Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Reddit r/netsec

Lookout's LLM-assistance findings in DarkSword iOS exploit kit: a source-by-source breakdown of what each research team actually said

The DarkSword exploit kit chains six vulnerabilities (including three zero-days) to achieve full compromise of iPhones via JavaScript-based attacks, primarily through watering holes and fake websites. The article focuses on the novel, under-reported finding of LLM-assisted code within this kit, marking a significant evolution in the sophistication of mass-deployed mobile malware. While specific CVEs like CVE-2025-31277 (CVSS 8.8) are cited, the summary does not provide a complete, actionable list of all affected and fixed iOS versions from the provided NVD data for a comprehensive patch directive.

On March 18, 2026, Lookout, Google's Threat Intelligence Group (GTIG), and iVerify published coordinated research disclosing DarkSword, a full-chain iOS exploit kit targeting iPhones running iOS 18.4 through 18.7. Within 48 hours, every major cybersecurity outlet covered the story. They covered the six CVEs, the three zero-days, the exploit chain walkthrough, the 270 million affected devices, the threat actor attribution, and the Coruna connection.

But buried inside nearly every article was a finding that none of them turned into its own piece: indicators of LLM-assisted code inside a mass-deployed iOS exploit kit. Seven separate outlets mentioned it. CyberScoop, BleepingComputer, Dark Reading, PBX Science, Lookout (the primary source), Infosectoday, and FoneArena all referenced some version of the finding. Not one published a standalone analysis. Every outlet treated it as a bullet point inside a broader DarkSword explainer. Notably, Help Net Security and The Hacker News covered DarkSword without mentioning the LLM angle at all.

This is that standalone analysis. What follows is a precise, source-attributed breakdown of what Lookout actually found, what Google GTIG and iVerify did and did not say, how this compares to every prior documented case of LLM-assisted malware, and what it means for the mobile threat landscape. Every claim is sourced. Every qualifier is preserved. Where the evidence is circumstantial, we say so.
Table of Contents

What DarkSword is (brief context)
What Lookout found: the LLM indicators
What GTIG and iVerify did not say
The developer-operator split and language mismatch
The obfuscation gradient across operators
Prior art: LLM-assisted malware before DarkSword
Why DarkSword is different from everything before it
The secondary market thesis
What this means
FAQ

What DarkSword is (brief context)

DarkSword is a JavaScript-based iOS exploit kit that chains six vulnerabilities (CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520) to achieve full device compromise. Three of these were zero-days when first exploited. The kit targets iPhones running iOS 18.4 through 18.7 and was first detected in November 2025 by Lookout researchers investigating the Coruna exploit kit's infrastructure.

Google GTIG identified three distinct threat actor groups using DarkSword: UNC6353 (suspected Russian, targeting Ukraine via watering hole attacks), UNC6748 (targeting Saudi Arabia via a fake Snapchat website), and PARS Defense (a Turkish commercial surveillance vendor targeting Turkey and Malaysia). Each group deployed different payloads: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER respectively.

iVerify estimated that approximately 14.2% of active iPhones, around 221 million devices running iOS 18.4 through 18.6.2, remain vulnerable. When including all iOS 18 versions, that figure rises to roughly 270 million devices.

The technical exploitation details, CVE walkthrough, and threat actor attribution have been covered exhaustively by Lookout, Google GTIG, iVerify, and others. This piece does not rehash that ground. It focuses on the finding that every outlet mentioned but none analyzed.

What Lookout found: the LLM indicators

Of the three research teams involved in the coordinated disclosure, only Lookout identified LLM-assistance indicators.
Their published report contains four specific passages referencing LLM or AI, each carefully qualified.

The first addresses the DarkSword File Receiver, a server-side component hosted at sqwas.shapelie[.]com on ports 8881 and 8882. Lookout noted indicators suggesting this infrastructure component was created with LLM assistance, citing specific artifacts: a folder emoji in the heading and a checkmark symbol.

The second and third passages appear together in the UNC6353 threat actor analysis section. Lookout stated that no attempts were made to obfuscate the exploit chain or implant code. They noted the presence of numerous comments and log messages in the JavaScript code. Their assessment: analysis of patterns suggests that LLMs were used in the creation of at least some of the implant code. Lookout then offered a direct interpretation and an alternative: it appears probable that UNC6353 lacks first-hand experience with mobile exploits and may have relied on AI support to add functionality to purchased tooling. Alternatively, this code may have been added prior to the threat actor's acquisition of the tooling.

The fourth passage appears in Lookout's conclusion, where they note that groups purchasing exploit kits can customize them for their specific purposes, possibly with the help of AI.

The specific indicators Lookout cites for LLM involvement are: a folder emoji in the File Receiver heading, a checkmark symbol in the same heading, numerous comments and log messages throughout the JavaScript code, and pattern analysis of the implant code itself. The qualifying language matters. Lookout uses "indicators" (not proof), "suggests"...
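The artifact classes Lookout cites (decorative symbols such as a folder emoji or checkmark, dense comments, and chatty log messages) are the kind of thing an analyst can measure when triaging a recovered JavaScript sample. The script below is an added example written for this analysis; it is not Lookout's tooling and not DarkSword code. It scans a constructed, made-up JavaScript fragment, counts those artifact classes, and raises triage flags using thresholds (30% comment lines, 15% log-call lines) that are our own assumptions. As the article stresses, these are indicators for a human to weigh, not proof that an LLM wrote the code.

```python
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample: a small JavaScript fragment showing the artifact classes
# described in the analysis (decorative symbols in a heading comment, dense
# comments, chatty console logging). This is NOT DarkSword code.
SAMPLE_JS = """\
// 📁 File receiver - handles uploads ✅
// Initialize the server configuration
const port = 8881; // listening port
// Log startup
console.log("✅ Server starting on port " + port);
function handleUpload(req) {
  // Validate the incoming request
  if (!req.body) {
    console.log("No body received");
    return null;
  }
  // Parse the payload
  const data = JSON.parse(req.body);
  console.log("Parsed upload: " + data.name);
  return data;
}
"""

# Constructed contrast sample: terse code with no comments, logging or symbols.
SAMPLE_TERSE_JS = """\
const p=8881;function h(r){if(!r.body)return null;return JSON.parse(r.body)}
"""

# Assumed thresholds for raising a triage flag (not from Lookout's report).
COMMENT_RATIO_THRESHOLD = 0.30
LOG_RATIO_THRESHOLD = 0.15


@dataclass
class ArtifactReport:
    total_lines: int       # non-blank source lines
    comment_lines: int     # lines that are whole-line // comments
    log_calls: int         # console.log/info/debug/warn/error call sites
    symbol_chars: list     # distinct non-ASCII symbol code points found
    comment_ratio: float
    log_ratio: float


def is_decorative_symbol(ch: str) -> bool:
    """True for non-ASCII characters in Unicode category 'So' (Symbol, other),
    which covers emoji such as a folder (U+1F4C1) and a checkmark (U+2705)."""
    return ord(ch) > 0x7F and unicodedata.category(ch) == "So"


def analyze_js(source: str) -> ArtifactReport:
    """Count the artifact classes in a JavaScript source string."""
    lines = [ln for ln in source.splitlines() if ln.strip()]
    comment_lines = sum(1 for ln in lines if ln.lstrip().startswith("//"))
    log_calls = len(re.findall(r"\bconsole\.(?:log|info|debug|warn|error)\s*\(", source))
    symbols = sorted({f"U+{ord(c):04X}" for c in source if is_decorative_symbol(c)})
    n = max(len(lines), 1)
    return ArtifactReport(len(lines), comment_lines, log_calls, symbols,
                          comment_lines / n, log_calls / n)


def triage_flags(report: ArtifactReport) -> list:
    """Turn raw counts into human-readable triage flags (assumed thresholds)."""
    flags = []
    if report.symbol_chars:
        flags.append("decorative symbols present")
    if report.comment_ratio >= COMMENT_RATIO_THRESHOLD:
        flags.append("dense comments")
    if report.log_ratio >= LOG_RATIO_THRESHOLD:
        flags.append("dense log messages")
    return flags


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_JS), ("terse", SAMPLE_TERSE_JS)):
        rep = analyze_js(src)
        print(name, rep)
        print("  flags:", triage_flags(rep) or "none")
```

On the constructed sample the scanner reports 5 comment lines and 3 log calls over 16 lines plus the two symbols, so all three flags fire; the terse contrast sample raises none. The point of the contrast is the one the article makes about the obfuscation gradient: an absence of these artifacts says nothing either way, and their presence only tells an analyst where to look more closely.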
