Russia-Linked Actor Deploys DarkSword iPhone Malware

Researchers at Lookout said on Wednesday that a likely Russia-linked threat actor has deployed DarkSword, a sophisticated iPhone malware, against Ukrainian users from late 2025 through March 2026 via watering-hole websites. The tool exfiltrates emails, messages, photos, credentials and cryptocurrency wallet data within minutes and then erases its traces; Apple patched the exploited vulnerabilities in late 2025.
Key Points
- DarkSword malware compromises iPhones via watering-hole exploits, exfiltrating emails, messages, photos, credentials, and crypto-wallet data.
- Researchers at Lookout link the campaign to UNC6353, suggesting access to high-end exploits or commercial surveillance tools.
- Practitioners should prioritize patching, monitor for watering-hole compromises, and protect keys for Coinbase, Binance, Kraken, and MetaMask.
Scoring Rationale
Strong vendor-backed discovery with actionable mitigation, but geographically focused targeting and moderate technical disclosure limit universal applicability.


