A new iOS exploit kit and delivery framework dubbed “DarkSword” has been used to steal a wide range of personal information, including data from cryptocurrency wallet apps.
DarkSword targets iPhones running iOS 18.4 through 18.7 and is linked to multiple actors, including UNC6353, suspected to be Russian, who used the Coruna exploit chain disclosed earlier this month.
Researchers at mobile security company Lookout discovered DarkSword while investigating the infrastructure used for the Coruna attacks. Google’s Threat Intelligence Group and iVerify also collaborated for a more comprehensive analysis of this previously unknown threat and the adversaries leveraging it.
iVerify's findings indicate that all flaws (sandbox escape, privilege escalation, remote code execution) used in this exploit chain are known or documented, and Apple has already addressed them in the latest iOS releases.
The DarkSword exploit kit uses six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
Figure: Loading the right exploit script based on the detected iOS version (Source: Lookout)
DarkSword attacks
In a report today, Google Threat Intelligence Group (GTIG) says that DarkSword has been used since at least November 2025 by several threat actors, who deployed three separate malware families:
GHOSTBLADE, a dataminer in JavaScript that steals a swath of information, including crypto wallet data, system and connectivity info, browser history, photos, location and mobility, communication data from iMessage, Telegram, WhatsApp, email, calls, and contacts