Google researchers have identified a new iOS exploit chain called DarkSword that targets iPhones running iOS versions 18.4 through 18.7. The exploit deploys Ghostblade malware designed to steal data from major cryptocurrency exchange and wallet apps. Campaigns using the exploit have been observed in Saudi Arabia, Turkey, Malaysia, and Ukraine, with some attacks compromising government websites to deliver the malware to users.
Google researchers have identified an iOS exploit chain called DarkSword being used in the wild. This exploit leverages six vulnerabilities to deploy malware on devices running iOS versions 18.4 through 18.7, according to the research.
Once a user visits a malicious website with a vulnerable device, the exploit deploys malware including a JavaScript-based data stealer called Ghostblade. This malware actively seeks out major crypto exchange apps such as Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC.
Ghostblade also hunts for popular crypto wallet applications including Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe. It simultaneously exfiltrates SMS and iMessage messages, call history, contacts, Wi-Fi passwords, Safari cookies and browsing history, and saved passwords.
Multiple actors are deploying the exploit, ranging from commercial spyware vendors to state-backed groups. Campaigns have been observed in Saudi Arabia using a fake Snapchat lookalike, and in Ukraine through compromised websites including a government site.
Ghostblade is designed for quick data theft rather than long-term surveillance. It collects all available data, then deletes its temporary files and terminates itself.
This is the latest in a wave of malware targeting crypto users. It follows incidents like the Inferno Drainer malware that stole some $9 million from crypto users over a six-month period last year.
