SCMP

iPhone spyware DarkSword hits Malaysia, exposing spread of sophisticated hacking tools

Malaysian users are among victims targeted by a newly uncovered iPhone spyware operation that researchers say was used by multiple threat actors across countries, in a sign that sophisticated mobile-hacking tools are spreading through a murkier commercial and criminal ecosystem.

The spyware, known as DarkSword, was observed targeting entities in Malaysia, Ukraine, Saudi Arabia and Turkey, and was uncovered by investigators shortly after they exposed another exploit kit, Coruna, linked to the same infrastructure.

Researchers at iVerify, working with Google and Lookout, said DarkSword could compromise vulnerable iPhones through hacked legitimate websites and siphon off highly sensitive data, including messages, call logs, location history, notes and health records.

The attack uses a watering hole tactic in which perpetrators compromise websites a victim is likely to visit and use them to silently try to break into the individual’s phone.

Google’s Threat Intelligence Group (GTIG) said multiple commercial surveillance vendors and suspected state-linked actors had used DarkSword, including activity linked to Turkish spyware vendor PARS Defence and a suspected Russian espionage group known as UNC6353.

“GTIG has identified several different users of the DarkSword exploit chain dating back to November 2025,” Google said in a threat intelligence report last week.


