Security Researchers Uncover Darksword, a Sophisticated iOS Exploit Kit
Security researchers from iVerify, Lookout, and Google's Threat Intelligence Group (GTIG) have revealed the discovery of a highly sophisticated new hacking tool named Darksword, designed to steal personal data from iPhones. This exploit kit poses a significant risk to users, particularly those with outdated devices, as it leverages vulnerabilities in Apple's iOS operating system to gain unauthorized access and extract sensitive information.
What is Darksword and Why It Is Dangerous
Darksword is a professionally engineered exploit kit that targets iPhones running iOS versions 18.4 through 18.6.2. According to reports, it exhibits clear signs of deliberate design for maintainability and future development, indicating a high level of sophistication. The group behind this threat is tracked under the identifier UNC6353, though definitive attribution remains unclear. Notably, researchers have observed that large language model (LLM) tools, which power AI chatbots, have been utilized to extend Darksword's functionality, enhancing its capabilities.
Lookout noted in its report, "This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high-level programming language." The report further emphasized that the development effort reflects a focus on long-term sustainability and extensibility, making Darksword a persistent threat in the cybersecurity landscape.
How Does the Attack Work and What Data Can Hackers Steal
The attack initiates through Safari, Apple's default web browser on iPhones, without requiring users to download suspicious files or click on links. Simply visiting a compromised website may be sufficient, as threat actors have injected malicious code into legitimate sites. Darksword exploits a chain of vulnerabilities to gain deep read and write access to the iPhone's core operating system, eventually taking full control of the device.
Once activated, data-stealing modules harvest a wide range of personal information, including:
- Saved passwords and browser cookies
- Photos, screenshots, and hidden image files
- Databases from WhatsApp and Telegram
- Cryptocurrency wallets such as Coinbase, Binance, and Ledger
- Text messages (SMS), address book, and call history
- Location history, browser history, and Wi-Fi passwords
- Apple Health data, calendar entries, and notes
- Installed applications and connected accounts
After stealing the data, Darksword wipes temporary files and exits, leaving minimal traces of its activity.
Who Is at Risk and What iPhone Users Must Do
The good news is that Apple has already addressed these vulnerabilities in its latest iOS releases. Users with fully updated iPhones are protected from Darksword. For those with outdated devices, it is crucial to upgrade to the latest version, iOS 26.3.1, which was released earlier this month. Additionally, enabling Lockdown Mode can provide an extra layer of security for individuals at high risk of being targeted.
To update iOS, navigate to Settings → General → Software Update. To enable Lockdown Mode, go to Settings → Privacy & Security → Lockdown Mode. Older iPhones that no longer support the latest iOS version may still receive targeted security fixes, so users should regularly check for updates.
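For teams managing many iPhones, the version guidance above can be turned into a quick inventory triage. The following is an added example, not code from the researchers or from Apple; the CSV layout, column names and device rows are constructed, and only the version bounds (18.4 through 18.6.2, and 26.3.1 as latest) come from this article.

```python
import csv
import io

# Version bounds come from the article; device rows and column names are constructed.
TARGETED_MIN = (18, 4, 0)
TARGETED_MAX = (18, 6, 2)
LATEST = (26, 3, 1)

SAMPLE_INVENTORY = """device_id,os_version
phone-01,18.5
phone-02,18.6.2
phone-03,18.10
phone-04,26.3.1
phone-05,17.7.2
phone-06,18.4.0
phone-07,unknown
"""


def parse_version(text):
    """Return '18.5' as (18, 5, 0); None if the field is not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    # Pad to three components so '18.4' and '18.4.0' compare equal.
    return (tuple(int(p) for p in parts) + (0, 0))[:3]


def classify(version_text):
    """Bucket one OS version string against the ranges reported in the article."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"          # needs manual review, never assumed safe
    # Integer tuples, not strings: '18.10' must sort above '18.6.2'.
    if TARGETED_MIN <= version <= TARGETED_MAX:
        return "targeted-range"    # update first
    if version < LATEST:
        return "behind-latest"     # check for an available security update
    return "current"


def triage(inventory_csv):
    """Group device ids by bucket from a CSV with device_id and os_version columns."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        buckets.setdefault(classify(row["os_version"]), []).append(row["device_id"])
    return buckets


if __name__ == "__main__":
    for bucket, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket}: {', '.join(devices)}")
```

Devices in the "behind-latest" bucket are not necessarily exposed to Darksword; they are simply not on the release the article names as current and should be checked for an available update.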
This discovery underscores the importance of maintaining up-to-date software and practicing vigilant cybersecurity habits to safeguard personal data against evolving threats like Darksword.
