CyberWire Daily - Double-edged threat. [Research Saturday]

Episode Date: May 2, 2026

Today we are joined by Justin Albrecht, Principal Researcher at Lookout, discussing "Attackers Wielding DarkSword Threaten iOS Users." DarkSword is a highly sophisticated iOS exploit chain discovered by Lookout that targets iPhones (iOS 18.4–18.6.2), enabling near zero-click compromise and rapid theft of sensitive data, including credentials and cryptocurrency wallet information. Likely deployed by a Russia-linked threat actor (UNC6353) against Ukrainian users, it uses watering hole attacks on compromised websites and operates in a “hit-and-run” fashion, exfiltrating data within minutes before wiping traces. The campaign highlights a growing secondary market for advanced exploits, allowing financially motivated groups to access powerful tools once reserved for state actors, significantly expanding the mobile threat landscape. The research and executive brief can be found here: Attackers Wielding DarkSword Threaten iOS Users

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Today's sponsor, Rapid7, has an irresistible invitation for you CISOs and security practitioners out there. A free two-day virtual summit; the subject, preemptive security. Join the Global Cybersecurity Summit on May 12th and 13th from wherever you like. A-list speakers will show you how organizations are disrupting attacks before they can blow towards your day. You'll see how exposure management, MDR, and AI together let you make the decisive move. Registration is open at rapid7.brighttalk.com. Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
Starting point is 00:01:07 tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So basically, Google released the report on something called Karuna. And Karuna is an iOS exploit chain. Actually, it's multiple iOS exploit chains consisting of 23 different vulnerabilities that were used in watering hole attacks to target various entities. That's Justin Albrecht, principal researcher at Lookout. The research we're discussing today is titled "Attackers Wielding DarkSword Threaten iOS Users." And some of those attacks were conducted by a Russian threat actor. This Russian threat actor is called UNC6353. So when Google
Starting point is 00:02:12 investigated this, they ended up putting out their blog, I think it was about a month ago now, on their findings. And of course, you know, this is targeting iOS. It's targeting mobile, so we're definitely interested in that. And I wanted to go and look at it to see if I could figure out who UNC6353 is, and to see if we could find any of the exploits, find anything else interesting about it. It was really some standard threat hunting. But as I dug into it, essentially, using a couple of techniques, I found another exploit delivery server, very similar to the one
Starting point is 00:02:52 that UNC6353 used that was referenced in Google's blog. And when I was investigating that, I noticed that they had links between this exploit server and a couple of compromised Ukrainian websites. These are legitimate websites. In fact, Karuna, I think, was linked to about 50 websites that I could find that had been compromised. And essentially what they do is they put an iframe.
Starting point is 00:03:21 They compromised the website, put an iframe in the website, so that when an iOS user visits the website, and they have the appropriate OS version, it automatically hacks their phone. It basically functions like a zero-click attack. So when I was looking into this, I thought that I had found another delivery server for Karuna, but when I started to look at the code that was on these compromised websites,
Starting point is 00:03:50 I noticed that the delivery, in this case it was JavaScript, had specific mentions in the code that it was targeting 18.4 and 18.6 versions of iOS. And these versions weren't targeted in Karuna. So from there, basically I knew that I had something new, novel, so I started digging into it, and that's how we found DarkSword. Well, I mean, let's dig into some of the details here. Once DarkSword lands on a device, what level of access does it have? Essentially, all access.
Starting point is 00:04:30 It becomes, it gains root-level access to the iOS device, similar to a jailbreak, really, where it breaks past the sandbox for all applications. And from there, it's able to pull all relevant data off of the device, for both espionage and also for financial gains. So basically, you know, it can pull your contacts. It pulls your browser history, your photos, your messages. It pulls the secure databases for some encrypted chats like Telegram, for example, WhatsApp. It pulls cryptocurrency applications, the profiles associated with those, seed phrases.
Starting point is 00:05:16 And it does all of this within a couple of minutes. Basically, the version of DarkSword that we were looking at infects the device with no clicks. It does everything it needs to do on the device to break through all the barriers, and then it extracts all the data, probably within five minutes maximum, and then it deletes itself from the device.
