DarkSword iOS Exploit Kit

Tags: iOS, Exploit Kit, Zero-Day, DarkSword, UNC6353
DarkSword is a sophisticated iOS exploit kit that leverages six vulnerabilities, including three zero-days, to achieve full device takeover. It targets iOS versions 18.4 to 18.7 and has been used by various threat actors, including state-sponsored groups, to exfiltrate sensitive data rapidly.

Indicators of Compromise

e5.malaymoil.com
sahibndn.io
static.cdncounter.net
sqwas.shapelie.com
snapshare.chat

APT Groups (1)

UNC6353 (RU)

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTIONS

DET0080 - Exploit Public-Facing Application

| Data Component | Name | Channel |
| --- | --- | --- |
| Application Log Content (DC0038) | ApplicationLog:IIS | IIS W3C logs (5xx spikes, RCE/SQLi patterns) |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |


DET0090 - Cross-host C2 via Removable Media Relay

| Data Component | Name | Channel |
| --- | --- | --- |
| Drive Creation (DC0042) | WinEventLog:System | EventCode=1006 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |


DET0100 - Behavioral Detection of APC Injection

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | APCQueueOperations |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |


Observed Countries (4)

MY (490)
SA (102)
TR (387)
UA (958)