Russia-linked hackers use advanced iPhone exploit to target Ukrainians

Summary

A likely Russia-linked group, tracked as UNC6353, has been using a sophisticated iPhone exploit kit called DarkSword to compromise devices belonging to Ukrainian users. According to researchers at Lookout, the malware can infect iPhones with little or no user interaction, extract sensitive data within minutes and then remove itself to erase traces.

Content summary

The DarkSword campaign, active since at least late 2025 and continuing into March 2026, primarily used watering-hole attacks against Ukrainian websites — including a regional news site and a local court site. When a victim visited a compromised page, the exploit chain gained deep access to the device and rapidly exfiltrated emails, messages, photos, credentials and crypto-wallet data. Researchers describe DarkSword as a modular, professionally engineered platform designed for quick “hit-and-run” data grabs rather than long-term surveillance.

Lookout linked the campaign to UNC6353 and noted previous use of the Coruna exploit chain. Google reported variants used to target users in Saudi Arabia, Turkey and Malaysia. The attackers targeted multiple cryptocurrency services and wallets (Coinbase, Binance, Kraken, MetaMask, Ledger), suggesting both espionage and financial motives. Apple patched the exploited vulnerabilities in late 2025.

Key Points

  • DarkSword is a powerful iPhone exploit kit that can compromise devices with minimal user interaction and quickly exfiltrate data.
  • UNC6353 used watering-hole attacks on Ukrainian websites to reach intended targets; victims included a regional news outlet and a court site.
  • The malware follows a “hit-and-run” model: rapid data collection (minutes), then self-deletion to cover tracks.
  • Targets included cryptocurrency platforms and wallets, indicating financial motives alongside espionage.
  • Researchers suspect access to high-end exploits (commercial or state-level), and evidence points to a secondary market for such tools.
  • Apple issued patches for the vulnerabilities in late 2025; applying those updates promptly mitigates this specific campaign.

Context and relevance

This incident is part of a continuing trend where nation-linked actors or those buying advanced tooling use commercialised exploits and watering-hole tactics to reach politically sensitive populations. For anyone responsible for security in Ukraine or handling sensitive communications, it underlines the need for rapid patching, website hygiene for organisations that serve vulnerable communities, and strong crypto-wallet operational security.

Author’s note (punchy): This isn’t your garden-variety spyware — DarkSword reads like a commercial surveillance product repurposed for quick data theft. If you care about secure comms or manage sites used by at-risk groups, treat this as urgent: patch, audit, warn users.

Why should I read this?

Short answer: because it shows how powerful, easily deployed iPhone exploits are being used against real people in a war zone. The write-up explains who was targeted, how the attacks worked, and why the presence of commercial-grade exploits changes the game. If you look after security, wallets or websites used by Ukrainians (or similar communities), this is directly relevant — we saved you the deep read.

Source

Source: https://therecord.media/russia-linked-hackers-use-iphone-exploit-ukraine