New iPhone Spyware Linked to Russian Hackers Stole Data From Ukrainians, Security Researchers Say

A recently discovered iPhone hacking campaign linked to suspected Russian groups shows that advanced spyware is being used to steal personal data from Ukrainians, such as passwords, photos, messages, and browser history.

Researchers say the attackers used a new toolkit that infects devices quickly, collects information, and leaves before victims notice anything is wrong.

Researchers Trace New iPhone Attacks to Russian-Linked Activity

TechCrunch reported that researchers from Google, iVerify, and Lookout studied the attacks and connected them to a group called UNC6353. They said this group targeted iPhone users in Ukraine by using compromised websites.

The attackers used a toolkit named Darksword, which followed an earlier iPhone exploit called Coruna that was also used against Ukrainians.

Spyware Designed to Steal Messages, Photos, and Passwords

The new campaign is especially concerning because of the kind of information Darksword was made to steal.

TechCrunch said the toolkit was designed to take passwords; photos; WhatsApp, Telegram and text messages; and browser history, and it could also target cryptocurrency wallet apps.

Reuters described Darksword as spyware capable of penetrating hundreds of millions of Apple devices. Researchers estimate that about 220 million to 270 million iPhones could still be at risk because many people delay updating their software.

A Fast “Smash-and-Grab” Operation

Researchers said Darksword was not designed for long-term spying like traditional spyware. Instead, it worked more like a quick theft tool.

Lookout researchers said the malware’s dwell time on the device is likely in the range of minutes, depending on how much data it collected.

Rocky Cole, co-founder of iVerify, called it a “smash-and-grab operation,” meaning the attackers wanted to quickly steal personal information rather than keep access for a long time.

Espionage and Financial Theft Appear to Overlap

The campaign seems to mix espionage with financial crime.

Darksword was built to steal cryptocurrency from popular wallet apps, which is unusual for a group suspected of having ties to a state.

Lookout said this may indicate either a financially motivated attacker or Russian state-aligned activity that now includes mobile financial theft.

Justin Albrecht, a principal security researcher at Lookout, told TechCrunch that UNC6353 is a well-funded and connected threat actor carrying out attacks for both financial gain and espionage in alignment with Russian intelligence requirements.

Darksword Follows Earlier iPhone Exploit Campaigns

The new toolkit comes after Coruna, another advanced iPhone exploit kit that Google had already linked to Russian attacks on Ukrainians.

Coruna was first used by a government client of a surveillance vendor, then by Russian spies against Ukrainians, and later by Chinese cybercriminals trying to steal cryptocurrency.

The discovery of Darksword, which uses different vulnerabilities but works in a similar way, suggests that powerful iPhone hacking tools are becoming more common.

Attack Appears Broader Than a Typical Spy Operation

Researchers also warned that this was not a targeted espionage operation focused on just a few high-profile people.

The malware was made to infect anyone visiting certain Ukrainian websites from inside Ukraine, so the campaign acted more like a broad watering-hole attack than a single, targeted hack.

This wider approach is more serious because it shows that advanced iPhone exploits can be used against regular people in conflict zones.

A Warning About the Growing Threat to Mobile Devices

The main takeaway is that mobile devices are now major targets in modern cyber conflicts, especially during wars where spying and financial theft can happen at the same time.

For Ukrainians, this campaign shows that a smartphone can be both a vital way to communicate and a valuable target for spying.

For the tech industry, it is another warning that advanced iPhone hacking tools are spreading to more people and possibly more conflicts than experts once thought.
