Researchers at Google Threat Intelligence Group (GTIG), Lookout, and iVerify have jointly disclosed a previously unknown iOS exploit kit called DarkSword, active since at least November 2025.

DarkSword exploits six iOS vulnerabilities — three of which were zero-days at the time of deployment — to fully compromise iPhones running iOS 18.4 through 18.7. After successful exploitation, it deploys three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER, each designed for different data exfiltration goals.

GHOSTBLADE is the most aggressive payload. Written in JavaScript, it directly targets cryptocurrency wallet apps alongside iMessage, Telegram, WhatsApp, browser history, photos, and location data. Lookout describes DarkSword's approach as "hit-and-run": all targeted data is collected and exfiltrated within seconds to minutes, then traces are cleaned up.

Multiple threat actors have used DarkSword in separate campaigns. GTIG linked one campaign to UNC6353, a suspected Russian espionage group previously tied to the Coruna iOS exploit kit — also disclosed in March. Targets have included users in Ukraine, Saudi Arabia, Turkey, and Malaysia.

DarkSword is the second iOS full-chain exploit kit disclosed within a single month. Both DarkSword and Coruna appear to originate from commercial surveillance vendors, but they are increasingly reaching financially motivated actors, who are using them to steal crypto credentials.

What This Means for Crypto Users

DarkSword explicitly targets a broad list of crypto wallet apps. Apple has patched all six CVEs in recent iOS releases. Any iPhone running iOS 18.4 through 18.7 that has not been updated should be treated as a potential target. Google recommends updating to the latest iOS release immediately; if an update is not possible, enabling Lockdown Mode provides additional protection.