DarkSword, how the Russian malware that affected thousands of iPhones works, stealing data via infected links


DarkSword is the name given by a group of cybersecurity researchers to a new malware designed to target iPhones, with the main objective of stealing personal information and, potentially, even cryptocurrencies. Analysis conducted by experts from the Google Threat Intelligence Group and security firms, such as Lookout and iVerify, indicates that these attacks were observed in Ukraine and could be traced back to a group identified as UNC6353, suspected of operating in line with Russian government interests. Unlike other malicious campaigns, DarkSword stands out for its operational speed: it infects the device, collects data and self-deletes in a very short time. This element suggests an approach aimed at rapid acquisition of information rather than continuous surveillance of affected individuals.

The discovery of this toolkit, together with other recently discovered tools (such as Coruna), helps to reshape the perception of iPhone security: it highlights how even highly protected systems can be vulnerable to targeted and sophisticated attacks. In this article we take a closer look at how DarkSword works, what data it can compromise and, above all, what strategies we can adopt to reduce the risk of attack.

How DarkSword malware infects iPhones and steals data

Investigations indicate that DarkSword was distributed through hacked Ukrainian websites. This type of attack is known as a “watering hole,” a technique in which cybercriminals compromise digital locations frequented by their victims rather than attacking specific individuals directly. In this case, those visiting certain sites from within Ukraine could become infected without any obvious interaction on their part.

Once active, DarkSword collects a wide range of data: passwords, multimedia content, browsing history and messages from popular applications such as WhatsApp and Telegram, and even simple SMS. A peculiarity of this malware is its short stay on affected devices, owing to its speed of execution. According to Lookout researchers: «Darksword’s time spent on your device is likely in the order of minutes, depending on how much data it discovers and exfiltrates».

This characteristic suggests a “hit-and-run” operational model, i.e. a rapid and non-persistent attack. Unlike traditional spyware, which remains hidden for long periods and constantly monitors the user, DarkSword appears to be designed for targeted, temporary operations. According to some interpretations, this approach could be sufficient to reconstruct victims’ habits and behaviors, without the need for continuous monitoring.

A peculiar element is the malware’s ability to also access crypto-wallets. This capability is less typical of state-sponsored groups (in this case linked to Russia), whose main objective is usually espionage. Experts, however, point out that there is no concrete evidence that the attacks were actually used to steal cryptocurrencies: it is rather a potential functionality.

From a technical point of view, DarkSword was developed with a modular architecture. Put simply, this means the malicious software is made up of several independent components, each of which can be easily updated or replaced. Such a structure makes the malware more flexible and adaptable, allowing its developers to introduce new features without rewriting the entire code base.

The discovery of DarkSword comes just days after the discovery of another iPhone toolkit, called Coruna, which was initially developed for government use and later reused by several malicious actors. The presence of similar tools suggests that there is an ecosystem of development and trade of advanced hacking technologies, in which the same solutions can be reused by different parties.

How to protect yourself from malware that threatens iOS

Lookout security experts, commenting on the danger posed by the malware discussed in this article, observe:

DarkSword’s use of exploits targeting newer versions of iOS, with some of the respective vulnerabilities patched in 2026, further narrows the gap with current iOS versions and could potentially affect hundreds of millions of devices. This further highlights the importance of updating mobile devices more quickly and replacing older iOS device models in organizations’ mobile fleets.

One of the most important security measures for reducing, as far as possible, the chances of falling victim to attacks of this type is to update iOS to the latest available version. Another fundamental step is to avoid unreliable or unknown sites, especially when reached through links received from strangers via messages or emails. As explained above, the attack is in fact propagated via infected websites.