
Russia-linked hackers use advanced iPhone exploit to target Ukrainians

A likely Russia-linked threat actor deployed a sophisticated iPhone hacking tool to target Ukrainian users and steal sensitive data, according to research published on Wednesday.

The malware, dubbed DarkSword, allows attackers to break into iPhones with little to no user interaction, extract sensitive data within minutes, and then erase traces of the intrusion, researchers at cybersecurity firm Lookout said.

They attributed the activity to a threat actor tracked as UNC6353. Little is known about the group’s infrastructure or broader affiliations, but it has previously targeted victims in Ukraine using the Coruna exploit chain.

The DarkSword campaign has been active since at least late 2025 and continued through March, primarily targeting visitors to compromised Ukrainian websites in so-called “watering hole” attacks, where hackers infect sites frequented by their intended victims.

Among the affected sites were a regional news outlet covering the war and a local court’s website. Researchers also identified a possible infection at a Ukrainian food processing company in February.

Once a victim visits an infected page, the attack is triggered automatically, allowing hackers to gain deep access to the device and retrieve emails, messages, photos, credentials and data from cryptocurrency wallets.

Unlike traditional spyware campaigns designed for long-term surveillance, DarkSword appears to operate on a “hit-and-run” model, according to Lookout. It rapidly collects and exfiltrates data, often within minutes, before deleting itself from the device.

“This malware is highly sophisticated and appears to be a professionally designed platform,” researchers said, noting that it was built to support modular development and long-term use.

The latest UNC6353 campaign combines espionage with financial motives, targeting a wide range of cryptocurrency platforms, including Coinbase, Binance and Kraken, as well as popular wallets such as MetaMask and Ledger.

Given the malware’s capabilities, researchers said the hackers may have access to high-end exploit tools typically associated with government clients or commercial surveillance vendors.

“The discoveries of DarkSword and previously Coruna suggest a secondary market for advanced exploits,” Lookout said, one that allows actors with fewer resources to acquire and deploy sophisticated capabilities.

Despite the advanced tooling, the attackers themselves may not be highly sophisticated. Analysts noted limited efforts to conceal parts of the operation and suggested the group may rely on purchased exploits and even artificial intelligence to develop additional malware components.

According to a report by Google on Wednesday, DarkSword was deployed by various threat actors to target users in Saudi Arabia, Turkey and Malaysia.

Apple patched the vulnerabilities exploited in these attacks in late 2025 after they were disclosed, researchers said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.