Lookout has uncovered DarkSword, a sophisticated iOS exploit chain and infostealer that points to a serious shift in the mobile threat landscape. More importantly, the discovery shows how advanced mobile exploits are no longer limited to state-backed espionage. Instead, attackers are increasingly using these capabilities for financial gain, while AI is helping them scale attacks faster and with greater precision.

According to Lookout Threat Labs, DarkSword targets iPhones running iOS versions 18.4 through 18.6.2. The exploit uses a “hit-and-run” method to steal highly sensitive data, including credentials and cryptocurrency wallets, within minutes. After that, it erases signs of its activity to avoid detection. As a result, organizations face a growing challenge in identifying and stopping these attacks before significant damage occurs.

Lookout conducted the investigation in collaboration with Google and iVerify. While Google had previously reported infrastructure linked to UNC6353, Lookout expanded the analysis by closely examining the attacker’s malicious infrastructure and advanced data exfiltration modules. In particular, the company identified command-and-control servers and the specific “hit-and-run” logic used to steal credentials and cryptocurrency wallets. Because of this deeper mobile threat intelligence, researchers gained a clearer picture of the campaign’s true scale and its financially motivated objectives.

The company also noted that this campaign reflects a broader trend in mobile-focused cybercrime. Lookout’s visibility into mobile threats helped add important context to activity associated with UNC6353, which it described as a well-funded, likely Russian-linked threat actor. Furthermore, the joint effort with Google and iVerify highlights how platform intelligence and specialized mobile threat research can work together to uncover highly sophisticated attacks.

DarkSword stands out not simply as another malware discovery, but as evidence of a structural change in how cybercriminals operate. Mobile devices now function as the main control centers for identity, access, and financial assets. Therefore, they have become one of the most valuable targets for attackers. At the same time, many enterprises still lack the tools and visibility needed to secure this expanding attack surface effectively.

“DarkSword represents a notable shift that we’ve predicted for years,” said Justin Albrecht, global director of mobile threat intelligence at Lookout. “Advanced mobile malware has ceased to be a tool wielded solely by governments for espionage and is now in the hands of groups seeking financial gain. Between the rise in social engineering attacks targeting mobile devices and the availability of tools like DarkSword, it’s time to take mobile security seriously and ensure that security teams have visibility into the increasing volume of threats targeting their mobile endpoints.”

Lookout said DarkSword is a highly engineered exploit chain that uses vulnerabilities in Safari and WebGPU to break out of the iOS sandbox and execute privileged code. Once active, it can quickly gather a wide range of information. This includes messages from SMS, iMessage, WhatsApp, and Telegram, as well as email and saved credentials. In addition, it can collect iCloud files, notes, photos, cryptocurrency wallets, WiFi credentials, location history, and call logs. Since its “hit-and-run” design keeps dwell time short, attackers can steal valuable information and disappear before traditional tools react.

Lookout added that its customers are protected against DarkSword through Safe Browsing and Device Compromise Detection. At the same time, the company strongly advised organizations to update devices to the latest iOS versions, specifically 18.7.3 or later, or 26.3 or later, and to retire unsupported devices. This guidance underscores the urgent need for patching and lifecycle management in mobile security programs.
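The version guidance above can be applied to a device inventory export. The following is an added example, not Lookout's tooling or code from the original article; the CSV layout, device IDs and status labels are constructed for illustration, and only the version boundaries come from the article.

```python
import csv
import io

# Version boundaries quoted in the article.
TARGET_LOW, TARGET_HIGH = (18, 4, 0), (18, 6, 2)  # reported DarkSword target range
FIXED_18, FIXED_26 = (18, 7, 3), (26, 3, 0)       # advised minimum versions

# Constructed sample inventory (hypothetical device IDs and column names).
INVENTORY_CSV = """device_id,os_version
ios-001,18.5
ios-002,18.6.2
ios-003,18.7.3
ios-004,26.2
ios-005,26.3.1
ios-006,17.7.2
ios-007,n/a
"""

def parse_version(text):
    """Turn '18.6.2' into (18, 6, 2), padding missing parts with zero."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    """Map an iOS version string to a triage status (labels are assumptions)."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"              # unparseable: needs manual review
    if TARGET_LOW <= v <= TARGET_HIGH:
        return "in-target-range"      # inside the range the article reports
    if v >= FIXED_26 or (v[0] == 18 and v >= FIXED_18):
        return "meets-advice"         # at or above an advised version
    return "below-advice"             # outside the range, but still needs updating

def triage(csv_text):
    """Group device IDs by triage status."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets.setdefault(classify(row["os_version"]), []).append(row["device_id"])
    return buckets

if __name__ == "__main__":
    for status, ids in sorted(triage(INVENTORY_CSV).items()):
        print(f"{status:16} {', '.join(ids)}")
```

Devices that cannot install an advised version fall into `below-advice`; whether they are unsupported hardware to retire has to be decided from the device model, which this check does not see.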

The company further stressed that mobile risk is now directly tied to business risk. Because mobile devices connect users to both personal and enterprise environments, a compromise can quickly affect sensitive operations, corporate systems, and financial assets. Yet many businesses still depend on security strategies designed for traditional endpoints and networks rather than always-connected, identity-rich mobile devices.

“The emergence of exploit chains like DarkSword highlights a shift in the mobile threat landscape, with attacks requiring little to no user interaction,” said Mike Jude, Research Director at IDC. “As mobile devices serve as gateways to both personal and enterprise data, mobile risk has become business risk and organizations must recognize that traditional security approaches are insufficient. To reduce exposure, organizations should have proactive mobile security, including monitoring, device management, and rapid patching.”

Lookout believes its ability to uncover DarkSword comes from its AI-driven mobile intelligence model. The company said its platform draws insight from more than 200 million devices, over 400 million mobile applications, and more than 567 million analyzed URLs. Consequently, that scale gives security teams stronger visibility into phishing, credential theft, social engineering, and other mobile-first threats. Overall, the DarkSword discovery reinforces a critical message for enterprises: mobile security can no longer remain a secondary priority in modern cyber defense.
