Darksword iOS exploit kit and data-stealing activity
Malware Activity
Summary
The Darksword iOS exploit kit is being used to steal personal information from iPhones, including cryptocurrency wallet data, making it a high-risk mobile infostealer operation. It targets devices running iOS 18.4 through 18.6.2 and enters through Safari using a chain of multiple exploits before loading its main orchestrator. Researchers link the activity to UNC6353 and say the toolkit can exfiltrate passwords, messages, photos, and other sensitive device data.
Related Happenings
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
Apple iOS 18.7.7 security update expansion for DarkSword
Security Patch Release
First: 02.04.2026 00:50
Last: 02.04.2026 00:50
Sources 1
About this happening:
Apple expanded **iOS 18.7.7** availability to more older **iPhones and iPads** on **April 1, 2026**, letting devices that stay on **iOS 18** receive protections against the **acti...
Infinity Stealer macOS infostealer activity
Malware Activity
First: 28.03.2026 16:35
Last: 28.03.2026 16:35
Sources 1
About this happening:
**Infinity Stealer** is a **macOS infostealer** being delivered through a **ClickFix** lure and is able to steal high-value credentials and secrets. The payload is compiled with *...
Operation Triangulation updated iPhone espionage campaign
Campaign
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Coruna iOS exploit analysis ties updated Triangulation kernel exploit lineage
Technical Analysis
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
**Coruna** has been linked to an **updated** exploit lineage from **Operation Triangulation**, showing that a long-running iPhone attack framework continues to evolve and can stil...
Timeline
18.03.2026 16:02 · 1 article
Darksword iOS exploit kit disclosure and analysis
Initial Disclosure: Lookout Threat Labs, with Google’s Threat Intelligence Group and iVerify, details Darksword as a new iOS exploit kit and delivery framework used against iPhones running iOS 18.4 through 18.6.2 to steal personal information, including cryptocurrency wallet data. The analysis links the activity to UNC6353, describes a Safari-based exploit chain that reaches a main orchestrator component named pe_main.js, and says the operation can exfiltrate passwords, photos, WhatsApp and Telegram databases, browser history, Wi‑Fi credentials, Apple Health data, and other sensitive device information before wiping temporary files and exiting.
- New “Darksword” iOS exploit used in infostealer attack on iPhones — www.bleepingcomputer.com — 18.03.2026 16:02