Google researchers have uncovered an active iOS exploit chain, referred to as DarkSword, that combines six distinct vulnerabilities to deploy malware on iPhones. The exploit affects devices running iOS versions 18.4 through 18.7. Researchers say the threat is already being used against real users in the wild.
The attack is triggered when a user on a vulnerable device visits a malicious or compromised website. From there, DarkSword deploys a JavaScript-based data-stealing tool called Ghostblade. Ghostblade is specifically engineered to locate and extract data from major cryptocurrency applications.
Among the targeted platforms are prominent crypto exchanges including Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC. Ghostblade also searches for widely used crypto wallet applications such as Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe. The malware's scope extends well beyond crypto assets.
In addition to targeting financial applications, Ghostblade simultaneously harvests a broad range of personal data from infected devices. This includes SMS and iMessage communications, call history, contacts, Wi-Fi passwords, Safari cookies and browsing history, location data, health data, and photos. Saved passwords and message histories from Telegram and WhatsApp are also collected.
Researchers note that Ghostblade is built for rapid data extraction rather than prolonged surveillance. Once it has gathered all accessible information, the malware deletes its temporary files and shuts itself down. This design makes it harder to detect after the fact.
Multiple threat actors are believed to be deploying DarkSword, spanning commercial spyware vendors and state-backed groups. Observed campaigns include one in Saudi Arabia using a counterfeit application designed to resemble Snapchat, and another in Ukraine conducted through compromised websites, one of which belonged to a government entity. The breadth of actors involved suggests the exploit has been made available across different groups.
The discovery is part of a broader pattern of malware campaigns directed at cryptocurrency users. Previous incidents include the Inferno Drainer malware, which reportedly stole approximately nine million dollars from crypto users over a six-month span last year, as well as a separate campaign involving counterfeit Android smartphones that came pre-loaded with crypto-stealing software. The emergence of DarkSword underscores the continued and growing interest among threat actors in targeting digital asset holders.
Originally reported by Decrypt.
