DarkSword iOS Exploit Kit Used by State-Sponsored Hackers and Spyware Vendors
Summary
A sophisticated iOS exploit kit targets six vulnerabilities to achieve full device compromise with minimal user interaction. It has been used by the Russian state-sponsored group UNC6353 and by commercial surveillance vendors.
Threat Analysis
A sophisticated iOS exploit kit named DarkSword has been deployed by state-sponsored hackers and commercial spyware vendors to achieve full device compromise with minimal user interaction. The kit targets six iOS vulnerabilities, chaining them into a complete attack chain. The Russian state-sponsored espionage group UNC6353 used DarkSword in attacks against Ukraine, sharing infrastructure with another exploit kit called Coruna. Commercial surveillance vendors, such as UNC6748, have also deployed DarkSword in attacks against targets in Saudi Arabia, Turkey, and Malaysia.

The exploit chain begins with Safari bugs for remote code execution, followed by a sandbox escape, and then kernel flaws for privilege escalation and payload execution. The final payload is an orchestrator of modules designed to exfiltrate sensitive information, including passwords, messages, contacts, browser data, and cryptocurrency wallet information.

Although Apple has released patches for the targeted vulnerabilities, hundreds of millions of devices may still be exposed because they have not been updated. iOS users should update to the latest version immediately, and organizations should use mobile device management (MDM) solutions to enforce updates and monitor for indicators of compromise.