Overview
- Lookout, iVerify and Google published coordinated reports detailing Darksword, found on dozens of compromised Ukrainian websites in recent weeks.
- Darksword targets iPhones running 2025-era releases, roughly iOS 18.4 through 18.6.2; researchers estimate that 220 million to 270 million devices may remain exposed even though Apple fixes are available.
- The kit chains a WebKit compromise to a WebGPU-based sandbox escape to steal saved passwords, messages and cryptocurrency wallet data.
- Investigators link the operation to infrastructure used by the earlier Coruna campaign and associate the activity with Google-tracked UNC6353, described as Russian-backed.
- The teams cite poor operational security and signs of LLM-generated code, reinforcing concerns about a growing secondary market for advanced iOS exploits.