Starting point is 00:05:36 Wow, kind of a worst-case scenario here, isn't it? Yeah, yeah, scary stuff. Yeah, well, help me understand the zero-click aspect of this. I mean, what's going on in iOS that this sort of thing is possible? So, you know, zero-click attacks aren't anything new.
Starting point is 00:05:56 DarkSword is technically a one-click attack because it does require some kind of interaction with a domain, right? Because typically this is all delivered in JavaScript, which is really unusual for this type of malware. And they basically put the JavaScript on these websites, right? But you could also send it in a phishing link or something similar. So it's technically a one-click. However, if it's on a website that you're already going to visit, then do you consider that a one-click or a zero-click? I think in that case it's kind of a zero-click
Starting point is 00:06:30 because you're already going there doing your normal day-to-day routine. Now, what's happening on the device here is most of these exploit chains, they first target the browser. So you might have heard, like, Predator, Pegasus, the zero-click attacks that occurred with those. A lot of those were delivered through like iMessage or WhatsApp, and they were using some kind of obscure bug that was in one of those platforms in order to get access to the device in a zero-click attack.
Starting point is 00:07:05 In this case, this is similar to a lot of other attacks that we see, where first they attack the browser. So basically, they have to get past what's called WebKit, which is kind of like iOS's version of serving up browser material. Basically, all browsers on iOS have to use WebKit. Now, WebKit's been very hardened by Apple in the past few years because it's been so targeted. So in this case, the exploit first targets WebKit,
Starting point is 00:07:38 but then it almost immediately shifts to something called WebGPU, which is a processor, essentially, that's processing all the data that the browser's looking at. And that hasn't been hardened as much. So that's where they do the sandbox escape. And that's basically how they bypass the restrictions that are around the application, or in this case, the exploit. Now, you mentioned that they operate quickly and they don't stay on the device very long.
Starting point is 00:08:10 This kind of grab-and-go approach seems significant to me and perhaps a little unusual? It's unusual. It's not what we usually see for espionage, I'll say, or for top-tier iOS malware. There is some iOS malware that doesn't leave an implant in any kind of storage. Like it might run entirely in memory. Like we've seen that before with different iOS malware,
Starting point is 00:08:39 but typically it does stay on device. It might not survive a reboot, but it does stay on device. In this case, to see the smash-and-grab approach is very unusual for iOS malware. In fact, I think it's the first time
Starting point is 00:08:53 that I've seen it. There are, now, I will say there were recorded three different campaigns using DarkSword. The one that we identified was this one by the Russian threat actors,
Starting point is 00:09:07 but there were two other ones, and in those two other attacks, they did leave behind implants. So in those cases, they were looking at doing kind of prolonged espionage against targets. Now, in the case where they don't leave anything behind, is there any trace to be found if someone suspects that their device may have been compromised? Is there any way to determine that?
Starting point is 00:09:32 Yeah, there are some traces that are left behind. They do do a good job of cleaning up a lot of the artifacts that would typically be left behind. And the way that the malware is designed, it kind of piggybacks off of legitimate processes that are within iOS, which makes it very difficult to track and to find. Now, as a user, without any third-party tools, this would be completely invisible to you. And there'd really be no good way to find it.
Starting point is 00:10:05 Now, there are really, like, mobile EDR tools that will detect some of this. And then now Apple has released patches that will patch pretty much all susceptible devices to DarkSword. It will patch those specific vulnerabilities that DarkSword was taking advantage of, but those victims basically have to update their devices to the latest OS version
Starting point is 00:10:28 or to the security update for the version they're running, like iOS 18, for example, they'd have to update to iOS 18.7.7. Well, and after your disclosure, Apple responded fairly quickly, right? Yeah. Yeah, they did. And, you know, it's an interesting move.
