www.lookout.com
DarkSword iOS Exploit Chain Targets Mobile Devices Globally
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The Google Threat Intelligence Group has identified DarkSword, a full-chain iOS exploit affecting versions 18.4 to 18.7. This exploit leverages multiple zero-day vulnerabilities, including CVE-2025-31277 and CVE-2025-14174, to compromise devices and deploy malware families like GHOSTBLADE. DarkSword has been linked to various threat actors, including the suspected Russian group UNC6353, which has targeted users in Saudi Arabia, Turkey, Malaysia, and Ukraine since November 2025. The exploit aims to extract sensitive information, particularly from crypto wallet apps, and operates with a 'hit-and-run' approach. All vulnerabilities exploited by DarkSword were reported to Apple and patched with the release of iOS 26.3. Users are advised to update their devices or enable Lockdown Mode for enhanced security. Lookout and iVerify collaborated with GTIG on this investigation, highlighting the growing sophistication of mobile threats.
Key Points: • DarkSword exploits multiple zero-day vulnerabilities in iOS versions 18.4 to 18.7. • The exploit is linked to state-sponsored actors, specifically UNC6353, targeting sensitive data. • Users are urged to update to iOS 26.3 or enable Lockdown Mode to mitigate risks.