Lookout Uncovers DarkSword iOS Exploit Chain

World’s Largest Mobile Threat Intelligence Dataset Powers Discovery of Hit-and-Run Exploit Targeting iOS Users and Cryptocurrency Assets

Lookout, Inc., the leader in mobile security, today announced the discovery of DarkSword, a sophisticated, full iOS exploit chain and infostealer that signals a new phase in mobile threats—where advanced exploit capabilities are increasingly leveraged for financial gain, and where AI is dramatically accelerating the scale and precision of these attacks.

Discovered by Lookout Threat Labs, DarkSword targets iPhones running iOS versions 18.4 through 18.6.2, using a “hit-and-run” technique to rapidly exfiltrate highly sensitive data—including credentials and cryptocurrency wallets—within minutes before erasing its presence to evade detection.

The investigation was conducted in collaboration with Google and iVerify, with Lookout contributing independent research and mobile threat analysis throughout the effort. Building on UNC6353 infrastructure previously reported by Google, Lookout researchers significantly advanced the characterization of the DarkSword campaign by analyzing the attacker’s malicious infrastructure and the sophisticated data exfiltration modules. By identifying the command-and-control (C2) servers and the specific “hit-and-run” logic used to lift sensitive credentials and cryptocurrency wallets, Lookout uncovered the critical mobile security intelligence necessary to map the campaign’s true scope and financially motivated intent.

Building on previously reported UNC6353 infrastructure, Lookout researchers helped to advance the understanding of the DarkSword exploit chain and its broader operational context. The company’s mobile security visibility and research expertise routinely support the identification and analysis of sophisticated mobile threats, providing important context for assessing campaigns such as those associated with UNC6353, a well-funded, likely Russian-linked threat actor. This collaboration highlights the value of combining platform intelligence and mobile-focused threat research to expose increasingly sophisticated mobile attacks.

A Breakthrough in Mobile Intelligence, Not Just Malware Discovery

DarkSword is not just another exploit—it is evidence of a structural shift in the mobile threat landscape.

Mobile devices have become the primary control plane for identity, access, and financial assets, making them the most valuable—and least instrumented—attack surface in the enterprise. DarkSword demonstrates how quickly attackers can weaponize that gap.

“DarkSword represents a notable shift that we’ve predicted for years,” said Justin Albrecht, global director of mobile threat intelligence at Lookout. “Advanced mobile malware has ceased to be a tool wielded solely by governments for espionage and is now in the hands of groups seeking financial gain. Between the rise in social engineering attacks targeting mobile devices and the availability of tools like DarkSword, it’s time to take mobile security seriously and ensure that security teams have visibility into the increasing volume of threats targeting their mobile endpoints.”
