DarkSword — Coruna successor

The Coruna exploit kit, discovered in early March and targeting iPads and iPhones running iOS 13–17.2.1, now has a successor — DarkSword.

On March 18, after Apple patched the CVEs exploited by Coruna (on March 13) and the kit had already spread across the web, researchers from Lookout Threat Labs identified a new iOS exploit kit named DarkSword.

Like Coruna, DarkSword is used to steal a wide range of personal data, including saved passwords, photos, WhatsApp and Telegram data, crypto wallets, SMS messages, contacts, location, browser history, cookies, and more.

DarkSword targets iPhones running iOS 18.4–18.7 and is linked to the Coruna operators and the UNC6353 group. According to a report by iVerify, all vulnerabilities exploited by DarkSword, including use-after-free, out-of-bounds write, kernel copy-on-write flaws, and kernel privilege escalation bugs, are known and have already been patched by Apple in the latest iOS versions.

DarkSword attacks are triggered in the Safari browser, where the exploit kit grants operators kernel read/write access and then executes code via the main orchestrator component (pe_main.js). The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, then activates modules for data theft.

💬 Discuss