A suspected Russian government-affiliated hacking group has been caught deploying advanced iPhone spyware against Ukrainian targets, marking another escalation in the digital front of the Russia-Ukraine war. Cybersecurity researchers from Google’s Threat Analysis Group (TAG), security firm Lookout, and iPhone forensics company iVerify revealed on Thursday that a hacking campaign attributed to the threat actor UNC6353—widely believed to operate in alignment with Russian intelligence—used a newly discovered toolkit called Darksword to infiltrate Apple devices. The malware, designed to extract sensitive personal data and cryptocurrency wallet credentials, underscores the growing sophistication and accessibility of mobile surveillance technology, even as it raises serious questions about the weaponization of consumer technology in state-sponsored espionage.
Key Takeaways: What You Need to Know About Darksword Spyware
- Suspected Russian hackers (UNC6353) used Darksword spyware to target Ukrainians’ iPhones, stealing passwords, messages, and browser data.
- Darksword was designed for quick, covert data theft—operating for only minutes—unlike traditional persistent spyware.
- The malware also targeted cryptocurrency wallets, a rare move for government-linked hackers, suggesting possible financial motives.
- Researchers believe the same developers may have created Darksword and Coruna, a related iPhone hacking tool previously linked to Russian and Chinese actors.
- The campaign appears to have been delivered via compromised Ukrainian websites, infecting any visitor within Ukraine using an iPhone.
Inside the Darksword Spyware: How It Works and What It Steals
Darksword is a modular iPhone spyware toolkit that infiltrates devices through watering-hole attacks—compromised websites that lure specific users. According to researchers at Lookout and iVerify, the malware exploits unpatched vulnerabilities in Apple’s iOS to gain access, then rapidly extracts a trove of personal data before vanishing. Unlike traditional state-sponsored spyware like Pegasus, which maintains long-term access to devices, Darksword is engineered for ‘smash-and-grab’ operations, with a dwell time estimated at just “minutes,” depending on the volume of data discovered.
Once installed, Darksword harvests a comprehensive digital footprint: saved passwords, browsing history, photos, text messages, and conversations from encrypted apps like WhatsApp and Telegram. Rocky Cole, co-founder of iVerify, told TechCrunch that the hackers’ focus on capturing ‘pattern of life’ data suggests a strategic interest in understanding targets’ daily routines rather than continuous surveillance. ‘This isn’t about watching someone 24/7,’ Cole said. ‘It’s about getting in, getting what you need, and getting out.’
Cryptocurrency Theft: A New Frontier for State-Linked Hackers?
One of the most striking features of Darksword is its built-in capability to steal cryptocurrency from popular wallet apps such as Trust Wallet and MetaMask. While traditional state-sponsored hackers typically avoid financial theft—preferring to maintain clean operational security—Lookout’s researchers noted that Darksword’s dual functionality could indicate either a shift in tactics or the presence of a financially motivated proxy operating in Russia’s interests. ‘This may indicate that this threat actor is financially motivated, or alternatively it may indicate that this (likely) Russian state-aligned activity has expanded into financial theft targeting mobile devices,’ Lookout wrote in its technical analysis. However, Cole cautioned that there’s no concrete evidence the hackers actually followed through on crypto theft, only that the malware was capable of it.
Darksword and Coruna: A Family of Spyware with a Troubled Past
Darksword is not the first advanced iPhone hacking tool linked to Russian cyber operations. In early March 2024, Google TAG revealed details of a separate spyware suite called Coruna, which was originally developed by U.S. defense contractor L3Harris for Western intelligence agencies—specifically members of the Five Eyes alliance (the U.S., U.K., Canada, Australia, and New Zealand). According to former L3Harris employees who spoke to TechCrunch on condition of anonymity, Coruna was designed as a ‘lawful intercept’ tool for government use, enabling authorities to monitor suspects’ devices with judicial oversight.
But the tool’s lifecycle took a dramatic turn when it was repurposed. After being sold to a surveillance tech vendor, Coruna was reportedly used by Russian intelligence operatives targeting Ukrainians. Following that, it was deployed by Chinese cybercriminals seeking to steal cryptocurrency—underscoring how dual-use surveillance technology can proliferate beyond its original intent. ‘This is a textbook example of how offensive cyber tools move from defense contractors to adversarial governments,’ said a cybersecurity analyst familiar with the matter. ‘Once it’s out there, it’s nearly impossible to control.’
Who Is UNC6353? The Shadowy Group Behind the Attacks
While cybersecurity firms avoid definitively attributing cyberattacks to nation-states due to the difficulty of conclusive proof, multiple indicators strongly suggest that UNC6353 is a Russian state-aligned threat actor. Justin Albrecht, principal security researcher at Lookout, described the group as ‘a well-funded and connected threat actor conducting attacks for financial gain and espionage in alignment with Russian intelligence requirements.’ He further posited that UNC6353 may function as a ‘Russian criminal proxy,’ blending traditional espionage with financially driven cybercrime.