Starting point is 00:10:49 I think it's a very solid move on their part. I also want to point out, like, how unusual these attacks were because they came back to back, right? Like DarkSword and Karuna happened within the span of a month, at least the reporting on them. And after that, we saw some kind of unprecedented activity from Apple. They backported multiple security patches to cover Karuna and DarkSword for older OSs, and typically they'd want those users to update to the latest OS if they could. They warned the users who had susceptible versions of the OS,
Starting point is 00:11:25 like they sent alerts to their device that they could be compromised and that they should update, and they also put out specific guidance on web-based attacks. And then when they put out these notifications that they were backporting the updates, they also mentioned DarkSword. And typically Apple doesn't talk about malware at all, right? It's a bit of a dirty word there.
Starting point is 00:11:48 So these were really unprecedented moves, and I think it speaks to kind of the scale of the threat this time, you know, that we had these two different exploit kits, very advanced, that ended up in the wrong hands. In one case, well, in both cases, ended up completely public, really, where, and especially with DarkSword, it's so easy to reuse. It has all of the instructions within the code itself.
Starting point is 00:12:15 I think it was a situation that they really had to do something about, and they did. And you're satisfied that the solutions that they've put out there are up to the task? For the current threat, yes. I think that's the real, I guess, linchpin in this whole thing is, we focus on the specific exploits, the specific vulnerabilities, the specific malware. But for me, there's very much a larger story behind all of this, which is how did these exploits that are developed by top-tier exploit development shops? In one case, in the U.S., Karuna was most likely developed by L3Harris.
Starting point is 00:13:02 For DarkSword, it's unknown who developed them, but they do look like they're probably Western-developed exploits. So these exploits made a journey, essentially, across the world to a shady exploit broker who sold them on to criminals and to spy groups who are opposed to the U.S., where the exploits probably came from. And that really speaks to evidence of a secondhand exploit market for mobile devices at a minimum and probably for more exploits as well. If you've ever heard of Operation Zero, for example, the Russian exploit broker, you know, that's likely how UNC6353 got the Karuna exploits, based on a lot of public reporting that's gone into it. And I wouldn't be surprised if that's also how they got the DarkSword exploits. So this market's thriving. And what's the lesson behind that? The lesson is that, you know, there's proliferation of this tooling that's developed in the West.
Starting point is 00:14:04 These are very high-end, top-tier exploits that cost millions of dollars to develop and are being sold probably for the second time, maybe even the third time, to different brokers. So it's kind of an unregulated market, and these things are getting into the wrong hands. And for me, that's the bigger story, because just because they patch today, you can't patch a user, you can't patch a zero-day before it's discovered, and it's likely that there are more out there. We'll be right back.
Starting point is 00:14:48 When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold.
Starting point is 00:15:48 With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments.
Starting point is 00:16:30 Schedule your demo at threatlocker.com/N2K today. So, just so I'm clear here, like, is the notion that, as you say, these are developed for high-level organizations, high-level customers, presumably for targeted espionage. And so your average user probably wouldn't be targeted by this, wouldn't know that something like this exists. And because it's so targeted, it could fly under the radar for a long time until it reaches that secondary market where it gets broader visibility. Exactly. And also it's targeted in a different way at that point. Like if we consider, let's take a case like Pegasus, right? Yeah. Pegasus, developed by NSO Group, sold to governments, presumably law enforcement agencies and intelligence agencies, who then either misuse it or use it for quote unquote appropriate national security purposes.
Starting point is 00:17:47 That's what these tools are designed for, really, in the end, right? They're designed to do law enforcement. They're designed to help track terrorists. They're abused in many cases to track civil society and to track innocent victims, but that depends in many cases on what the government's doing with it. Now, those have regulations around them at the end of the day. Like, they have dual-use customs
Starting point is 00:18:15 rules that are around the sale of such tooling. You know, there's the European Commission. It tries to put the kibosh on them being able to sell certain parts of the tooling within the EU. They're trying to regulate it. There's sanctions. Like, there's a lot of stuff going on with that market. For entities that exist outside of that rule of law, for example, like, how concerned is Russia with international law? Right. You know, or maybe China in some cases, right? Like there's a whole other market here that hasn't really been well explored, these commercial surveillance vendors or exploit brokers. And the people who are doing exploit development, you know, a lot of them, maybe they don't care how their tooling is used at the end of the day.
