www.securityweek.com 3/18/2026, 3:41:14 PM · via preferred

‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors

SecurityWeek reports that the DarkSword iOS exploit kit, written in JavaScript, is used by state-sponsored hackers and commercial spyware vendors. It targets six iOS vulnerabilities to achieve full device compromise with minimal user interaction.

According to Lookout, the chain begins with Safari exploits, continues with sandbox escapes, and then moves to kernel flaws for privilege escalation and final payload execution. Attacks were observed via malicious iframes on News of Donbas and the Seventh Administrative Court of Appeals in Vinnytsia. The six targeted flaws are CVE-2025-31277, CVE-2025-43529, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520 and CVE-2026-20700; the last is linked to TP Read-Only and PAC bypass and was patched in February as a zero-day.

The exploit is linked to UNC6353, a Russian state-sponsored group, and was used against Ukraine. Google and iVerify note that DarkSword has also been used by commercial surveillance vendors, including one tracked as UNC6748, in campaigns targeting Saudi Arabia, Turkey and Malaysia.

Security researchers warn that hundreds of millions of devices may remain exposed and urge updates to iOS 26.3.1 and 18.7.6. iVerify estimates that 14.2% of users (approximately 221,520,000 devices), those on iOS 18.4–18.6.2, are vulnerable, and that around 18.99% (296,244,000) may be affected across iOS 18 versions.

Article by CyberSIXT