DarkSword operators phishing and watering-hole campaign
Campaign
Summary
Hide ▲
Show ▼
DarkSword operators ran a cross-border phishing and watering-hole campaign using an iPhone exploit chain against users in Saudi Arabia and Ukraine, with additional activity in Turkey and Malaysia since November 2025. The operation matters because the chain can fully compromise devices, exfiltrate data, and even target cryptocurrency wallets. The recurring lures and region-specific targeting point to an active campaign rather than a one-off exploit use.
Related Happenings
WebKit memory corruption, out-of-bounds write, and use-after-free flaws (multiple vulnerabilities)
Vulnerability
H score1
First: 30.06.2026 10:15
Last: 30.06.2026 10:15
Sources 1
About this happening:
**WebKit** now has four patched vulnerabilities, including **CVE-2026-43707**, **CVE-2026-43716**, **CVE-2026-43745**, and **CVE-2026-43715**, that can be triggered by **malicious...
WebKit memory corruption, out-of-bounds write, and use-after-free flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **WebKit** now has four patched vulnerabilities, including **CVE-2026-43707**, **CVE-2026-43716**, **CVE-2026-43745**, and **CVE-2026-43715**, that can be triggered by **malicious...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
H score33
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
CampaignAbout this happening: The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
Operation Triangulation updated iPhone espionage campaign
Campaign
H score41
First: 26.03.2026 15:10
Last: 26.03.2026 15:10
Sources 1
About this happening:
The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Operation Triangulation updated iPhone espionage campaign
CampaignAbout this happening: The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...
Coruna watering-hole and fake-site exploitation campaign
Campaign
H score44
First: 26.03.2026 13:07
Last: 26.03.2026 13:07
Sources 1
About this happening:
A suspected **Russia-aligned nation-state actor** is using **Coruna** in **watering-hole attacks in Ukraine** and a **mass exploitation campaign**, expanding the kit’s abuse beyon...
Coruna watering-hole and fake-site exploitation campaign
CampaignAbout this happening: A suspected **Russia-aligned nation-state actor** is using **Coruna** in **watering-hole attacks in Ukraine** and a **mass exploitation campaign**, expanding the kit’s abuse beyon...
Perseus IPTV-lure distribution campaign targeting Europe and the Middle East
Campaign
H score36
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** distribution campaign is actively pushing **Android malware** through **phishing sites** and **IPTV-lure apps**, increasing the risk of **device takeover** and **f...
Perseus IPTV-lure distribution campaign targeting Europe and the Middle East
CampaignAbout this happening: The **Perseus** distribution campaign is actively pushing **Android malware** through **phishing sites** and **IPTV-lure apps**, increasing the risk of **device takeover** and **f...
Timeline
-
18.03.2026 23:15 2 articles · 3mo ago
DarkSword operators phishing and watering-hole campaign
Initial DisclosureIn **November 2025**, a **phony website promising secure Snapchat messaging** was used to target **Saudi Arabian users**. Around the same period, **watering hole attacks** were used against **Ukrainian users**, showing the campaign's early multi-lure pattern.
Show sources
- DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike — www.darkreading.com — 18.03.2026 23:15
- DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike — www.darkreading.com — 18.03.2026 23:15