The group’s operational profile includes using compromised infrastructure, modular malware, and rapid exfiltration techniques—all hallmarks of sophisticated state-linked operations. Rocky Cole of iVerify told TechCrunch, ‘All signs point to the Russian government’ as the ultimate beneficiary of these attacks. He added that the development timeline and tooling suggest a high level of professionalism, possibly involving the same developers who built Coruna. ‘This isn’t some script kiddie operation,’ Cole said. ‘The code quality is exceptional. Someone with deep knowledge of iOS internals built this.’
How the Attacks Were Discovered: The Role of Google, Lookout, and iVerify
The Darksword campaign was uncovered through a collaborative effort between Google’s Threat Analysis Group, cybersecurity firm Lookout, and iPhone forensics specialist iVerify. Researchers identified a pattern of compromised websites—primarily Ukrainian domains—that redirected visitors to servers hosting the Darksword exploit. The malware was delivered via a zero-click vulnerability in iOS, meaning it could infect a device without the user clicking a link or opening an attachment.
‘These campaigns are becoming increasingly stealthy and harder to detect,’ said a Google TAG spokesperson. ‘What makes Darksword particularly concerning is its combination of speed, precision, and adaptability. It’s not just about stealing data—it’s about doing so with minimal exposure to the attackers.’ iVerify’s analysis revealed that the malware was designed to avoid leaving forensic traces, further complicating detection and attribution.
Why This Matters: The Broader Implications of Mobile Spyware in Modern Warfare
The emergence of Darksword—and its predecessor Coruna—signals a dangerous new phase in cyber espionage, where consumer-grade devices become primary targets for state-sponsored surveillance. Unlike traditional hacking campaigns that focus on computers or servers, mobile spyware can compromise an individual’s entire digital life in seconds. For Ukrainians living under Russian aggression, this adds another layer of vulnerability: their smartphones, which contain intimate personal and professional communications, are now potential instruments of espionage.
The proliferation of such tools also raises ethical and geopolitical concerns. While Western governments have historically developed and deployed offensive cyber capabilities, the dual-use nature of these technologies means they can—and do—fall into the hands of adversaries. The L3Harris case is a stark reminder: surveillance tools designed for law enforcement can be repurposed for authoritarian control or cybercrime. ‘Once a tool like this exists, it’s impossible to put the genie back in the bottle,’ said a former U.S. intelligence official who requested anonymity. ‘The genie is already out, and it’s being used against our allies.’
The Future of Mobile Espionage: Are Attacks on iPhones Becoming the New Normal?
Security experts warn that the Darksword campaign may be just the beginning. As iPhones become ubiquitous in daily life—from government communications to financial transactions—their value as intelligence targets will only grow. Lookout’s Albrecht noted that the modular design of Darksword means it can be easily updated or repurposed for new campaigns. ‘This toolkit is not static,’ he said. ‘It’s a platform. And platforms get reused.’
For Apple, the challenge is twofold: patching vulnerabilities faster than they’re exploited and educating users about the risks of mobile surveillance. While the company has invested heavily in security features like Lockdown Mode and iOS sandboxing, no system is impenetrable. The Darksword discovery underscores the need for continuous vigilance, especially in regions under active cyber conflict.
Protecting Yourself: How to Reduce Your Risk of Mobile Spyware
While the Darksword campaign specifically targeted Ukrainians, mobile spyware is a global threat. Cybersecurity experts recommend several steps to protect your device: enable automatic iOS updates to patch known vulnerabilities, avoid sideloading apps from untrusted sources, and be cautious when visiting unfamiliar websites—especially those in high-risk regions. Rocky Cole of iVerify also advises users to enable Lockdown Mode on iPhones, which restricts certain functionalities that malware often exploits.
‘The best defense is a layered one,’ Cole said. ‘No single tool will protect you, but combining software updates, cautious browsing, and Lockdown Mode can significantly reduce your risk.’ Users who suspect they’ve been targeted should conduct a full device reset or consult a cybersecurity professional for forensic analysis.
Frequently Asked Questions
- What is Darksword spyware and how does it infect iPhones?
- Darksword is a modular iPhone spyware toolkit used to steal personal data and cryptocurrency from infected devices. It infects iPhones via compromised websites that deliver a zero-click exploit, allowing the malware to install without user interaction. The malware then rapidly extracts data before disappearing.
- Who is behind the Darksword attacks on Ukrainians?
- Cybersecurity researchers attribute the Darksword campaign to UNC6353, a threat actor widely believed to operate in alignment with Russian intelligence. The group is described as well-funded and connected, with motives including espionage and financial theft.
- Is Darksword related to the Coruna spyware uncovered earlier?
- Yes. Researchers believe Darksword and Coruna were developed by the same team, possibly the same developers. Coruna was originally created by U.S. defense contractor L3Harris for Western intelligence agencies but was later repurposed by Russian and Chinese actors.