Researchers have discovered a second instance of suspected Russian hackers using iOS exploits, pointing to what they say are several foreboding trends.

iVerify, Lookout and Google collaborated on the research published Wednesday, a follow-up to earlier revelations about a similar exploit kit, Coruna. While the second kit — dubbed DarkSword — also targeted users in Ukraine, the scale is significant: iVerify estimated up to 270 million iPhone users could be susceptible, while Lookout told CyberScoop roughly 15% of all iOS devices currently in use are running iOS 18 or earlier versions and could be vulnerable to the exploit kit.

The research reveals a range of new details, as well as interesting patterns:

• Whereas Russian and Chinese hackers used Coruna with financial gain in mind, there are signs DarkSword could serve both financial and surveillance purposes, and/or could be used to inflict harm.
• Lookout observed that someone used a large language model to customize both Coruna and DarkSword.
• The discovery of DarkSword reinforces earlier concerns about a secondary exploit market, Lookout and iVerify said.
• DarkSword is the second “mass” iOS campaign discovered this month, with the first known one to be Coruna.
• Both kits suggest cyberattacks are migrating toward mobile phones as they make up a bigger portion of internet traffic, Rocky Cole, iVerify’s co-founder and chief operating officer, told CyberScoop.
• Google also found that DarkSword was used against targets in Saudi Arabia, Turkey, and Malaysia

DarkSword can exfiltrate saved passwords, crypto wallets, text messages and more, researchers found. Attackers are leveraging the exploit kit by first compromising Apple’s WebKit and then using WebGPU as a pivot point for sandbox escapes, according to Justin Albrecht, Lookout’s global director for mobile threat intelligence.

What’s less clear is who, exactly, is behind the exploit kit, other than the links to Russia. Cole said DarkSword is hosted on the same command and control infrastructure as Coruna, but is an entirely separate kit made by entirely separate people. Google has attributed the campaigns to a group it tracks as UNC6353, which it describes as a Russian-backed espionage group, as well as UNC6748 and Turkish commercial surveillance vendor PARS Defense. 

The attackers’ motives are also a bit opaque, mixing what appears to be both espionage and financial objectives. Albrecht noted there is precedent for this: Russian threat groups have targeted cryptocurrency in Ukraine before, notably with Infamous Chisel, an Android exploit kit deployed by Sandworm. 

“They’re probably well-funded, probably well-connected, but it’s confirmed that they’re stealing crypto. There is definitely a financial motivation,” Albrecht told CyberScoop. “Now, I think the big question is, depending on who the group is, is the financial motivation in this just to do damage to Ukrainians, or is it to steal crypto?”

Russia has been under heavy sanctions for a long time and is starting to have budget problems due to the ongoing war in Ukraine, he noted. “Why not start to fund their operations with stolen funds? It wouldn’t be outside the norm, although it would be a potential shift in their TTPs for Russian APTs in general,” Albrecht said. 

The kit could be handy for someone trying to do a “pattern of life” analysis, Cole said, and thus useful for surveillance and intelligence purposes.

He said a commercial spyware vendor might have made the kit with no target audience in mind, thus the “Swiss Army knife”-like quality of it. The major concern for Cole is that there’s apparently a growing market for these kinds of tools, and people may be lulled into a false sense of security about iPhones not being vulnerable.

Despite the sophistication of the exploits themselves, the threat actors behind DarkSword may not be particularly experienced, Albrecht said. None of the JavaScript or HTML code was obfuscated in any way, and the server-side component was labeled “Dark sword file receiver” — poor operational security for a seasoned Russian threat actor.

“Your experienced Russian threat actors, your APT29’s of the world, I would expect them to have better OPSEC,” Albrecht said.

One of the more unusual findings in the research is the clear presence of large language model-generated code. The server-side component of DarkSword, for instance, includes telltale signs of AI-generated code, complete with detailed notes and comments characteristic of LLM output.  It’s a development that effectively lowers the barrier to entry for deploying advanced mobile exploits, even among state-sponsored actors, Albrecht said.

All three research teams have been in contact with Apple about the findings, according to Albrecht, with Google likely in closest contact since they began investigating the threat in late 2025. In its blog, Google said it reported the vulnerabilities used in DarkSword to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3, although most were patched prior.

CLARIFICATION 3/18/26: Clarified the suspected origins of the DarkSword exploit kit and any links to tools developed for the U.S. government.

The post Second iOS exploit kit now in use by suspected Russian hackers appeared first on CyberScoop.

A North Korea-backed threat group operating since 2009 has splintered into three distinct groups with specialized malware and objectives, CrowdStrike said in a report released Thursday.

Labeled “Labyrinth Chollima” by the company, the group follows a divergence pattern CrowdStrike observed previously. Labyrinth Chollima has spawned two additional groups: Golden Chollima and Pressure Chollima. The spin-offs, which have been operating since 2020, allow Labyrinth Chollima to narrow its focus on espionage, targeting victims in the manufacturing, logistics, defense and aerospace industries. 

Golden Chollima and Pressure Chollima are squarely focused on stealing cryptocurrency, which funnels money back to the regime, with some of the proceeds funding North Korea’s cyber operations. Pressure Chollima, which was responsible for last year’s record-breaking $1.46 billion cryptocurrency theft, targets high-payout opportunities and has evolved into one of North Korea’s most technically advanced threat groups, according to CrowdStrike.

The groups, which share lineage with the more broadly defined Lazarus Group, share some tools and infrastructure, which indicates centralized coordination, but they’ve also developed more specialized capabilities for their specific objectives, researchers said.

As North Korea’s threat groups continue to branch out, the rogue nation is developing more capabilities and expanding its reach and impact, Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.

“What we’re seeing down range is now aligned with what we’ve seen from a bureaucratic perspective up range,” Meyers said. 

“Over time, as their mission was successful, the bureaucracy grew and the scope of the mission grew, and obviously the organization grew,” he added. “They’ve been operating a resistance economy for many, many years and cyber gives them the ability to do this deniably and at a distance.” 

CrowdStrike currently tracks eight distinct North Korea-backed threat groups, with the addition of Golden Chollima and Pressure Chollima. The cybersecurity firm expects the groups focused on cryptocurrency theft to scale their operations as international sanctions impair North Korea’s economy.

Labyrinth Chollima has more recently targeted European aerospace companies, defense manufacturers, logistics and shipping companies, and U.S.-based critical infrastructure providers, including those involved in hydroelectric power. The threat group, which other firms track as Diamond Sleet and Operation Dream Job, has also developed a knack for employment-themed social engineering, researchers said.

“North Korea is probably one of the top-notch actors out there. A lot of people don’t give them credit for that,” Meyers said.

CrowdStrike’s research on Labyrinth Chollima’s spin-offs aims to help organizations defend against these distinct threats by also providing indicators of compromise and malware samples observed in various attacks.

“You need to know who the threats are to your specific industry and geolocation, because you can’t defend against all the threats all the time,” Meyers said. “You can’t boil the ocean.”

The post Long-running North Korea threat group splits into 3 distinct operations appeared first on CyberScoop.