A sophisticated hacking campaign linked to the Russian government has been identified targeting iPhone users in Ukraine. Cybersecurity researchers have uncovered a powerful new exploit kit, dubbed Darksword, designed to infiltrate devices, exfiltrate sensitive personal data, and potentially siphon cryptocurrency.
The Discovery of Darksword
The campaign, orchestrated by a threat actor tracked as UNC6353, was analyzed by researchers from Google, iVerify, and Lookout. The attackers used compromised websites to deliver the toolkit, which the researchers say is linked to earlier state-sponsored espionage operations.
Unlike traditional, long-term surveillance spyware, Darksword is built for “smash-and-grab” operations. Its primary objective is to infect a device, rapidly harvest data—including passwords, photos, browser history, and messages from apps like WhatsApp and Telegram—and then vanish. Lookout researchers estimate the malware’s dwell time on a device is often limited to mere minutes.
A Pattern of State-Sponsored Espionage
This discovery follows the recent exposure of another iPhone-hacking toolkit, Coruna. Originally developed by the U.S. defense contractor L3Harris, Coruna was intended for Western intelligence agencies before eventually falling into the hands of Russian spies and Chinese cybercriminals. The emergence of Darksword suggests that advanced, modular, and highly stealthy iOS exploits are becoming more accessible to state-aligned groups.
Financial Motives and Intelligence Gathering
One of the most unusual features of Darksword is its capability to target cryptocurrency wallets. While this points toward potential financial motivation, security experts remain divided on the primary intent. “This may indicate that this threat actor is financially motivated, or alternatively, that Russian state-aligned activity has expanded into financial theft,” Lookout noted in its technical report.
Rocky Cole, co-founder of iVerify, suggests the hackers may be operating as a Russian criminal proxy. By combining espionage with financial theft, the group serves the dual goals of gathering intelligence and generating illicit revenue. The campaign was not narrowly targeted at specific individuals; instead, it functioned as a “drive-by” attack, infecting any user who visited certain Ukrainian websites from within the country.
Advanced Modular Architecture
The malware’s professional, modular design allows new features to be integrated quickly, indicating that it was developed by highly skilled operators. Experts believe the same entity responsible for distributing the Coruna toolkit may also be behind the Darksword campaign. Current intelligence indicates that UNC6353 is a well-funded group operating in alignment with Russian intelligence requirements and poses a persistent threat to mobile security in the region.
