This new DarkSword iOS exploit can steal almost everything from your iPhone – here's what we know

20 hours ago 2

Researchers uncover DarkSword malware framework targeting iPhones
Exploits six high-severity flaws in iOS 18.4–18.7, now patched
Used by spyware vendors and state-backed groups with variants like GhostSaber and GhostKnife

Security researchers uncovered a new malware framework called DarkSword, capable of stealing plenty of sensitive data from iPhone users.

Earlier this week a number of security vendors, including Google, sounded the alarm on DarkSword, saying it leverages at least six vulnerabilities, and is being actively used by multiple commercial spyware makers, as well as state-sponsored hackers, in in-the-wild attacks.

Some of these flaws are zero-days, meaning they were being exploited before Apple, or anyone else in the cybersecurity community, knew about them. They affect iOS versions 18.4 to 18.7 and all were, since then, patched. So, make sure you’ve updated your iPhone to the latest version.

Article continues below

Commercial malware abuse

The vulnerabilities being abused are as follows:

CVE-2025-31277 (8.8/10 - high)
CVE-2025-43529 (8.8/10 - high)
CVE-2026-20700 (7.8/10 - high)
CVE-2025-14174 (8.8/10 - high)
CVE-2025-43510 (7.8/10 - high)
CVE-2025-43520 (7.1/10 - high)

Google, as well as other security outfits including Lookout and iVerify, are saying DarkSword is in active use since at least November 2025, by multiple commercial malware vendors, as well as state-sponsored groups. For example, Google says a Turkish company called PARS Defense was using it to target both Turkish and Malaysian victims.

The company also mentions UNC6353, allegedly a Russian state-sponsored actor, using DarkSword against Ukrainian targets. Finally, there is a group tracked as UNC6748 that has been using a Snapchat-themed website to target people in Saudi Arabia.

The framework itself doesn’t include malware, though. Each group has been using a different variant in their attacks, it was said, with PARS using GhostSaber to enumerate accounts, list files, exfiltrate data, and run JavaScript remotely.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

UNC6748, on the other hand, is using GhostKnife, a JavaScript-based backdoor capable of stealing data such as signed-in accounts, messages, browser data, location history, and recordings.

Via The Register

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read Entire Article