DarkSword operators phishing and watering-hole campaign
Campaign
Summary
Hide ▲
Show ▼
DarkSword operators ran a cross-border phishing and watering-hole campaign using an iPhone exploit chain against users in Saudi Arabia and Ukraine, with additional activity in Turkey and Malaysia since November 2025. The operation matters because the chain can fully compromise devices, exfiltrate data, and even target cryptocurrency wallets. The recurring lures and region-specific targeting point to an active campaign rather than a one-off exploit use.
Related Happenings
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
CampaignAbout this happening: The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Operation Triangulation updated iPhone espionage campaign
Campaign
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Operation Triangulation updated iPhone espionage campaign
CampaignAbout this happening: The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Coruna watering-hole and fake-site exploitation campaign
Campaign
First: 26.03.2026 13:07
Last: 26.03.2026 13:07
Sources 1
About this happening:
A suspected **Russia-aligned nation-state actor** is using **Coruna** in **watering-hole attacks in Ukraine** and a **mass exploitation campaign**, expanding the kit’s abuse beyon...
Coruna watering-hole and fake-site exploitation campaign
CampaignAbout this happening: A suspected **Russia-aligned nation-state actor** is using **Coruna** in **watering-hole attacks in Ukraine** and a **mass exploitation campaign**, expanding the kit’s abuse beyon...
Perseus IPTV-lure distribution campaign targeting Europe and the Middle East
Campaign
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** distribution campaign is actively pushing **Android malware** through **phishing sites** and **IPTV-lure apps**, increasing the risk of **device takeover** and **f...
Perseus IPTV-lure distribution campaign targeting Europe and the Middle East
CampaignAbout this happening: The **Perseus** distribution campaign is actively pushing **Android malware** through **phishing sites** and **IPTV-lure apps**, increasing the risk of **device takeover** and **f...
DarkSword iPhone exploit chain exploitation wave
Exploitation Wave
First: 18.03.2026 23:15
Last: 18.03.2026 23:15
Sources 1
How related:
"full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices," and has been used by multiple commercial surveillance vendors and suspected state-sponsored threat actors to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
About this happening:
**DarkSword** is an **active iPhone exploitation wave** targeting **iOS 18.4 through iOS 18.7**, with **Apple** expanding **iOS 18.7.7** and **iPadOS 18.7.7** to more older device...
DarkSword iPhone exploit chain exploitation wave
Exploitation WaveHow related: "full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices," and has been used by multiple commercial surveillance vendors and suspected state-sponsored threat actors to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
About this happening: **DarkSword** is an **active iPhone exploitation wave** targeting **iOS 18.4 through iOS 18.7**, with **Apple** expanding **iOS 18.7.7** and **iPadOS 18.7.7** to more older device...
Latest development: 02.04.2026 16:30
Apple broadened availability of iOS 18.7.7 and iPadOS 18.7.7 on April 1 to more devices still running iOS 18, including iPhone XR through iPhone 16 models, iPhone SE (2nd and 3rd generation), and multiple iPad models, so they can receive security patches against DarkSword web-based watering hole attacks that can deploy malware after a user visits a compromised website. Apple also began sending lock screen notifications to users running older software, urging installation of the latest security updates.
Timeline
-
18.03.2026 23:15 2 articles · 2mo ago
DarkSword operators phishing and watering-hole campaign
Initial DisclosureIn **November 2025**, a **phony website promising secure Snapchat messaging** was used to target **Saudi Arabian users**. Around the same period, **watering hole attacks** were used against **Ukrainian users**, showing the campaign's early multi-lure pattern.
Show sources
- DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike — www.darkreading.com — 18.03.2026 23:15
- DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike — www.darkreading.com — 18.03.2026 23:15