According to Slow Mist security team, the DarkSword iOS attack framework has been publicly leaked on GitHub and other channels and is now being exploited in large-scale theft attacks targeting cryptocurrency wallet holders. The malware targets devices running iOS 18.4 to 18.7, exploiting Safari browser vulnerabilities through malicious webpages to achieve remote code execution.
Once users on older iOS versions click malicious links in Safari, attackers can steal sensitive data including private keys and seed phrases via malicious JavaScript code, which is then exfiltrated through Telegram bots. Attackers use spoofed adult streaming, Tron energy station, and refund process pages as lures.