Mar 19, 2026

DarkSword: The Hit-and-Run Successor to the Coruna iOS Exploit Kit

Recent threat intelligence from Google has unveiled DarkSword, a highly sophisticated new iOS exploit kit. Deployed by the same threat actors behind the Coruna spyware, DarkSword represents a dangerous evolution in mobile attacks. While Coruna focused on long-term surveillance of older devices, DarkSword targets newer iOS versions (18.4 through 18.7) using aggressive, financially motivated "hit-and-run" tactics. Current intelligence links active DarkSword campaigns to state-sponsored and commercial surveillance actors heavily targeting users in Ukraine, Saudi Arabia, Turkey, and Malaysia.

A Conceptual Shift in Mobile Exploitation

Unlike traditional spyware that attempts to hide on a device for months, DarkSword is designed for maximum speed and zero footprint. The attack unfolds conceptually in three rapid stages:

    1. The Trap: Victims are infected simply by visiting compromised legitimate websites, a technique known as a watering hole attack.
    2. The Breach: Behind the scenes, the kit executes a complex chain of vulnerabilities. It silently breaks out of the web browser, pivots through the device's graphics processing systems, and ultimately compromises the core kernel to gain full control.
    3. The Heist: Operating entirely in memory, DarkSword rapidly force-loads scripts to exfiltrate highly sensitive data. While it steals standard espionage data like secure messages, its primary targets are cryptocurrency wallets and authentication credentials.

Within minutes, the data is stolen, and the malware wipes its tracks and vanishes. Because it leaves no traditional binary implants behind, incident responders face a drastically narrowed window of detection.

How Zimperium Provides Multi-Layered Defense

This evolution proves that waiting for OS patches or relying on traditional, signature-based anti-malware is no longer sufficient against top-tier threat actors. Zimperium Mobile Threat Defense (MTD) protects organizations through a proactive, layered approach:

    • Pre-Exploitation Web Protection: Zimperium’s anti-phishing and web content filtering blocks connections to malicious infrastructure, stopping the exploit before the initial payload is ever delivered.
    • On-Device Behavioral Detection: Complex exploit chains inherently cause system instability, which manifests as process crashes, high memory usage, or filesystem artifacts.
    • Network Anomalies: One of the main purposes of spyware is data exfiltration, and exfiltration produces network anomalies (unexpected destinations, volumes, or timing) that can be detected independently of any on-device implant.
    • Deep Forensic Analysis: While hit-and-run JavaScript attacks are designed to leave no traditional binary footprint, Zimperium's advanced forensic capabilities analyze transient system artifacts, memory anomalies, and targeted daemon crash logs (such as WebKit or mediaplaybackd) to reconstruct the attack timeline and verify the exact extent of the compromise.
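The crash-log angle in the Deep Forensic Analysis bullet can be illustrated with a small timeline-reconstruction script. This is an added example written for this post, not Zimperium's detection logic or anything from the Google report: it parses constructed crash-report header lines loosely modeled on the JSON first line of iOS .ips files (the field names app_name, timestamp, bug_type and os_version are assumptions about that format), keeps only crashes from the daemons the post names (WebKit's WebContent process and mediaplaybackd), and groups crashes that land within a short window of each other. A tight burst of crashes across exactly those processes is the kind of transient artifact that survives a memory-only attack and gives a responder a timestamp to pivot from.

```python
import json
from datetime import datetime, timedelta

# Processes the post names as crash-log sources worth watching. The exact
# identifiers are assumptions about how they appear in a report header.
WATCHED_PROCESSES = ("com.apple.WebKit.WebContent", "mediaplaybackd")

# Constructed sample data: one JSON header line per crash report, modeled on
# the first line of an iOS .ips file. Every value below is made up.
SAMPLE_HEADERS = [
    '{"app_name":"com.apple.WebKit.WebContent","timestamp":"2026-03-10 14:02:11.00 +0000","bug_type":"309","os_version":"iPhone OS 18.5 (22F76)"}',
    '{"app_name":"mediaplaybackd","timestamp":"2026-03-10 14:02:40.00 +0000","bug_type":"309","os_version":"iPhone OS 18.5 (22F76)"}',
    '{"app_name":"com.apple.WebKit.WebContent","timestamp":"2026-03-10 14:03:05.00 +0000","bug_type":"309","os_version":"iPhone OS 18.5 (22F76)"}',
    '{"app_name":"Maps","timestamp":"2026-03-10 16:45:00.00 +0000","bug_type":"309","os_version":"iPhone OS 18.5 (22F76)"}',
    '{"app_name":"com.apple.WebKit.WebContent","timestamp":"2026-03-12 09:10:00.00 +0000","bug_type":"309","os_version":"iPhone OS 18.5 (22F76)"}',
    "this line is not a crash report header",
]


def parse_header(line):
    """Parse one crash-report header line; return None for malformed input."""
    try:
        data = json.loads(line)
        when = datetime.strptime(data["timestamp"], "%Y-%m-%d %H:%M:%S.%f %z")
    except (ValueError, KeyError, TypeError):
        return None
    return {
        "process": data.get("app_name", ""),
        "time": when,
        "bug_type": data.get("bug_type", ""),
        "os_version": data.get("os_version", ""),
    }


def find_crash_clusters(lines, watched=WATCHED_PROCESSES,
                        window=timedelta(minutes=10), min_events=2):
    """Group crashes of watched processes that occur within `window` of the
    previous one. Returns a list of clusters (each a time-ordered list of
    events) that contain at least `min_events` crashes."""
    events = [e for e in map(parse_header, lines) if e and e["process"] in watched]
    events.sort(key=lambda e: e["time"])
    clusters, current = [], []
    for event in events:
        # A gap larger than the window closes the current cluster.
        if current and event["time"] - current[-1]["time"] > window:
            if len(current) >= min_events:
                clusters.append(current)
            current = []
        current.append(event)
    if len(current) >= min_events:
        clusters.append(current)
    return clusters


def summarize(cluster):
    """Reduce a cluster to the facts a responder wants in a timeline entry."""
    return {
        "start": cluster[0]["time"].isoformat(),
        "end": cluster[-1]["time"].isoformat(),
        "count": len(cluster),
        "processes": sorted({e["process"] for e in cluster}),
        "os_versions": sorted({e["os_version"] for e in cluster}),
    }


if __name__ == "__main__":
    for cluster in find_crash_clusters(SAMPLE_HEADERS):
        print(summarize(cluster))
```

On the constructed data the three crashes within a minute on 2026-03-10 form one cluster spanning both watched processes, while the isolated WebContent crash two days later and the unrelated Maps crash are ignored. Run against a real set of crash reports, the window and minimum count should be tuned to the device population's baseline crash rate so that a single ordinary WebContent crash does not raise an alert.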

Our findings align with a growing body of intelligence suggesting the DarkSword exploit kit is being leveraged on a global scale. Similar malicious activity and indicators of compromise (IoCs) have been identified in several regions beyond the initial clusters reported in Ukraine, Turkey, and Saudi Arabia. The "hit-and-run" nature of these attacks, which prioritize the rapid exfiltration of messaging and cryptocurrency data followed by immediate self-deletion, suggests that the telemetry observed in Malaysia represents the local expansion of a wider, distributed campaign targeting unpatched iOS devices (v18.4 through 18.7).

As threat actors shift toward agile, memory-only attacks, Zimperium ensures your enterprise mobile endpoints remain secure against the most advanced threats.