Starting point is 00:19:04 Maybe they're just interested in making a couple extra million. It's understandable, right? So these exploits are basically being sold. into an unregulated, like a completely unregulated territory where
Starting point is 00:19:18 the, I guess the biggest incentive is money. And that includes for the exploit broker themselves. Like if you look at
Starting point is 00:19:25 Karuna and you look at DarkSword, both of them were edited to include financial theft, to include the targeting of cryptocurrency.
Starting point is 00:19:34 And this isn't something that you'd see a government developing, really, unless it's North Korea. So in that case,
Starting point is 00:19:41 like, we know that something was added to this tool it was probably added to increase the market so that more people would be willing to buy the tooling and use it. Like it speaks to a completely different use case
Starting point is 00:19:52 and it makes the, I guess the profile of the victim, it greatly expands it beyond, you know, you're a civil society person protesting against a corrupt government or you're a terrorist or you're a criminal, you know? It really expands who the potential victims are. Yeah.
Starting point is 00:20:13 Well, you mentioned that this activity is linked to UNC 6353. What can you tell us about them? What do we know? Not much. You know, we've got some ideas of their targeting. We've got some ideas of their level of technical expertise just based on what we've been able to observe. They're not tied to any known threat group that we know of.
Starting point is 00:20:38 And as far as I know, Google also believes the same. And iVerify also believes the same, since we all worked on this research together. You know, we haven't been able to tie it to an APT29 or a Turla, etc. But there are interesting things around this story. Like, one, all of the observed attacks by this group were in Ukraine. They were targeting cryptocurrency as well as intelligence gathering. Now, we have seen in the past some targeting of cryptocurrency on mobile by a Russian APT.
Starting point is 00:21:14 In that case, it was the Sandworm APT that targeted, they used a tool called Infamous Chisel, which targeted Android, and it was specifically targeting Ukrainians. Besides that, we haven't really seen anything. However, Russia has a long history now of using proxy criminal elements
Starting point is 00:21:34 to conduct campaigns, kind of like a privateer model, a modern-day privateer model. And they've done this with multiple ransomware groups, groups who have targeted entities in Ukraine, they've conducted financial theft, they've performed ransomware attacks, wiper attacks, etc. And one interesting thing is, like I mentioned before, these exploits probably came from Operation Zero. Operation Zero was recently sanctioned by the U.S. government. And in the sanctions, they mentioned two of the associates of the CEO of
Starting point is 00:22:07 Operation Zero. And those two associates are part of the TrickBot ransomware group. So essentially, you have a Russian criminal entity, cybercrime entity, that has direct connections to an exploit broker that has pretty much been proven to have resold some of these exploits to UNC6353 at least, possibly to this Chinese group, UNC6691, as well. There are a lot of connections in that market. There's a lot of coincidences. And I do think that it wouldn't be,
Starting point is 00:22:45 you know, we have no guarantee of this of who they are, but I don't think it would be outside of the norm that they could potentially be one of these cybercrime proxy groups. Like they don't necessarily have to be a Russian APT. They could be because the tooling conducts financial theft and it conducts espionage. But there were indicators also in the code itself, in how easy it was to find
Starting point is 00:23:06 and the fact that none of it was obfuscated. Some of it seemed like boilerplate demo like server infrastructure that was probably just set up for them. There are signs that perhaps they aren't as technically capable as some of these top-tier
Starting point is 00:23:22 Russian APTs, which makes me doubt that it's one of them. But we have no confirmation. That's interesting. So what are your recommendations, then? I mean, for the defenders in our audience, what should they do with this information, with these revelations?
Starting point is 00:23:40 I really think that it drives home the idea that, you know, a mobile endpoint is an endpoint. And it seems silly to say, but typically we don't provide the same kind of security and visibility into mobile endpoints, right? And these stories about like advanced iOS malware, the Predators and Pegasuses of the world. There's always been this kind of trope that they, that, you know, you're not going to be targeted by it. It's going to be some, it's going to be a reporter. It's going to be an activist.
