Lookout Uncovers DarkSword iOS Exploit Chain, Exposing a New Era of Mobile Threats

World’s Largest Mobile Threat Intelligence Dataset Powers Discovery of Hit-and-Run Exploit Targeting iOS Users and Cryptocurrency Assets

BOSTON--(BUSINESS WIRE)--Lookout, Inc., the leader in mobile security, today announced the discovery of DarkSword, a sophisticated, full iOS exploit chain and infostealer that signals a new phase in mobile threats—where advanced exploit capabilities are increasingly leveraged for financial gain, and where AI is dramatically accelerating the scale and precision of these attacks.

Discovered by Lookout Threat Labs, DarkSword targets iPhones running iOS versions 18.4 through 18.6.2, using a “hit-and-run” technique to rapidly exfiltrate highly sensitive data—including credentials and cryptocurrency wallets—within minutes before erasing its presence to evade detection.

The investigation was conducted in collaboration with Google and iVerify, with Lookout contributing independent research and mobile threat analysis throughout the effort. Building on UNC6353 infrastructure previously reported by Google, Lookout researchers significantly advanced the characterization of the DarkSword campaign by analyzing the attacker's malicious infrastructure and the sophisticated data exfiltration modules. By identifying the command-and-control (C2) servers and the specific "hit-and-run" logic used to lift sensitive credentials and cryptocurrency wallets, Lookout uncovered the critical mobile security intelligence necessary to map the campaign’s true scope and financially motivated intent.

Building on previously reported UNC6353 infrastructure, Lookout researchers helped to advance the understanding of the DarkSword exploit chain and its broader operational context. The company’s mobile security visibility and research expertise routinely support the identification and analysis of sophisticated mobile threats, providing important context for assessing campaigns such as those associated with UNC6353 — a well-funded, likely Russian-linked threat actor. This collaboration highlights the value of combining platform intelligence, and mobile-focused threat research to expose increasingly sophisticated mobile attacks.

A Breakthrough in Mobile Intelligence, Not Just Malware Discovery

DarkSword is not just another exploit—it is evidence of a structural shift in the mobile threat landscape.

Mobile devices have become the primary control plane for identity, access, and financial assets, making them the most valuable—and least instrumented—attack surface in the enterprise. DarkSword demonstrates how quickly attackers can weaponize that gap.

“DarkSword represents a notable shift that we've predicted for years,” said Justin Albrecht, global director of mobile threat intelligence at Lookout. “Advanced mobile malware has ceased to be a tool wielded solely by governments for espionage and is now in the hands of groups seeking financial gain. Between the rise in social engineering attacks targeting mobile devices and the availability of tools like DarkSword, it's time to take mobile security seriously and ensure that security teams have visibility into the increasing volume of threats targeting their mobile endpoints.”

About the DarkSword Exploit

DarkSword is a highly engineered exploit chain leveraging vulnerabilities in Safari and WebGPU to escape the iOS sandbox and execute privileged code. Once deployed, it rapidly collects and exfiltrates:

• Identity & Communications: SMS/iMessage, WhatsApp/Telegram, email, saved credentials
• Corporate & Personal iCloud files, notes, photos, cryptocurrency wallets
• Device Intelligence: WiFi credentials, location history, call logs

Its “hit-and-run” design minimizes dwell time, allowing attackers to extract high-value data and disappear before traditional detection methods can respond.

Lookout customers are protected against DarkSword through Safe Browsing and Device Compromise Detection, and we strongly advise all organizations to update to the latest iOS versions (≥18.7.3 or ≥26.3) and retire unsupported devices.

Mobile Risk is Business Risk

DarkSword underscores a critical truth: the enterprise perimeter has shifted to mobile. Yet most organizations still rely on security models built for endpoints and networks—not the always-on, identity-rich, user-driven nature of mobile devices.

“The emergence of exploit chains like DarkSword highlights a shift in the mobile threat landscape, with attacks requiring little to no user interaction,” said Mike Jude, Research Director at IDC. “As mobile devices serve as gateways to both personal and enterprise data, mobile risk has become business risk and organizations must recognize that traditional security approaches are insufficient. To reduce exposure, organizations should have proactive mobile security, including monitoring, device management, and rapid patching.”

Lookout closes this gap with mobile endpoint detection and response (EDR) powered by the industry’s most comprehensive mobile dataset—giving security teams the visibility and control required to defend against modern, cross-platform threats.

The Lookout Intelligence Advantage

Lookout’s ability to uncover DarkSword is rooted in a fundamentally different approach to security—one built on continuous, AI-driven mobile intelligence, not episodic analysis.

• Unmatched Mobile Telemetry at Global Scale
  Lookout’s platform is trained on insights from over 200 million devices and more than 400 million mobile applications, creating the largest mobile threat intelligence dataset in the world. This scale enables early detection of emerging exploit patterns before they become widespread.

• Deep Visibility into Mobile-Centric Attack Vectors
  Having analyzed more than 567 million URLs, Lookout has unique insight into phishing, credential harvesting, and social engineering attacks that originate on mobile—where traditional security controls lack visibility.

• Mobile-Native by Design
  Lookout was built specifically for mobile environments—long before iOS and Android became the fastest-growing vectors for identity compromise. This foundation enables detection of threats that operate across apps, networks, and user behavior—not just malware artifacts.

• From Intelligence to Enforcement in Real Time
  Unlike tools that rely on manual, high-friction forensic workflows on a limited set of devices, Lookout operationalizes intelligence across the enterprise—automatically enforcing policy through integrations with MDM, IAM, and SOC workflows to stop threats as they happen.

About Lookout

Lookout is the recognized leader in mobile security, trusted by governments, enterprises, and small businesses worldwide. The company pioneered the mobile security industry in 2009 and has built the largest and most advanced dataset in the market, protecting over 235 million devices and analyzing over 400 million apps. Powered by AI-driven mobile threat intelligence and supported by a world-class research team, Lookout delivers unmatched protection and proactive threat detection.

As mobile devices become the primary gateway to corporate identity and data, organizations face growing blind spots. Traditional security tools leave SOC teams without critical visibility into mobile risks, rendering them vulnerable to sophisticated cross-platform social engineering attacks. Lookout’s Mobile EDR closes this gap by providing real-time threat detection, investigation, and response, enabling security teams to stay ahead of evolving threats and keep their organizations safe. To learn more, visit www.lookout.com and follow Lookout on our blog, LinkedIn and X.

© 2026 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.

Contact Lookout PR: press@lookout.com

The post Lookout Uncovers DarkSword iOS Exploit Chain, Exposing a New Era of Mobile Threats appeared first on Crypto Reporter.