The New Grok Times

Russian Zero-Click iPhone Exploit Hit Every Unpatched Device That Visited Ukrainian Government Websites

[Image: a smartphone screen displaying code with a dark hooded figure silhouetted in the background. Credit: New Grok Times]
TL;DR

Russian-linked hackers deployed DarkSword — a zero-click iPhone exploit — on Ukrainian websites. If you visited one of the affected sites on an unpatched iPhone, the device was probably compromised. The payload steals cryptocurrency wallet data, messages, and other personal data.

MSM Perspective

The Record confirmed March 18 this is the work of UNC6353, a Russian threat actor. Google GTIG published technical analysis linking DarkSword to nation-state tooling. Apple patched iOS 18.4 after receiving reports.

X Perspective

Cybersecurity accounts are divided between those alarmed by the zero-click vector and those noting Apple's patch timeline was fast by historical standards. @HorstKrieger called it 'professionally designed.' The core concern: this exploit sits on compromised Ukrainian sites waiting for any iPhone to connect. Not spy vs. spy — anyone with an unpatched iPhone in Ukraine was a target.

A Russian threat actor — confirmed by Google GTIG as UNC6353 — deployed DarkSword, a zero-click iPhone exploit, on Ukrainian government websites. No phishing link. No app to download. Visiting a compromised page was enough. Your iPhone was owned.

The exploit chain uses six vulnerabilities, including three zero-days Apple did not know about until Google reported them. Devices that had not yet installed Apple's security fix remained exposed. Once infected, the GHOSTBLADE payload grabs emails, messages, photos, credentials, and cryptocurrency wallets — MetaMask, Coinbase, Binance, and Ledger.

"This malware is highly sophisticated and appears to be a professionally designed platform," Lookout researchers noted. This was not a ransomware gang running scripts. This was a state operation.

Researchers say the attackers "may not be highly sophisticated themselves." Limited efforts to conceal parts of the operation suggest they purchased exploits off the shelf and used AI to fill gaps. A secondary market for advanced exploits now exists — nation-state-level iPhone hacking, available to anyone with cryptocurrency and a dark web connection.

The campaign hit a Ukrainian regional news outlet covering the war and a Ukrainian court's website. Classic watering hole attack: compromise the site your targets visit, wait for them to come to you.
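Site operators defending against the watering-hole pattern described above usually baseline what their pages load and alert on anything new. The Python script below is an added example written for this article, not code from the article, from Google GTIG, Lookout or CERT-UA; it compares a freshly captured copy of a page against a known-good baseline and reports external script or iframe sources and inline script bodies that were not present before. The sample pages, the hostname cdn.example.net and the script bodies are constructed for illustration only.

```python
"""Baseline comparison of the loaders a web page pulls in (added example; constructed sample data)."""
import hashlib
from html.parser import HTMLParser

# Tags whose src attribute pulls remote code or content into the page.
LOADER_TAGS = {"script", "iframe"}


class LoaderCollector(HTMLParser):
    """Collect (tag, src) pairs for external loaders and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag not in LOADER_TAGS:
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add((tag, src))
        elif tag == "script":
            # No src attribute: the script body follows as CDATA until </script>.
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._in_inline_script = False


def fingerprint(html):
    """Return the set of external loaders and inline-script hashes found in one page."""
    parser = LoaderCollector()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "inline": parser.inline_hashes}


def unexpected_loaders(baseline_html, current_html):
    """Return loaders present in the current page but absent from the known-good baseline."""
    base = fingerprint(baseline_html)
    cur = fingerprint(current_html)
    return {
        "new_external": sorted(cur["external"] - base["external"]),
        "new_inline": sorted(cur["inline"] - base["inline"]),
    }


# Constructed sample pages: a known-good capture and a later capture with two additions.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = {lang: "uk"};</script>
</head><body><h1>Court notices</h1></body></html>"""

CURRENT_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = {lang: "uk"};</script>
<script src="https://cdn.example.net/loader.js"></script>
<script>document.write('<iframe src="https://cdn.example.net/frame" width=0 height=0>');</script>
</head><body><h1>Court notices</h1></body></html>"""


if __name__ == "__main__":
    report = unexpected_loaders(BASELINE_HTML, CURRENT_HTML)
    for tag, src in report["new_external"]:
        print(f"new external {tag}: {src}")
    for digest in report["new_inline"]:
        print(f"new inline script, sha256 {digest}")
```

Run against periodic captures of the site's own pages (for instance from a monitoring host outside the web tier), a non-empty report is the signal to inspect the server for a compromise. Hashing inline bodies rather than storing them keeps the baseline small and still catches a single-character change; because the parser treats script content as CDATA, a tag name written inside a script string does not confuse the comparison.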

Google collaborated with CERT-UA to take down the malicious code. Apple released a fix after receiving reports from Google and Lookout.

If you are in Ukraine running an iPhone, update immediately. Think twice before visiting any government-adjacent websites for a while.

— KATYA VOLKOV, Moscow


Sources & X Posts

News Sources
[1] https://therecord.media/russia-linked-hackers-use-iphone-exploit-ukraine
[2] https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain
X Posts
[3] A likely Russia-linked threat actor deployed a sophisticated iPhone hacking tool to target Ukrainian users and steal sensitive data https://x.com/HorstKrieger/status/2034879703496962338
[4] A powerful iPhone hacking tool called DarkSword was found sitting openly on compromised Ukrainian websites — silently breaking into any unpatched iPhone https://x.com/cybernewslive/status/2034911003981349001