analysts note that DarkSword is not the work of a lone genius: its modular, professionally written code is designed for easy updates and mass deployment, even by actors lacking deep technical expertise.

Investigators have linked the kit to at least three threat groups, including a Russian-aligned entity known as UNC6353 and a Turkish surveillance vendor. In some campaigns, attackers used themed lures - like fake Snapchat sites - to entice victims. The kit’s discovery was made possible only because its creators failed to properly hide their tracks, exposing the infrastructure and code to security teams.

What’s Next for iPhone Security?

The rise of DarkSword - and its predecessor, Coruna - underscores a troubling trend: premium iOS exploit chains are now for sale, lowering the barrier for would-be hackers and spies. With hundreds of millions of devices potentially at risk, the question isn’t just how Apple will respond, but how the shadow market for mobile 0-days will evolve. For users, timely updates and vigilance remain the only real shields in an increasingly hostile digital landscape.

WIKICROOK

  • Zero-Day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, which makes it highly valuable to attackers and dangerous for everyone else.
  • Exploit Chain: An exploit chain is a series of linked vulnerabilities that attackers use together to breach a system, bypassing security through multiple steps.
  • Privilege Escalation: Privilege escalation occurs when an attacker gains higher-level access, moving from a regular user account to administrator privileges on a system or network.
  • Watering Hole Attack: A Watering Hole Attack is when hackers infect trusted websites to target specific users, spreading malware to visitors without their knowledge.
  • Operational Security (OPSEC): Operational Security (OPSEC) is the practice of protecting sensitive information and activities from being discovered or exploited by adversaries.

KERNELWATCHER, Linux Kernel Security Analyst