UNC6353

UNC6353 is a suspected Russian espionage threat actor, described in the content as Russian-backed and likely operating at least in part on behalf of the Russian government. The group has targeted Ukrainian users and organizations, primarily through watering hole attacks on compromised legitimate Ukrainian websites. Reported targets include commercial entities such as industrial equipment, retail, and local services organizations, as well as a news outlet in the Donbas region and official court pages. The content states that UNC6353 has used both the Coruna and DarkSword iOS exploit kits in campaigns against Ukrainian targets. UNC6353 previously used the Coruna exploit kit in Ukrainian watering hole campaigns. The content also states that between December 2025 and March 2026, UNC6353 incorporated the DarkSword exploit kit into new watering hole operations targeting Ukrainian users. DarkSword was delivered by injecting malicious script tags into compromised websites and loading attacker-controlled JavaScript, sometimes via hidden iframes. The exploit chain targeted iPhones running iOS 18.4 through 18.7 and was used to fully compromise devices. Post-exploitation malware attributed to UNC6353 includes GHOSTBLADE. The content describes GHOSTBLADE as a comprehensive data-mining payload capable of exfiltrating iMessages, Telegram and WhatsApp data, cryptocurrency wallet data, Safari history and cookies, Health databases, device keychains, location history, and saved Wi-Fi passwords. More broadly, DarkSword activity associated with UNC6353 is described as rapid, hit-and-run collection rather than long-term persistence, with data theft followed by cleanup of temporary files and traces of compromise. The reporting consistently distinguishes UNC6353 from TA446/SEABORGIUM/ColdRiver/Callisto/Star Blizzard, stating that TA446 activity does not overlap with UNC6353 and that they are distinct threat actors. No additional confirmed aliases or sub-groups for UNC6353 are provided in the content.