Starting point is 00:24:17 You know, the categories that I mentioned earlier, an opposition politician. One, we always knew that wasn't exactly true. Like what we'd seen in some organizations, individuals get targeted by this malware. In the past, this is before DarkSword and before Karuna. But now, for example,
Starting point is 00:24:37 DarkSword was leaked on GitHub, like anyone can take it and use it. So for an organization, beyond, of course, updating your devices, beyond using lockdown mode, there's other threats. We see that iOS devices are twice as likely to fall for a phishing link than an Android user,
Starting point is 00:25:00 for example, in our data. There was a report that just went out recently about SIO SpA. It's an Italian CSV, commercial surveillance vendor, that used WhatsApp clones, basically trojanized WhatsApp versions that they delivered as an application to iOS devices. They tricked users into downloading them. You have social engineering that occurs, vishing, quishing, etc., that these people are still susceptible to. So the big question is, like, if you get infected by one of these as an organization, how do you know?
Starting point is 00:25:37 There's no visibility. You're reliant on the protections that the OS provides you. Typically, an organization has at least an MDM, but an MDM is managing and it's not security. So for me, like the big takeaway is that these devices need visibility, signals need to be fed into the SOC. Security needs to be part of it, not just the mobility team, because a lot of times mobility is the only organization that's handling mobile devices or the only team that's handling mobile devices
Starting point is 00:26:09 in an organization. And for me, that's wrong. For me, security needs to be involved. They need to be able to see these signals. So you need to deploy solutions that enable organizations to be able to see that data, to be able to see what kind of threats are being targeted at the device. And how readily available are those kinds of solutions?
Starting point is 00:26:31 Oh, they're available, for sure. Sure. If you look up mobile EDR, if you look up mobile threat defense is another category that it's often called. You know, we have a solution at Lookout, of course, that's our bread and butter, really. Yeah. Beyond our intelligence. But there are other, our competitors also have solutions. Even some of the big players in the game of endpoint defense have some solutions that will at least provide some visibility, in many cases only for Android or better on Android. But in some cases, like with ours and with some others, you have iOS and Android capabilities that will at least provide visibility
Starting point is 00:27:12 and will provide some protections against even the minimal threats. Help me understand an element of this. When Apple comes at a problem like this, when they deliver their patches, and forgive me if this is an unfair question, but are they generally shutting down this specific exploit or is it likely that they're
Starting point is 00:27:40 able to shut off more of a category of things? Do you see where I'm going? Vulnerabilities can have multiple exploits, right? Like you can have three different people writing an exploit for the same vulnerability and they might come at it from different ways. So in a way it does shut off categories but let's call them very small categories.
Starting point is 00:28:03 Like, you know, they won't be able to shut down all threats to WebKit, like I mentioned earlier. They can harden it a lot. They can find new vulnerabilities and continue to patch it. But at the end of the day, you have a lot of exploit researchers who are there trying to find new ways to take advantage of it. So they don't really cut off an entire category, but maybe subcategories, maybe by fixing, being able to patch one of these vulnerabilities,
Starting point is 00:28:32 they take care of a bundle of exploits, but not all of them that are targeting that specific portion of technology is probably the way I'd put it. I see. All right, well, Justin, I think I have everything I need for our story here. Is there anything I missed?
Starting point is 00:28:46 Anything I haven't asked you that you think it's important to share? You know, just going back to what I've been saying with that secondhand exploit market. Like for me, that's the thing that I would love that people take away from this is the fact that these things make it into the wild and it should be part of a security posture. People should be thinking about what targets their mobile devices and understand that
Starting point is 00:29:16 these are no longer tools that are just in the hands of a few government entities that are interested in conducting espionage, right? They can be used for a lot of other purposes now. And that environment exists, the pipeline exists, it will be reused. So just that takeaway. Our thanks to Justin Albrecht from Lookout for joining us. The research is titled "Attackers Wielding DarkSword Threaten iOS Users."
Starting point is 00:29:53 We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester.
Starting point is 00:30:25 Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
