Second iOS Exploit Kit Now in Use by Suspected Russian Hackers

CyberScoop, Mar 18, 2026

Why It Matters

DarkSword expands the attack surface of billions of iPhone users, blending financial theft and espionage while demonstrating how AI‑assisted tools accelerate state‑sponsored mobile threats.

Key Takeaways

  • DarkSword could affect up to 270 million iPhones
  • Targets iOS 18 and earlier via WebKit/WebGPU exploits
  • Capable of stealing passwords, crypto wallets, messages
  • Uses AI‑generated code, easing exploit development
  • Signals growing market for iOS exploit kits

Pulse Analysis

The emergence of DarkSword marks the second large‑scale iOS exploit kit uncovered in weeks, underscoring a rapid migration of sophisticated threat campaigns from traditional desktops to smartphones. Researchers estimate that as many as 270 million iPhone users—roughly 15 % of the global iOS base still running version 18 or earlier—could be exposed. By compromising Apple’s WebKit engine and leveraging WebGPU as a pivot, the kit can bypass the mobile sandbox, giving attackers a foothold on devices that now carry the bulk of internet traffic.

DarkSword’s codebase reveals a striking blend of advanced vulnerability chaining and low‑effort development practices. The server‑side component bears hallmarks of large‑language‑model generated scripts, complete with explanatory comments, suggesting that AI tools are lowering the entry barrier for state‑backed actors. Once inside, the exploit can exfiltrate saved passwords, cryptocurrency wallet keys, text messages and other sensitive data. This dual capability—financial theft and surveillance—mirrors earlier Russian operations such as the Coruna kit, but adds a “Swiss‑army‑knife” versatility that could appeal to commercial spyware vendors.

For enterprises and high‑net‑worth individuals, the fallout is immediate. Stolen crypto assets and compromised credentials can fund ongoing Russian operations or be sold on underground markets, while persistent access enables long‑term intelligence gathering on targets in Ukraine, Saudi Arabia, Turkey and beyond. Apple has already issued patches in iOS 26.3, and the coordinated disclosure with Google and security firms demonstrates a growing industry response. Nonetheless, the presence of a secondary exploit market means organizations must accelerate patch management, adopt zero‑trust mobile strategies, and monitor for anomalous WebKit activity.
