Researchers have discovered a second instance of suspected Russian hackers using iOS exploits, pointing to what they say are several foreboding trends.

iVerify, Lookout and Google collaborated on the research published Wednesday, a follow-up to earlier revelations about a similar exploit kit, Coruna. While the second kit — dubbed DarkSword — also targeted users in Ukraine, the scale is significant: iVerify estimated up to 270 million iPhone users could be susceptible, while Lookout told CyberScoop roughly 15% of all iOS devices currently in use are running iOS 18 or earlier versions and could be vulnerable to the exploit kit.

The research reveals a range of new details, as well as interesting patterns:

• Whereas Russian and Chinese hackers used Coruna with financial gain in mind, there are signs DarkSword could serve both financial and surveillance purposes, and/or could be used to inflict harm.
• Lookout observed that someone used a large language model to customize both Coruna and DarkSword.
• The discovery of DarkSword reinforces earlier concerns about a secondary exploit market, Lookout and iVerify said.
• DarkSword is the second “mass” iOS campaign discovered this month, with the first known one to be Coruna.
• Both kits suggest cyberattacks are migrating toward mobile phones as they make up a bigger portion of internet traffic, Rocky Cole, iVerify’s co-founder and chief operating officer, told CyberScoop.
• Google also found that DarkSword was used against targets in Saudi Arabia, Turkey, and Malaysia

DarkSword can exfiltrate saved passwords, crypto wallets, text messages and more, researchers found. Attackers are leveraging the exploit kit by first compromising Apple’s WebKit and then using WebGPU as a pivot point for sandbox escapes, according to Justin Albrecht, Lookout’s global director for mobile threat intelligence.

What’s less clear is who, exactly, is behind the exploit kit, other than the links to Russia. Cole said DarkSword is hosted on the same command and control infrastructure as Coruna, but is an entirely separate kit made by entirely separate people. Google has attributed the campaigns to a group it tracks as UNC6353, which it describes as a Russian-backed espionage group, as well as UNC6748 and Turkish commercial surveillance vendor PARS Defense. 

The attackers’ motives are also a bit opaque, mixing what appears to be both espionage and financial objectives. Albrecht noted there is precedent for this: Russian threat groups have targeted cryptocurrency in Ukraine before, notably with Infamous Chisel, an Android exploit kit deployed by Sandworm. 

“They’re probably well-funded, probably well-connected, but it’s confirmed that they’re stealing crypto. There is definitely a financial motivation,” Albrecht told CyberScoop. “Now, I think the big question is, depending on who the group is, is the financial motivation in this just to do damage to Ukrainians, or is it to steal crypto?”

Russia has been under heavy sanctions for a long time and is starting to have budget problems due to the ongoing war in Ukraine, he noted. “Why not start to fund their operations with stolen funds? It wouldn’t be outside the norm, although it would be a potential shift in their TTPs for Russian APTs in general,” Albrecht said. 

The kit could be handy for someone trying to do a “pattern of life” analysis, Cole said, and thus useful for surveillance and intelligence purposes.

He said a commercial spyware vendor might have made the kit with no target audience in mind, thus the “Swiss Army knife”-like quality of it. The major concern for Cole is that there’s apparently a growing market for these kinds of tools, and people may be lulled into a false sense of security about iPhones not being vulnerable.

Despite the sophistication of the exploits themselves, the threat actors behind DarkSword may not be particularly experienced, Albrecht said. None of the JavaScript or HTML code was obfuscated in any way, and the server-side component was labeled “Dark sword file receiver” — poor operational security for a seasoned Russian threat actor.

“Your experienced Russian threat actors, your APT29’s of the world, I would expect them to have better OPSEC,” Albrecht said.

One of the more unusual findings in the research is the clear presence of large language model-generated code. The server-side component of DarkSword, for instance, includes telltale signs of AI-generated code, complete with detailed notes and comments characteristic of LLM output.  It’s a development that effectively lowers the barrier to entry for deploying advanced mobile exploits, even among state-sponsored actors, Albrecht said.

All three research teams have been in contact with Apple about the findings, according to Albrecht, with Google likely in closest contact since they began investigating the threat in late 2025. In its blog, Google said it reported the vulnerabilities used in DarkSword to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3, although most were patched prior.

CLARIFICATION 3/18/26: Clarified the suspected origins of the DarkSword exploit kit and any links to tools developed for the U.S. government.

The post Second iOS exploit kit now in use by suspected Russian hackers appeared first on CyberScoop.

Attackers associated with Russia’s Main Intelligence Directorate (GRU) have targeted Western-based critical infrastructure with a special focus on the energy sector as part of an ongoing campaign dating back to 2021, Amazon Threat Intelligence said in a report Monday. 

The threat group simplified operations earlier this year by shifting away from vulnerability exploitation to focus on misconfigured network edge devices hosted on Amazon Web Services as the primary initial access vector, CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post. 

Researchers said malicious infrastructure used by the attackers overlaps with operations linked to Sandworm, also known as APT44 and Seashell Blizzard, a detail that gives them confidence the activity is associated with Russia’s GRU. 

Amazon did not say how many attacks it’s attributed to the campaign, nor how the pace of activity has changed since the first wave of attacks occurred in 2021. The company said it has notified customers affected by the intrusions, remediated compromised EC2 instances and shared intelligence with partners and affected vendors to aid further investigations.

The Russia state-sponsored threat group has continued to target multiple Western-based organizations in the energy sector including electric utilities, energy providers and managed security service providers specializing in the industry, according to Amazon. 

Researchers said the threat group has also targeted collaboration platforms, source code repositories, organizations with cloud-based network infrastructure, critical infrastructure providers in North America and Europe, and telecom providers across multiple regions. 

Attacks typically begin with a compromised customer network edge device hosted on AWS, followed by attempts to capture data traversing the network in a bid to steal credentials and reuse those credentials against victim organizations’ other services and infrastructure to maintain access, according to Amazon.

Moses insists the compromise of network edge devices hosted on AWS is not due to a weakness in its  infrastructure, but rather improper device setup from customers. Attackers associated with Russia’s GRU have targeted enterprise routers and routing infrastructure, virtual private networks for large organizations, remote-access gateways and network-management appliances. 

The campaign initially relied on vulnerability exploitation from 2021 to 2024, including CVE-2022-26318 affecting WatchGuard, CVE-2021-26084 and CVE-2023-22518 affecting Confluence and CVE-2023-27532 affecting Veeam, researchers said.

Yet, targeting shifted to misconfigured network edge devices this year, which allowed attackers to achieve the same strategic goals at a lower cost. 

“While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation,” Moses said in the blog post. “The actor accomplishes this while significantly reducing the risk of exposing their operations through more detectable vulnerability exploitation activity.”

Sandworm is one of the most notorious state-sponsored threat groups of the past decade. The group primarily targets government, defense, transportation, energy, media and civil society organizations in Russia’s near abroad. It has repeatedly targeted Western electoral systems and institutions, including in NATO member countries. On three separate occasions, the group has succeeded in using a cyberattack to disrupt electricity distribution in Ukraine.

The post Amazon warns that Russia’s Sandworm has shifted its tactics appeared first on CyberScoop.