iOS Exploit Chain Used by Hackers in Infostealer Attacks Since November 2025

March 24, 2026


A highly active threat actor is making use of a new infostealer called DarkSword that incorporates zero-day vulnerabilities. The malware is an iOS exploit chain that is initiated simply by visiting an attack page with Safari.

All iPhone users should ensure that they are receiving security updates and are on the most recent version of the OS possible, due to a seemingly highly active threat actor making use of a new infostealer called “DarkSword” that incorporates zero-day vulnerabilities. The malware is an iOS exploit chain that is initiated simply by visiting an attack page with Safari.

Devices are fully compromised by the infostealer, but it seems to have a particular focus on penetrating crypto wallets and exchange accounts. The main group using the iOS exploit in the wild appears to be based in Russia, but it is unclear if or to what level they have connections to the government. The group has been very active in deploying it in Ukraine, compromising popular legitimate websites via other means and turning seemingly normal pages into attack points that are essentially zero-click once the victim opens the page in their browser.

Unusual infostealer mixes espionage appeal with crypto theft

DarkSword is a curious case, an infostealer that appears to have been designed for the private criminal market but may now have been taken up by state-backed actors. The malware is designed for stealth, exfiltrating information to a command-and-control server and completely removing itself from the target device immediately upon compromise, whereas spies generally want something that allows for easier access during very long-term windows of persistence. The code is also annotated with detailed notes in English, implying it was created to be sold to assorted buyers who may not be all that technically capable.

The group of note using it right now is UNC6353, a group believed to be Russian in origin and with a heavy focus on targeting Ukraine. However, it is not clear if it has any real ties to Russian intelligence. These could very well just be privateers of a sort, taking advantage of Russian government permissiveness toward targets in Ukraine during the invasion. But the group has a long history of initiating various iOS exploit chains via compromised websites in “watering hole” attacks.

In the past, iOS exploits were closely guarded. The whole situation with UNC6353 indicates that they may now be seen as common enough that they do not have to be hoarded by state-backed actors. This is not good news for the general public, which previously enjoyed some enhanced level of security simply by investing in an Apple phone.

Are iOS exploits becoming more common?

iOS exploits do still seem to be relatively difficult for criminals to come up with; for example, both DarkSword and some of its immediate predecessors only impact specific iOS versions, with this infostealer only targeting a version range released over several months of 2025. However, the fact that underground spyware brokers now seem to be openly dealing in them, and that they are being used for relatively petty cyber crime, is troubling. That would indicate that the advanced nation-state actors that would usually snap them up no longer feel they are worth hoarding, possibly due to increased confidence in their ability to routinely compromise the OS.

DarkSword specifically impacts iOS 18.4 to 18.6.2. These were released in 2025, just ahead of Apple moving to the “26” year-based designation that is presently in place. Certain older devices cannot move beyond iOS 18, but Apple says that it has issued emergency patches for these already. Those stuck with iOS 18 should also be able to update to version 18.7 to be sure that they are safe.