"The exploit kit, called DarkSword, has been in use since at least November 2025. It supports iOS versions 18.4 through 18.7, and exploits six different vulnerabilities to deploy three different backdoors that steal a ton of personal information, including messages, recordings, location history, signed-in accounts, cryptocurrency wallet data, and more."
"In coordinated research published Wednesday, Google, iVerify, and Lookout analyzed the malware and noted that this is the second time this month that they've spotted disparate criminal groups using a single iOS exploit kit to spy on iPhone users. The earlier exploit framework is called Coruna, and one of the earlier groups abusing Coruna - a suspected Russian espionage crew tracked as UNC6353 - has also been using DarkSword in its watering hole campaigns targeting Ukrainians."
"The attack requires an iPhone user to navigate to a malicious website to trigger the exploit chain. It begins with miscreants exploiting either CVE-2025-31277 or CVE-2025-43529 - depending on the iOS version - to achieve remote code execution, according to iVerify's analysis."
DarkSword is an exploit kit active since November 2025 that targets iPhone users running iOS versions 18.4 through 18.7. It exploits six different vulnerabilities to deploy three backdoors capable of stealing sensitive personal data including messages, recordings, location history, signed-in accounts, and cryptocurrency wallet information. Multiple spyware vendors and suspected nation-state actors are abusing this kit. This represents the second iOS exploit kit discovered this month being used by disparate criminal groups, following the Coruna framework. Russian espionage group UNC6353 has deployed DarkSword in watering hole campaigns targeting Ukrainians. All six vulnerabilities have been patched, and users are advised to update to the latest iOS release.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]