New forensic findings reveal a stealthy iPhone exploit used against Ukrainians, showing rapid data theft and possible cryptocurrency targeting.
A group of hackers linked to the Russian government is suspected of targeting iPhone users in Ukraine using a new set of hacking tools that can steal personal data and likely cryptocurrency, cybersecurity experts say.
Google analysts, in collaboration with iVerify and Lookout, studied new cyberattacks against Ukrainians carried out by a group known as UNC6353. The report examines compromised websites in a campaign related to an event previously uncovered this month. The latest campaign used a hacking toolkit named Darksword.
The discovery of Darksword so soon after similar tools suggests that modern, covert, and powerful iPhone spyware is not as rare as previously believed. Darksword's own data indicates that it was aimed primarily at Ukrainian users, suggesting the campaign was geographically constrained.
In March, Google revealed details of a complex iPhone hacking kit named Coruna. According to the company, the tool was first used by a government client of a surveillance vendor, then by Russian spies targeting Ukrainians, and later by Chinese cybercriminals seeking to steal cryptocurrency. As TechCrunch reported, the hacking kit was initially developed by the American defense company L3Harris, specifically its Trenchant division.
Coruna was initially created for use by Western government structures, including those in the so-called Five Eyes alliance – Australia, Canada, New Zealand, the United States, and the United Kingdom, according to former L3Harris employees who knew about iPhone hacking tools.
Subsequently, researchers documented a related campaign that uses more modern tools and exploits other vulnerabilities.
The Darksword toolkit, as researchers note, is designed to steal personal information – passwords; photographs; messages in WhatsApp, Telegram, and SMS; as well as browser history. Notably, Darksword was not built for long-term surveillance, but rather for infecting a victim, stealing data, and disappearing quickly.
Its time on the device is likely to be in the range of a few minutes, depending on the amount of data it detects and exfiltrates.
UNC6353 is a well-funded and well-established threat actor conducting attacks for financial gain and for intelligence in line with the requirements of Russian intelligence services.
We believe it can be shown that UNC6353 potentially serves as a Russian criminal proxy, given its dual goals of financial theft and intelligence gathering.
According to experts, the attackers developed the software so that it could be easily adapted to new features, indicating a high level of professionalism. It is also noted that the same group was likely involved in Coruna, deploying their tools against Ukrainians.
The Role of Russia and Implications for Users
Experts emphasize the systemic nature of Russian cyber operations: rapid deployment of new tools, targeting regions, and collecting sensitive data for financial gain or intelligence. For iPhone users in Ukraine, this means heightened attention to security: updating devices, using secure messaging apps, enabling two-factor authentication, and being cautious about suspicious links and apps. It is important to stay involved in cybersecurity, follow basic digital hygiene practices, and regularly update software.
