On March 20, according to monitoring by Google Threat Intelligence Group, an iOS exploit chain called DarkSword is targeting iPhones running iOS versions 18.4 to 18.7. Attackers are using compromised websites to deploy malware called Ghostblade, which specifically searches for and steals data from cryptocurrency exchanges (including Coinbase, Binance, Kraken, Kucoin, OKX, and MEXC) and wallet applications (including Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe).
In addition, Ghostblade also steals sensitive information such as SMS messages, iMessages, contacts, Wi-Fi passwords, geolocation data, and chat logs from Telegram and WhatsApp. This malware is designed for rapid data theft, automatically deleting temporary files and terminating its operation after collection is complete. Related attacks have been observed in Saudi Arabia, Turkey, Malaysia, and Ukraine.
