Russia-linked hackers use advanced iPhone exploit to target Ukrainians

A likely Russia-linked actor deployed a sophisticated iPhone hacking tool called DarkSword to target Ukrainian users via compromised websites, enabling rapid theft of sensitive data with little to no user interaction. The hit-and-run campaign attributed to UNC6353 exfiltrated emails, messages, photos, credentials and cryptocurrency wallet data before deleting itself, and Apple patched the exploited vulnerabilities in late 2025.

Key points

  • DarkSword is a powerful iPhone exploit that can break into devices with minimal user interaction and extract data within minutes.
  • The activity is attributed to UNC6353 and has run since at least late 2025, using watering-hole attacks against Ukrainian websites.
  • Compromised targets included a regional news outlet, a local court site, and possibly a Ukrainian food processing company.
  • The campaign operated on a hit-and-run model, rapidly exfiltrating data and then erasing traces, and targeted crypto platforms and wallets like Coinbase, Binance, Kraken, MetaMask and Ledger.
  • Researchers believe the attackers leveraged high-end purchased exploits and modular tooling, and Apple released patches for the flaws in late 2025.

Read More: https://therecord.media/russia-linked-hackers-use-iphone-exploit-ukraine