© 2026 CoolTechZone - Latest tech news,
product reviews, and analyses.

Researchers uncover new iOS infostealing exploit kit DarkSword


Security researchers have discovered an iOS 18 exploit that’s been used since last year to infect iPhones with malware through a fake Snapchat website.

Researchers from Google, Lookout, and iVerify have dubbed the exploit DarkSword.

DarkSword uses six different vulnerabilities to deploy malicious payloads on iPhones running iOS versions 18.4 through 18.7. The goal is to extract sensitive information from infected devices, including login credentials, text messages, emails, media files, location history, web browsing history, iCloud Drive files, and other data.

Specifically, the malware targets a plethora of cryptowallet apps, meaning that the hackers are most likely financially motivated. In addition, the malware enables attackers to gain full access to a user’s device with little to no action needed from the user.

“Notably, DarkSword appears to take a ‘hit-and-run’ approach by collecting and exfiltrating the targeted data from the device within seconds or at most minutes, followed by cleanup,” security researchers from Lookout say.

In early November 2025, researchers from Google’s Threat Intelligence Group identified a threat actor called UNC6748.

The group targeted Saudi Arabian users by leveraging a fake Snapchat-themed website to take control of users’ vulnerable iPhones. During the infection process, victims were redirected to a legitimate Snapchat website in an attempt to mask the attacker’s activity.

DarkSword was most likely first deployed by a Russian threat actor, which Google dubbed UNC6353. According to the security researchers, DarkSword was also used to infect iPhone users in Ukraine, Malaysia, and Turkey.

Researchers were able to identify three distinct malware families following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These are all dataminers that collect and exfiltrate sensitive information from compromised iPhones.

Google, Lookout, and iVerify strongly recommend that users update their devices to iOS 18.7.6 or iOS 26.3.1. “This will mitigate all vulnerabilities that have been exploited in these attack chains,” the researchers say.

If updating the operating system isn’t an option, then users should enable Lockdown Mode. When an iPhone is in Lockdown Mode, apps, websites, and features will be limited for security reasons, and some features are completely unavailable.

“Ultimately, this feature strips the device OS of a lot of functionality and features that attackers can exploit, so it’s basically about reducing the device’s attack surface. This is not adding advanced new features for detecting or preventing malware and zero-day attacks,” Brian Contos, Chief Security Officer at Phosphorus Cybersecurity, explained to Cybernews.

