DarkSword Malware Strikes iOS: Crypto Wallets Under Attack

Key Takeaways

• DarkSword compromises iOS versions 18.4 through 18.7, exfiltrating cryptocurrency assets and sensitive information.
• Ghostblade spyware focuses on popular exchanges like Coinbase, Binance, Kraken, and wallets such as Ledger and MetaMask.
• Infection occurs through malicious websites requiring zero user interaction to compromise devices.
• Malware payloads automatically erase themselves after successfully extracting victim data.
• iOS 26.3 update addresses vulnerabilities; Lockdown Mode provides additional defense against DarkSword.

Cybersecurity researchers have uncovered DarkSword, a sophisticated exploit chain compromising Apple devices running iOS versions 18.4 to 18.7. This attack framework utilizes six previously unknown zero-day security flaws to deploy surveillance malware on targeted iPhones. Active campaigns have been detected across Saudi Arabia, Ukraine, Malaysia, and Turkey, indicating widespread deployment.

The DarkSword framework installs data-stealing malware capable of harvesting authentication credentials, communication records, and geolocation data. Cryptocurrency applications and digital wallets represent primary targets for this malicious campaign. Victims become infected simply by visiting weaponized web pages, requiring no clicks or downloads.

Security analysts have documented three distinct malware variants delivered via DarkSword: Ghostblade, Ghostknife, and Ghostsaber. These payloads rapidly extract targeted information before automatically removing themselves from infected systems. Evidence suggests both commercial surveillance companies and government-sponsored hacking groups are utilizing DarkSword in their operations.

Ghostblade Malware Hunts Cryptocurrency Applications

The Ghostblade payload distributed through DarkSword systematically scans compromised iOS devices for cryptocurrency exchange apps. Its target list encompasses leading trading platforms: Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC. Additionally, it searches for prominent wallet software including Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe.

Beyond digital currency theft, Ghostblade harvests text messages, iMessages, phone logs, and contact lists from infected devices. The spyware extracts Wi-Fi passwords, Safari browser cookies, web history, and GPS coordinates. It further accesses Apple Health records, photo libraries, and conversations from messaging platforms like Telegram and WhatsApp.

Ghostblade executes a hit-and-run strategy, removing temporary artifacts and self-destructing after completing data exfiltration. This rapid execution minimizes forensic evidence left on compromised devices. The deployment of Ghostblade through DarkSword demonstrates escalating threats facing cryptocurrency holders.

Worldwide Campaign Distribution and Technical Operation

DarkSword deployment has been documented through weaponized websites and hijacked government web portals. Saudi Arabian victims were lured through a counterfeit Snapchat-themed page hosting the DarkSword exploit. The attack framework generates hidden iframes and retrieves remote code execution modules to inject malware payloads.

Various remote code execution exploits within DarkSword target distinct iOS versions, exploiting memory handling flaws and pointer authentication bypass weaknesses. The loader mechanism occasionally struggles with device version identification, suggesting accelerated development timelines. Nevertheless, DarkSword successfully delivers terminal payloads including Ghostknife and Ghostsaber across affected devices.

Security teams disclosed these vulnerabilities to Apple during late 2025, with remediation patches released in iOS 26.3. Domains associated with DarkSword distribution have been incorporated into browser Safe Browsing databases. iPhone owners should immediately install iOS updates or activate Lockdown Mode to defend against DarkSword exploitation.

DarkSword represents a critical security challenge for iOS cryptocurrency users worldwide. The exploit’s swift proliferation among diverse threat actors demonstrates heightened risks to digital financial holdings. Its comprehensive targeting of exchanges, wallets, and personal information emphasizes the urgency of applying available security patches.

The post DarkSword Malware Strikes iOS: Crypto Wallets Under Attack appeared first on Blockonomi.