TL;DR: A new iOS exploit chain called DarkSword is being used in infostealer attacks that begin with a simple Safari visit, compromise devices, and focus on crypto wallets and exchange accounts, according to Swarmnetics. The pattern shows how browser-delivered malware can turn mobile endpoint trust into credential theft and account takeover risk.
NHIMG editorial — based on content published by Swarmnetics: iOS exploit chain used by hackers in infostealer attacks since November 2025
Questions worth separating out
Q: What breaks when a mobile device is compromised through a browser exploit?
A: A browser exploit can turn a trusted phone into a credential and session theft point.
Q: Why do iOS infostealers matter for IAM teams?
A: They matter because mobile compromise often becomes account compromise.
Q: How do security teams know whether mobile access is actually safe?
A: Look for evidence that access is bound to device health, token freshness, and step-up checks for high-risk actions.
Practitioner guidance
- Tighten mobile exploit exposure management Prioritise iOS devices on vulnerable versions for immediate remediation, starting with users who access wallets, financial systems, or privileged enterprise applications.
- Reduce the value of stolen mobile sessions Shorten session lifetimes, bind high-risk sessions to stronger reauthentication, and revoke tokens quickly when a device shows compromise indicators.
- Harden browser-delivered access paths Monitor Safari and other mobile browser traffic for exploit indicators, suspicious redirects, and compromise patterns on devices that access sensitive services.
What's in the full analysis
Swarmnetics' full analysis covers the operational detail this post intentionally leaves for the source:
- Version-by-version iOS targeting details for DarkSword and the specific affected release range.
- The infection path and exploit-chain indicators that help defenders distinguish normal browsing from compromise.
- How the malware behaves after compromise, including what it extracts and how it removes itself.
- The article's threat context for Ukraine-focused activity and how that may shape targeting patterns.
👉 Read Swarmnetics' analysis of the DarkSword iOS exploit chain and infostealer activity →
DarkSword iOS exploit chain: what mobile teams need to know?
Explore further
Mobile exploit chains are now an identity problem as much as an endpoint problem. Once a browser visit can yield device compromise, the security boundary shifts from the phone itself to the accounts and sessions stored on it. That matters for IAM and PAM teams because mobile devices increasingly hold the very artefacts that make account takeover possible. Practitioners should treat mobile compromise as a pathway into access governance, not only as a handset hygiene issue.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Also from our research: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when mobile exploit activity leads to account theft?
A: Accountability usually spans endpoint security, IAM, and the business owner of the compromised access path. NIST CSF and ISO 27001 both expect clear ownership of access control and incident response. Teams should define who can revoke sessions, isolate devices, and approve emergency access changes before an incident occurs.
👉 Read our full editorial: iOS exploit chains are turning Safari visits into wallet theft