Russian Hackers Deploy Darksword Spyware on Ukrainian iPhones

March 18, 2026 — Cybersecurity researchers have uncovered a new hacking campaign targeting iPhone users in Ukraine with sophisticated spyware designed to steal personal data and cryptocurrency. The campaign, attributed to a suspected Russian government-aligned group, employed a previously unseen toolkit dubbed “Darksword.”

Darksword’s Smash-and-Grab Tactics

Researchers from Google and security firms iVerify and Lookout analyzed the campaign, which they linked to a threat actor identified as UNC6353. Their analysis revealed that Darksword was built to infect iPhones, steal information, and then quickly remove itself. The malware targeted passwords, photos, messages from apps like WhatsApp and Telegram, and browser history.

“Darksword’s dwell time on the device is likely in the range of minutes, depending on the amount of data it discovers and exfiltrates,” Lookout researchers wrote in their report. This design suggests the hackers were more interested in a rapid data grab than in persistent, long-term surveillance.

Rocky Cole, co-founder of iVerify, told TechCrunch the likely goal was to learn about victims’ patterns of life. The malware was distributed through compromised Ukrainian websites, infecting any visitor accessing the sites from within the country’s borders.

Link to Previous Coruna Spyware

The discovery follows the earlier exposure of another iPhone-hacking toolkit named Coruna. In early March, Google revealed that Coruna was first used by a government client of a surveillance vendor, then by Russian spies against Ukrainians, and later by Chinese cybercriminals.

TechCrunch reported that Coruna was originally developed at U.S. defense contractor L3Harris by its Trenchant division. According to former employees, it was designed for Western governments, including members of the Five Eyes intelligence alliance. The Darksword campaign appears to be a related but more recent operation exploiting different vulnerabilities.

Unusual Financial Motive

A notable feature of Darksword is its capability to steal cryptocurrency, specifically StockPil, from popular wallet apps. This financial component is unusual for a suspected state-aligned hacking group.

“This may indicate that this threat actor is financially motivated, or alternatively it may indicate that this (likely) Russian state-aligned activity has expanded into financial theft targeting mobile devices,” Lookout stated in its analysis. However, Cole noted there is no evidence the hackers actually sought to steal crypto, only that the malware possessed the capability.

The malware’s modular, professional design suggests it was built for easy updates and new functionality. Cole speculated that the same entity that sold the Coruna toolkit to Russian government hackers may have also sold Darksword.

Attribution Points to Russia

Researchers point to the Russian government as the likely sponsor of the campaign. Lookout said the group using Darksword is the same one that used Coruna against Ukrainians, a group also suspected of working for Russian intelligence.

“UNC6353 is a well-funded and connected threat actor conducting attacks for financial gain and espionage in alignment with Russian intelligence requirements,” Justin Albrecht, principal security researcher at Lookout, told TechCrunch. “We believe that a case can be made that UNC6353 is potentially a Russian criminal proxy, given the dual goals of financial theft and intelligence collection.”

For Cole, “all signs point to the Russian government.” The campaign’s geographic restriction to Ukraine, while demonstrating technical capability for wider attacks, implies a degree of operational restraint focused on a specific intelligence target.

What the Discovery Reveals

The sequential discoveries of Coruna and Darksword indicate that advanced, stealthy spyware for iPhones may be more prevalent than previously assumed. These toolkits represent a significant threat, capable of bypassing Apple’s security protections to extract sensitive personal and financial information.

The incident underscores the ongoing use of sophisticated cyber espionage tools in the conflict between Russia and Ukraine. It also highlights the blurring lines between state-sponsored espionage and financially motivated cybercrime when advanced surveillance tools proliferate.

Apple has not publicly commented on the Darksword campaign. Users are advised to keep their devices updated with the latest security patches and to exercise caution when browsing, especially on regional websites in conflict zones.

This article was produced with AI assistance and reviewed by our editorial team for accuracy and quality.
