DARKSWORD is described as a new iOS exploit kit that has been used since late 2025 by multiple threat actors, including surveillance vendors and likely nation-state actors, to steal data from Apple devices in campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine, according to Lookout. The toolkit enables full-chain attacks that target sensitive data, such as credentials and crypto wallet information, exfiltrate it in a rapid “hit-and-run” fashion, and then delete traces.
It targets iPhones running iOS 18.4–18.7 and relies on six vulnerabilities, three of which are zero-days, including CVE-2026-20700 (dyld PAC bypass) and CVE-2025-43529 (JavaScriptCore memory corruption). The iOS kernel and JavaScriptCore flaws in the chain are listed as CVE-2025-43510 and CVE-2025-43520, with CVE-2025-31277 also noted. Together, the chain gives attackers near full device control, according to the report.
The operation is linked to the UNC6353 group, described as largely unknown but Russia-aligned, with infrastructure showing limited obfuscation and AI-assisted code, and it has been observed in campaigns against Ukrainian targets, according to Lookout and GTIG.