A new iOS exploit kit and delivery framework dubbed “DarkSword” has been used to steal a wide range of personal information, including data from cryptocurrency wallet apps.
DarkSword targets iPhones running iOS 18.4 through 18.7 and is linked to multiple actors, including the one that used the Coruna exploit chain disclosed earlier this month.
Researchers at Lookout Threat Labs discovered DarkSword while investigating the infrastructure used for the Coruna attacks. Google’s Threat Intelligence Group and iVerify also collaborated on a more comprehensive analysis of this previously unknown threat and the adversaries leveraging it.
iVerify's findings indicate that all flaws exploited in this chain are known or documented, and that Apple has already addressed them in the latest iOS releases.
The DarkSword exploit kit uses six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
[Image: Loading the right exploit script based on the detected iOS version. Source: Lookout]
Although attribution is unclear, the threat actor behind DarkSword is tracked as UNC6353 and appears to be well funded, with access to multiple unknown and known exploits.
The researchers found signs of large language model (LLM) tools used for extending DarkSword’s functionality, though they note that the malware itself is rather advanced, and not an AI-generated disposable tool.
“This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language,” comments Lookout in the report.