A dangerous new iOS exploit discovered by Lookout Threat Labs is actively being used by both Chinese and Russian threat actors, who are successfully deploying infostealer malware that can fully access the contents of a target device.
Based on heavy targeting of crypto wallets, the researchers believe the threat actors are financially motivated. However, that does not rule out the possibility of state-sponsored groups; some privately contracted Chinese APT groups have been observed engaging in financial crimes as a sideline, as well as at least one similar criminal group in Russia believed to have ties to government intelligence services.
New iOS exploit found to compromise versions 18.4 to 18.6.2
“DarkSword” packs both a complete iOS exploit chain and infostealer into one package. The chain initiates when Safari opens a malicious webpage with a hidden iframe that springs the malware from the WebContent sandbox. It then works its way into deploying a number of custom payloads designed to tap into various vital and privileged iOS services, capturing stored data and keystrokes before completely covering its tracks with an exfiltration payload.
The researchers have observed the infostealer successfully compromising iOS versions between iOS 18.4 and 18.6.2. iOS 18 was the last version before Apple switched to the current year-based numbering scheme, with these particular versions being current from March 31 to early September of 2025. Both iOS 18.7 and the iOS 26 releases appear to have patched something in the kill chain that breaks it.
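As an added example (not code from the article or from Lookout), the following script triages a mobile-device inventory against the version ranges described above: 18.4 through 18.6.2 observed compromised, 18.7 and iOS 26 patched, and 17.4.1 and 17.5.1 named as targets of an earlier chain. The inventory and device identifiers are constructed; "outside-observed-range" only means the version is not in the ranges the report names, not that it is safe.

```python
# Added example: triage iOS versions against the ranges the Lookout report
# describes. Sample inventory below is constructed, not real fleet data.
from typing import Dict, Iterable, Tuple

def parse_version(v: str) -> Tuple[int, int, int]:
    """'18.6.2' -> (18, 6, 2); '18.4' -> (18, 4, 0). Raises on junk."""
    parts = v.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version string: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

# Ranges taken from the report as summarised in the article.
OBSERVED_LOW = parse_version("18.4")
OBSERVED_HIGH = parse_version("18.6.2")
FIRST_PATCHED = parse_version("18.7")          # 18.7 and iOS 26 break the chain
PRIOR_CHAIN_TARGETS = {parse_version("17.4.1"), parse_version("17.5.1")}

def classify(version: str) -> str:
    """Classify one version string; tuple comparison handles 18.6.2 < 18.7 correctly."""
    v = parse_version(version)
    if OBSERVED_LOW <= v <= OBSERVED_HIGH:
        return "observed-vulnerable"
    if v in PRIOR_CHAIN_TARGETS:
        return "prior-chain-targeted"
    if v >= FIRST_PATCHED:
        return "patched"
    return "outside-observed-range"

def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """inventory: (device_id, version) pairs -> {device_id: classification}.
    Unparseable strings are reported rather than silently skipped."""
    report: Dict[str, str] = {}
    for device_id, version in inventory:
        try:
            report[device_id] = classify(version)
        except ValueError:
            report[device_id] = "unparseable"
    return report

# Constructed sample inventory (device ids and versions are made up).
SAMPLE_INVENTORY = [
    ("phone-001", "18.6.2"),
    ("phone-002", "18.7"),
    ("phone-003", "26.0.1"),
    ("phone-004", "18.3.2"),
    ("phone-005", "17.5.1"),
    ("phone-006", "n/a"),
]

if __name__ == "__main__":
    for device, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {verdict}")
```

Devices reported as "observed-vulnerable" are the ones to push the emergency update to first; "unparseable" entries usually mean the MDM record is stale and the device should be re-enrolled or checked by hand.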
The report indicates that both Chinese and Russian threat actors have been tied to the iOS exploit due to the infrastructure that the infostealer uses, but they have particularly detailed information on a Russian group that Google threat researchers have previously identified as “UNC6353.” This group has been tied to attacks on targets in Ukraine dating back to 2025, and has previously used the same approach of using malicious web pages to initiate iOS exploit chains. The group very likely engages in espionage and thus has state ties, but has also shown signs of cybercrime and for-profit hacking and may have purchased the zero-days it uses in iOS exploit chains from some sort of underground vendor that is also providing them to the Chinese groups and others.
Once it is running on a device, the infostealer seeks out login information for cryptocurrency wallets, emails, photos, and an assortment of other authentication information and files, which are passed along to a command-and-control server before all evidence of the malware’s presence is wiped. The researchers say that the infostealer is highly sophisticated, built with long-term development and extensibility in mind; there is evidence in the code of prior versions using an altered iOS exploit chain to target versions 17.4.1 and 17.5.1. The presence of certain clues in the code also points to an LLM being used to assist with development.
Steve Cobb, Chief Information Security Officer at SecurityScorecard, believes this is likely the beginning of a trend in targeting of mobile devices: “This exploit is a strong signal that mobile threats are no longer operating on the fringes. What stands out with DarkSword is how it is being embedded into a broader infostealer operation designed for quiet, sustained access. Attackers are clearly prioritizing stealth over noise, finding ways to operate within trusted mobile ecosystems while avoiding the kinds of behaviors that typically trigger detection. It’s a reminder that mobile devices are becoming a primary entry point for sensitive data exfiltration, especially as more business-critical workflows consolidate onto a single device that is rarely monitored with the same rigor as a traditional endpoint.”
“What makes this particularly challenging is how quickly a mobile compromise can translate into broader enterprise access. Once attackers gain access to credentials or corporate data on a device, they are no longer limited to that phone. They can move into SaaS platforms, cloud environments, and partner systems without needing to exploit additional vulnerabilities. This creates a situation where the initial compromise is small and difficult to detect, but the impact expands rapidly across interconnected systems,” added Cobb. “For security leaders, this reinforces the need to rethink how mobile risk is incorporated into overall cyber defense strategies. As organizations continue to expand their digital ecosystems, mobile will increasingly serve as both a productivity hub and a potential attack vector. Without continuous visibility across those connections, these types of threats will continue to exploit the blind spots between endpoint, identity, and supply chain security.”
Profit motive likely the infostealer’s central focus
While most of the data the malware collects is the same material state-backed espionage groups gather with infostealer malware, the specific focus on crypto wallets indicates at least an original design with cybercrime in mind. DarkSword is kitted out to automatically target credentials for dozens of popular crypto exchanges and wallet brands, something that spies will usually avoid to reduce noise and improve long-term detection evasion. The group has made little effort to obfuscate the functions of the code itself, and the researchers believe the developers may have lacked the experience to add elements on their own and relied on LLM assistance.
UNC6353 has focused on initiating its iOS exploit chains, including DarkSword, by compromising websites in Ukraine and targeting users in that nation. The researchers are not clear on how these initial website compromises are taking place. Once a website is compromised, however, the resulting “watering hole” attack is essentially a zero-click iOS exploit: the victim is ensnared simply by loading the tainted page in Safari.
Another unusual characteristic of this campaign is the fact that apparently highly valuable iOS exploits are being used with a focus on crypto theft. Apple exploits of this severity are relatively few and far between, and are usually either discovered by or hoarded by national governments or the spyware firms that supply them for long-term espionage purposes. It is somewhat unusual to see highly valuable iOS exploit chains being used to blast away noisily at broad-scale crypto theft by what may well be private actors.
The relative sloppiness of the threat actor also means that other hackers can pick up the DarkSword infostealer from the tainted sites and use it for themselves. However, Apple has said that it has issued emergency patches for older devices that are stuck on iOS 18 and cannot upgrade to iOS 26. The prior Coruna malware used by these same threat actors impacts iOS versions 13 to 17, but Apple has similarly issued emergency patches for those.
While Apple has addressed these issues ahead of the paper’s publication, Brian Bell (CEO of FusionAuth), notes that the key to preventing future compromises of this nature is internal authentication: “When a device can be silently compromised when visiting a website, perimeter-based and device-based security collapse. That’s not a future risk, it’s the current reality for anyone with a mobile user base. The right response isn’t to wait for your users to patch. It’s to build authentication that assumes the device is already compromised. Short-lived tokens, step-up authentication before sensitive actions, forced re-authentication when signals change. Design for the breach, not against it. And here’s the piece that most teams miss: most authentication platforms are SaaS; your token policies, session controls, and audit logs live in someone else’s cloud, under someone else’s access controls. But when authentication runs inside your own infrastructure, isolated from external dependencies, a compromised device doesn’t cascade into a compromised system. Identity is your last defense, so make sure you own it.”
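As an added example (not code from the article or from FusionAuth), the following server-side session policy implements the three controls Bell lists: short-lived tokens, step-up authentication before sensitive actions, and forced re-authentication when signals change. The signals bound at login (a device fingerprint and the client's network ASN), the action names and every threshold are assumptions chosen for illustration; the walkthrough data is constructed.

```python
# Added example: a minimal "assume the device is compromised" session policy.
# Signal names, action names and thresholds are assumptions, not from the article.
from dataclasses import dataclass
from typing import List, Optional

ACCESS_TOKEN_TTL_S = 300       # assumed: access tokens live 5 minutes
STEP_UP_FRESHNESS_S = 120      # assumed: a second-factor check is good for 2 minutes
SENSITIVE_ACTIONS = {"transfer_funds", "export_wallet", "change_password"}

@dataclass
class Session:
    user: str
    device_fingerprint: str            # assumed signal bound at login
    network_asn: str                   # assumed signal bound at login
    issued_at: float                   # epoch seconds the access token was minted
    step_up_at: Optional[float] = None # last successful second-factor verification

@dataclass
class Request:
    action: str
    device_fingerprint: str
    network_asn: str
    now: float

def decide(session: Session, req: Request) -> str:
    """Return 'allow', 'step_up' or 'reauthenticate' for one request."""
    # 1. Signals changed since login: a token presented from a different device
    #    or network is treated as untrusted and a full login is required.
    if (req.device_fingerprint != session.device_fingerprint
            or req.network_asn != session.network_asn):
        return "reauthenticate"
    # 2. Short-lived token: once past its TTL it is useless to whoever holds it.
    if req.now - session.issued_at > ACCESS_TOKEN_TTL_S:
        return "reauthenticate"
    # 3. Sensitive actions need a recent second-factor proof, independent of the token.
    if req.action in SENSITIVE_ACTIONS:
        fresh = (session.step_up_at is not None
                 and req.now - session.step_up_at <= STEP_UP_FRESHNESS_S)
        if not fresh:
            return "step_up"
    return "allow"

def run_scenarios() -> List[str]:
    """Constructed walkthrough: one session, five requests, in order."""
    s = Session("alice", device_fingerprint="dev-A", network_asn="AS64500", issued_at=1000.0)
    out: List[str] = []
    out.append(decide(s, Request("view_balance", "dev-A", "AS64500", now=1010.0)))    # allow
    out.append(decide(s, Request("transfer_funds", "dev-A", "AS64500", now=1020.0)))  # step_up
    s.step_up_at = 1050.0  # user completed the second factor
    out.append(decide(s, Request("transfer_funds", "dev-A", "AS64500", now=1060.0)))  # allow
    out.append(decide(s, Request("view_balance", "dev-A", "AS64501", now=1070.0)))    # reauthenticate: network changed
    out.append(decide(s, Request("view_balance", "dev-A", "AS64500", now=1400.0)))    # reauthenticate: token expired
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

The policy limits what a stolen token is worth: a credential lifted from a phone buys at most a few minutes of non-sensitive access, and any attempt to spend it from another network or on a wallet operation triggers a fresh challenge that the holder of the bare token cannot answer.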