DarkSword: The iOS Exploit Kit Threatening Over 220 Million iPhones
Google, iVerify, and Lookout jointly disclose a sophisticated watering hole campaign targeting iPhones in Ukraine — and beyond — using a six-vulnerability exploit chain linked to a suspected Russian threat actor.
iPhone users running iOS 18.4 through 18.6.2 are at risk. Update immediately to iOS 26.3.1 (or iOS 18.7.6 for older devices). Enable Lockdown Mode if you believe you may be a high-risk target.
In coordinated research published on Wednesday, March 18, 2026, mobile security firm Lookout, Google’s Threat Intelligence Group (GTIG), and iVerify have disclosed a powerful new iOS exploit kit named DarkSword — the second major mass-exploitation campaign targeting iPhones to emerge this month, following the earlier revelation of the Coruna exploit kit on March 3.
DarkSword was first detected in November 2025 by Lookout researchers who were already investigating Coruna. The discovery came when a collaborating researcher flagged a suspicious URL on infrastructure linked to the same Russian-associated threat actor behind Coruna. What they found was a sophisticated, multi-stage exploit framework written entirely in JavaScript, targeting six separate vulnerabilities in Apple’s iOS and capable of completely compromising a device with minimal interaction from the victim.
How the Attack Works: A One-Click Chain
DarkSword operates as a watering hole attack. Attackers first compromise legitimate, trusted websites — in Ukraine, this included a government court website with a .gov.ua address and a Ukrainian news agency — and embed invisible malicious iframes into the HTML of those pages.
When a vulnerable iPhone user visits one of these compromised sites in Safari, the exploit chain triggers automatically with a single click. Unlike a true zero-click attack, the user must visit the page, but no further interaction is required. The attack begins with JavaScript exploiting two JIT (just-in-time compilation) vulnerabilities in WebKit’s JavaScriptCore engine to gain arbitrary memory read/write access. It then pivots through WebGPU to escape Safari’s sandbox, before escalating privileges in the XNU kernel and deploying a final-stage data-exfiltration payload.
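Because the delivery mechanism is a hidden iframe injected into a legitimate site, site operators can check their own pages for frames that are both invisible and third-party. The following is an added example written for this article, not code from the researchers; the page origin, the sample HTML and the list of hiding CSS declarations are constructed assumptions.

```python
"""Flag hidden iframes that pull content from a third-party origin."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS declarations that make a frame invisible (constructed list).
HIDDEN_DECLARATIONS = {("display", "none"), ("visibility", "hidden"), ("opacity", "0")}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "").strip() for k, v in attrs})


def is_hidden(attrs):
    """True if the frame is zero-sized or hidden by an inline style."""
    for decl in attrs.get("style", "").lower().split(";"):
        if ":" in decl:
            prop, value = (part.strip() for part in decl.split(":", 1))
            zero_dim = prop in ("width", "height") and value in ("0", "0px")
            if (prop, value) in HIDDEN_DECLARATIONS or zero_dim:
                return True
    return any(attrs.get(dim, "").rstrip("px") == "0" for dim in ("width", "height"))


def find_suspicious_iframes(html, page_origin):
    """Return src URLs of hidden iframes whose host differs from the page host."""
    collector = IframeCollector()
    collector.feed(html)
    page_host = urlparse(page_origin).hostname
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host and is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed sample: a same-origin frame, a visible embed, and a hidden third-party frame.
SAMPLE_HTML = """<html><body><h1>Court notices</h1>
<iframe src="https://court.example/calendar" width="600" height="400"></iframe>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="https://cdn-static.example/loader.html" style="display: none; width: 0"></iframe>
</body></html>"""
```

Run `find_suspicious_iframes(SAMPLE_HTML, "https://court.example")` against a page fetched from your own site; a visible third-party embed is deliberately not flagged, only frames that are hidden and foreign.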
Advanced mobile malware has ceased to be a tool wielded solely by governments for espionage and is now in the hands of groups seeking financial gain.
— Justin Albrecht, Global Director of Mobile Threat Intelligence, Lookout
The final payload, dubbed GHOSTBLADE by researchers, is a JavaScript-based orchestrator that injects code into privileged iOS services including Safari, Keychain, iCloud, Wi-Fi, and Springboard. It operates in a “hit-and-run” manner — rapidly collecting and exfiltrating sensitive data within seconds or minutes, then deleting its own files to erase any trace of the intrusion.
What Data Is Stolen
DarkSword’s data-stealing modules are comprehensive. Researchers confirmed the exploit chain is capable of exfiltrating:
- SMS messages, iMessages, WhatsApp and Telegram histories
- Saved passwords and Keychain credentials
- iCloud files, notes, and photos
- Wi-Fi credentials and call logs
- Cryptocurrency wallet data and keys
- Browser history and signed-in account data
- Device location history
Notably, unlike the earlier Coruna exploit kit, DarkSword specifically targets cryptocurrency wallets — a capability that suggests UNC6353 may be financially motivated in addition to conducting Russian intelligence-aligned espionage, according to Lookout’s assessment.
The Six Vulnerabilities Behind DarkSword
DarkSword chains together six CVEs in sequence, each building on the access granted by the previous stage:
| CVE | Component | Role in Chain | Patched |
|---|---|---|---|
| CVE-2025-31277 | JavaScriptCore (JIT) | Memory read/write primitives | Dec 2025 |
| CVE-2025-43529 | JavaScriptCore (JIT) | Memory read/write primitives | Dec 2025 |
| CVE-2026-20700 | TPRO / PAC bypass | Arbitrary code execution in WebContent | Feb 2026 (zero-day) |
| CVE-2025-14174 | ANGLE (WebGPU) | Sandbox escape via GPU process | Dec 2025 |
| CVE-2025-43510 | XNU Kernel / mediaplaybackd | Copy-on-write for kernel memory access | Prior to iOS 26.3 |
| CVE-2025-43520 | XNU Kernel | Full kernel privilege escalation | Prior to iOS 26.3 |
Google reported all six vulnerabilities to Apple in late 2025. All have now been patched, with iOS 26.3 completing the final set of fixes. However, iVerify estimates that approximately 14.2% of active iPhone users — around 221 million devices — are still running iOS versions between 18.4 and 18.6.2 and remain vulnerable.
Multiple Threat Actors, Broader Global Reach
While the Ukraine campaign attracted the most attention due to its links to Russian intelligence, Google’s GTIG found that DarkSword had been acquired and deployed by multiple distinct threat actors since November 2025 — a pattern consistent with the growing commercialization of mobile exploit kits.
- UNC6353: A suspected Russian threat actor previously linked to Coruna. Used DarkSword in watering hole attacks on Ukrainian government and media sites. Targeted iOS 18.4–18.6.2. Assessed to pursue both espionage and financial objectives.
- A separate actor used DarkSword via a Snapchat-themed lure site targeting Saudi users in November 2025. Deployed GhostKnife, a backdoor capable of audio recording, location tracking, and screenshot capture.
- A Turkish commercial surveillance vendor observed using DarkSword with iOS 18.4–18.7 support. Deployed GHOSTSABER, a JavaScript backdoor with data exfiltration and remote code execution capabilities.
Google assesses it is likely that additional commercial surveillance vendors and threat actors have acquired and are using DarkSword in campaigns not yet documented by researchers.
One of the most striking findings highlighted by researchers is the apparent use of large language model (LLM)-assisted coding in DarkSword’s codebase. Lookout noted that unlike most professional malware, DarkSword’s JavaScript code is entirely unobfuscated and contains explanatory comments consistent with AI-generated code — a sign of what researchers call the emerging “malware-as-a-service” commoditization of advanced exploit tools.
Low-level criminals and non-sophisticated actors can now get access to advanced exploit tools, mirroring the rise of the malware-as-a-service and ransomware-as-a-service economies.
— iVerify Research Team
Connection to Coruna and the Exploit Supply Chain
DarkSword was discovered through infrastructure shared with the Coruna exploit kit — the first mass iOS exploitation campaign disclosed earlier this month. The reuse of infrastructure by UNC6353 for both campaigns, combined with the poor operational security observed by researchers (unobfuscated code, plaintext server labels reading “Dark sword file receiver”), suggests that DarkSword may have been commercially acquired rather than developed in-house.
The infiltration server’s code contained comments written in Russian, while the exploit codebase itself used English variable names and deployment instructions — consistent with a scenario where a developer and an operator are different entities, and the exploit was independently purchased on a secondary market.
What iPhone Users Should Do Now
Recommended Actions
- Update to iOS 26.3.1 — the latest iOS release, which patches all six DarkSword CVEs. This is the most critical step for all eligible users.
- If on iOS 18 only: Update to iOS 18.7.6 at minimum. iVerify confirms iOS 18.7 is safe from the observed exploit configurations. Apple may backport further fixes for older hardware, but this has not been confirmed.
- Enable Lockdown Mode — available since iOS 16, this significantly restricts attack surfaces for high-risk users such as journalists, activists, and government officials.
- Check your device — iVerify is offering its iVerify Basic app for free until May 2026. Users can scan for DarkSword infections using the threat hunting feature. MVT and forensic tools can also detect indicators via Safari’s browser history and WebKit databases, which DarkSword does not erase.
- Organizations should immediately remove devices running iOS 18.6.2 or earlier from sensitive operations and retire hardware that cannot be updated.
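Since DarkSword does not erase Safari's browsing history, a forensic check can cross-reference the History.db export against known delivery domains. The following is an added example, not MVT's or iVerify's own code; it assumes the Safari History.db layout (history_items.url, history_visits.history_item and visit_time, the latter in seconds since 2001-01-01 UTC) and uses constructed placeholder indicator domains in place of the vendors' published IoC lists.

```python
"""Scan a Safari History.db for visits to known exploit-delivery domains."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Safari stores visit_time as seconds since the Apple/Core Data epoch (assumed).
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Placeholder indicators (constructed); replace with the published IoC lists.
INDICATOR_DOMAINS = {"darksword-delivery.example", "coruna-loader.example"}


def host_matches(url, indicators):
    """True if the URL's host is an indicator domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in indicators)


def scan_history(conn, indicators=INDICATOR_DOMAINS):
    """Return (url, visit datetime in UTC) for every visit to an indicator domain."""
    rows = conn.execute(
        "SELECT i.url, v.visit_time FROM history_visits v "
        "JOIN history_items i ON i.id = v.history_item ORDER BY v.visit_time"
    ).fetchall()
    return [
        (url, APPLE_EPOCH + timedelta(seconds=visit_time))
        for url, visit_time in rows
        if host_matches(url, indicators)
    ]


def build_sample_db():
    """Constructed in-memory stand-in for History.db using the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE history_visits (id INTEGER PRIMARY KEY, "
        "history_item INTEGER, visit_time REAL);"
    )
    conn.executemany("INSERT INTO history_items VALUES (?, ?)", [
        (1, "https://news.example/article"),
        (2, "https://cdn.darksword-delivery.example/loader.html"),
        (3, "https://court.example/cases"),
    ])
    conn.executemany("INSERT INTO history_visits VALUES (?, ?, ?)", [
        (1, 1, 794000000.0), (2, 2, 794000005.0), (3, 3, 794100000.0),
    ])
    return conn
```

On a real device export, open the copied History.db with `sqlite3.connect(path)` and pass the connection to `scan_history`; a hit a few seconds after a visit to a trusted site matches the silent-iframe delivery pattern described above.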
Industry Response
All three research organizations have been in active contact with Apple throughout the investigation. Google’s GTIG, which began investigating DarkSword in late 2025, has added all known DarkSword delivery domains to Google’s Safe Browsing service. Apple has patched all six underlying CVEs across recent iOS releases, with iOS 26.3 completing the final set of fixes. Apple did not issue a public statement in response to researcher inquiries at time of publication.
Google noted in its blog that the proliferation of DarkSword across multiple unrelated threat actors — from nation-state espionage groups to commercial surveillance vendors to financially motivated criminals — reflects a deepening structural problem in the mobile security landscape, one that mirrors the industrialization of ransomware seen in the PC ecosystem over the past decade. Google stated its continued participation in the Pall Mall Process, an international initiative aimed at establishing norms to limit the misuse of commercial spyware.
For most users, the message is simple: update your iPhone today.
