
DarkSword Exploit Hits iOS Devices Targeting Crypto Users

2026/03/20 20:50

TLDR

  • DarkSword hits iOS 18.4–18.7, stealing crypto wallets and personal data.

  • Ghostblade malware targets Coinbase, Binance, Ledger, MetaMask, and more.

  • Exploit triggers via fake sites; no user action needed to infect devices.

  • Final-stage malware self-deletes after stealing sensitive data quickly.

  • Update to iOS 26.3 or enable Lockdown Mode to block DarkSword attacks.

A new iOS exploit chain called DarkSword is actively targeting devices running iOS 18.4 through 18.7. The exploit leverages six zero-day vulnerabilities to install malware on compromised devices. Multiple actors are deploying DarkSword against users in Saudi Arabia, Ukraine, Malaysia and Turkey.

DarkSword delivers malware designed to steal sensitive data, including login credentials, call history and location information. It specifically targets cryptocurrency apps and wallets on infected devices. Users visiting compromised websites can unknowingly trigger the exploit without any interaction.

Cybersecurity researchers have identified several final-stage malware families deployed through DarkSword. These include Ghostblade, Ghostknife, and Ghostsaber, which extract data quickly and self-delete afterward. The campaigns show DarkSword’s adoption by both commercial spyware vendors and state-backed threat actors.

Ghostblade Targets Crypto Exchanges and Wallets

Ghostblade, deployed by DarkSword, actively searches for cryptocurrency exchange applications on iOS devices. It targets major platforms such as Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC. The malware also hunts popular wallets including Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe.

In addition to crypto assets, Ghostblade collects SMS, iMessage, call history, and contacts from the device. It also exfiltrates Wi-Fi credentials, Safari cookies, browsing history, and location information. The malware accesses health data, photos, and messaging history from Telegram and WhatsApp.

Ghostblade operates for short-term data theft, deleting temporary files and terminating itself after extraction. This quick-action design ensures minimal traces remain on the infected device. DarkSword’s ability to deliver Ghostblade highlights the increasing targeting of crypto users.

Global Deployment and Exploit Mechanics

DarkSword has been observed in targeted campaigns using fake websites and compromised government portals. In Saudi Arabia, a Snapchat-themed site was used to infect devices through DarkSword. The exploit chain creates iframes and fetches remote code execution modules to deliver the malware.

Different RCE exploits in DarkSword target specific iOS versions, and the vulnerabilities they use include memory corruption and PAC bypass flaws. The loader logic sometimes fails to differentiate device versions, reflecting the tool’s rapid deployment. Despite this, DarkSword consistently installs final-stage payloads like Ghostknife and Ghostsaber.

Researchers reported the vulnerabilities to Apple in late 2025, and patches were included in iOS 26.3. Domains linked to DarkSword delivery have now been added to Safe Browsing lists. Users are urged to update iOS devices or enable Lockdown Mode for added protection against DarkSword campaigns.
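For teams managing more than one device, the version guidance above can be applied to an inventory export. The following is an added example, not part of the original article: the record fields (`name`, `os_version`, `lockdown_mode`), the status labels and the sample fleet are constructed assumptions, while the 18.4 to 18.7 range, iOS 26.3 and Lockdown Mode come from the article.

```python
import re

TARGET_LOW, TARGET_HIGH = (18, 4), (18, 7)  # range the article reports as targeted
PATCHED = (26, 3)                           # release the article says carries the fixes

def parse_version(text):
    """Return (major, minor) as ints from strings like '18.6.2' or 'iOS 26.3'."""
    m = re.search(r"(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    # Compare as integers: as strings, '18.10' would sort before '18.4'.
    return int(m.group(1)), int(m.group(2) or 0)

def triage(device):
    """Classify one inventory record (field names are assumptions)."""
    version = parse_version(device["os_version"])
    if version >= PATCHED:
        return "patched"
    if TARGET_LOW <= version <= TARGET_HIGH:
        # Lockdown Mode is the article's stopgap; the update is still needed.
        return "mitigated" if device.get("lockdown_mode") else "urgent"
    return "unpatched"  # below 26.3 but outside the reported target range

def triage_fleet(devices):
    """Return (name, os_version, status) rows, most urgent first."""
    order = {"urgent": 0, "mitigated": 1, "unpatched": 2, "patched": 3}
    rows = [(d["name"], d["os_version"], triage(d)) for d in devices]
    return sorted(rows, key=lambda row: order[row[2]])

# Constructed sample inventory, shaped like a simple MDM export.
SAMPLE_FLEET = [
    {"name": "carol-ipad", "os_version": "26.3", "lockdown_mode": False},
    {"name": "alice-iphone", "os_version": "18.6.2", "lockdown_mode": False},
    {"name": "dave-iphone", "os_version": "17.7.1", "lockdown_mode": False},
    {"name": "bob-iphone", "os_version": "iOS 18.4", "lockdown_mode": True},
    {"name": "erin-iphone", "os_version": "26.2", "lockdown_mode": False},
]

if __name__ == "__main__":
    for name, version, status in triage_fleet(SAMPLE_FLEET):
        print(f"{status:<10} {name:<14} {version}")
```
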

DarkSword has emerged as a significant threat to cryptocurrency users on iOS devices. The exploit’s rapid adoption by multiple actors signals a growing risk to digital assets. Its targeting of exchanges, wallets, and personal data underscores the need for immediate device updates.

The post DarkSword Exploit Hits iOS Devices Targeting Crypto Users appeared first on CoinCentral.
