DarkSword Exploit Chain Hits iPhones Running iOS 18.4 to 18.7
Multiple threat actors deploy DarkSword, a six-CVE iOS exploit chain stealing crypto wallets, credentials, and messages from millions of vulnerable iPhones.
A sophisticated iOS exploit chain called DarkSword is being deployed by multiple threat actors - including suspected Russian operators - to steal cryptocurrency wallets, credentials, and private communications from iPhones running iOS 18.4 through 18.7.
Lookout Security and Google's Threat Intelligence team independently documented DarkSword's capabilities after observing campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025. The framework has proliferated rapidly among both commercial surveillance vendors and state-sponsored groups.
Six CVEs, One Complete Compromise
DarkSword isn't a single vulnerability - it's a full exploit chain combining six separate flaws to achieve privileged code execution:
- CVE-2025-31277
- CVE-2025-43529
- CVE-2026-20700
- CVE-2025-14174
- CVE-2025-43510
- CVE-2025-43520
The chain is written entirely in JavaScript and requires only that a victim visit a malicious website; no app installation and no user confirmation are needed. The exploit works against millions of devices running the affected iOS versions.
Hit-and-Run Data Theft
What makes DarkSword particularly dangerous is its "hit-and-run" approach. Rather than establishing persistent access, the framework rapidly exfiltrates high-value data within minutes and then erases its presence to evade forensic detection.
The stolen data includes:
Identity and Communications
- SMS and iMessage history
- WhatsApp and Telegram messages
- Email content
- Saved credentials from the keychain
Corporate and Personal Data
- iCloud files and documents
- Notes
- Photos
- Cryptocurrency wallet data
Device Intelligence
- WiFi network credentials
- Location history
- Call logs
The cryptocurrency wallet theft component reflects the broader infostealer trend we've tracked throughout 2026, where financial data extraction has become a priority target.
Multiple Actors, Shared Toolkit
Google's Threat Analysis Group linked one DarkSword campaign to UNC6353, a suspected Russian threat actor. This same group previously deployed the Coruna exploit chain disclosed earlier this month.
But UNC6353 isn't operating alone. Commercial surveillance vendors have integrated DarkSword into their offerings, expanding the threat beyond state-sponsored operations. The toolkit's availability across multiple actor types suggests either direct sharing or a common origin point selling to diverse customers.
The geographic spread of victims - spanning the Middle East, Southeast Asia, and Eastern Europe - indicates varied targeting priorities among the different operators.
Why iOS Exploits Matter
iOS devices have historically represented a harder target for attackers, making exploit chains like DarkSword particularly valuable and dangerous. Apple's security model assumes the device remains uncompromised, meaning successful exploitation bypasses most enterprise mobile security controls.
For organizations allowing personal device usage for work, the Apple zero-day threat we covered previously demonstrated how mobile exploits can bridge into corporate environments. DarkSword extends this concern by specifically harvesting enterprise-relevant data like email and credentials.
Immediate Protection Steps
iPhone users should take immediate action:
- Update to iOS 26.3.1 - Apple's latest release patches the vulnerabilities in DarkSword's chain
- Enable Lockdown Mode - Users at high risk of targeted attacks should activate this feature through Settings > Privacy & Security
- Review device access - Check for unfamiliar app installations or permission grants
- Audit cryptocurrency holdings - If you've been on an affected iOS version, verify wallet balances and consider rotating keys
Organizations with mobile device management should prioritize pushing the iOS update to corporate devices and enforcing minimum version requirements.
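One way to turn that minimum-version requirement into a triage check over an MDM inventory export, as an added example that is not code from the article or from Lookout or Google. The inventory is constructed sample data; treating 18.7 point releases as inside the affected range, and the "unverified" bucket for versions outside 18.4-18.7 but below 26.3.1, are assumptions made here for triage purposes.

```python
import re

# Constructed sample MDM inventory: device id -> reported iOS version (not real devices)
INVENTORY = {
    "ipad-0001": "18.4",
    "iphone-0002": "18.7.2",
    "iphone-0003": "18.3.1",
    "iphone-0004": "26.3",
    "iphone-0005": "26.3.1",
    "iphone-0006": "26.4",
}

AFFECTED_MIN = (18, 4)    # first affected release named in the article
AFFECTED_MAX = (18, 7)    # last affected release; 18.7.x point releases treated as in range (assumption)
PATCHED = (26, 3, 1)      # release the article names as patching the chain

def parse_ios_version(s: str) -> tuple:
    """Turn '18.7.2' into (18, 7, 2); missing components default to 0."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unparseable iOS version: {s!r}")
    return tuple(int(part or 0) for part in m.groups())

def classify(version: str) -> str:
    """Bucket one device by the version ranges the article gives."""
    v = parse_ios_version(version)
    if AFFECTED_MIN <= v[:2] <= AFFECTED_MAX:
        return "vulnerable"   # inside the documented 18.4-18.7 range
    if v >= PATCHED:
        return "patched"      # at or above the release that fixes the chain
    return "unverified"       # outside the documented range but below the fix: still push the update

def triage(inventory: dict) -> dict:
    """Group device ids by bucket so the MDM update push can be targeted."""
    out = {"vulnerable": [], "unverified": [], "patched": []}
    for dev, ver in inventory.items():
        out[classify(ver)].append(dev)
    return out

if __name__ == "__main__":
    for bucket, devs in triage(INVENTORY).items():
        print(f"{bucket}: {devs}")
```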
Frequently Asked Questions
How do I know if my iPhone was compromised?
DarkSword's hit-and-run design makes detection difficult - it doesn't persist after exfiltrating data. If you've visited unfamiliar websites while running iOS 18.4-18.7, assume potential exposure and change critical credentials, especially for cryptocurrency wallets.
Are Android devices affected?
No. DarkSword specifically targets iOS through vulnerabilities in Apple's implementation. Android users face separate threats, though similar exploit chain attacks targeting Android continue to emerge.