DarkSword, the new malware that affects iPhones and steals data: Apple recommends updating iOS


DarkSword is the name given by a group of cybersecurity researchers to a new malware designed to target iPhones, with the main goal of stealing personal information and, potentially, even cryptocurrencies. The analyses conducted by the experts of Google Threat Intelligence Group and security companies such as Lookout and iVerify indicate that these attacks were observed in Ukraine and may be attributable to a group identified as UNC6353, suspected of operating in line with Russian government interests. Unlike other malicious campaigns, DarkSword stands out for its operational speed: it infects the device, collects data and self-deletes in a very short time. This suggests an approach aimed at rapid acquisition of information rather than continuous surveillance of affected individuals.

The discovery of this toolkit, along with other recently discovered tools (such as Coruna), helps to redefine the perception of iPhone security, or rather, highlights how even highly protected systems can be vulnerable to targeted and sophisticated attacks. In this article we take a closer look at how DarkSword works, what data it can compromise and, above all, what strategies we can adopt to reduce the risk of attack.

How DarkSword malware infects iPhones and steals data

Investigations indicate that DarkSword was distributed through hacked Ukrainian websites. This type of attack is known as a “watering hole”, a technique in which cybercriminals target digital locations frequented by victims instead of directly attacking specific individuals. In this case, those visiting certain sites from within Ukraine could become infected without any obvious interaction.

Once active, DarkSword collects a wide range of information and data: passwords, multimedia content, browsing history and messages from popular applications, such as WhatsApp, Telegram and even simple SMS. A peculiarity of this malware is its short stay on affected devices, a result of the speed with which it executes. According to Lookout researchers, «Darksword’s time spent on your device is likely in the order of minutes, depending on how much data it discovers and exfiltrates».

This characteristic suggests a “hit-and-run” operational model, that is, a rapid and non-persistent attack. Unlike traditional spyware, which remains hidden for long periods and constantly monitors the user, DarkSword appears to be designed for targeted, temporary operations. According to some interpretations, this approach could be sufficient to reconstruct victims’ habits and behaviors, without the need for continuous monitoring.

A peculiar element is the malware’s ability to also access crypto-wallets. This aspect is less typical for groups associated with government-backed malicious activity (in this case that of the Russian government), where the main objective is usually espionage. Experts, however, point out that there is no concrete evidence that the attacks were actually used to steal cryptocurrencies: it is rather a potential functionality.

From a technical point of view, DarkSword was developed with a modular architecture. Put simply, this means that the malicious software is made up of several independent components, which can be easily updated or replaced. Such a structure makes malware more flexible and adaptable, allowing developers to introduce new features without rewriting the entire software code.

The discovery of DarkSword comes just days after the discovery of another toolkit for iPhone, called Coruna, initially developed for government use and later reused by several malicious actors. The presence of similar tools suggests that there is an ecosystem of development and trade of advanced hacking technologies, in which the same solutions can be reused by different parties.

How to protect yourself from malware that threatens iOS

Lookout security experts, regarding the danger of the malware featured in the article, observe:

DarkSword’s use of exploits targeting newer versions of iOS, with some of the respective vulnerabilities patched in 2026, further narrows the gap with current iOS versions and could potentially affect hundreds of millions of devices. This further highlights the importance of updating mobile devices more quickly and replacing older iOS device models in organizations’ mobile fleets.

One of the most important security measures for reducing, as much as possible, the chances of encountering cyber attacks of this type is to update iOS to the latest available version. Another fundamental step is to avoid untrustworthy or unknown sites, especially if they come from links received from strangers via messages or emails. As explained, the attack is in fact propagated via infected websites.