Paintou
2026-05-04
Cybersecurity

DarkSword iOS Exploit Chain: Questions and Answers on Its Proliferation and Impact

DarkSword, an iOS exploit chain using six zero-days, has been used by multiple threat actors since Nov 2025. Targets include Saudi Arabia, Turkey, Malaysia, Ukraine. Apple patched vulnerabilities in iOS 26.3.

Since late 2025, a sophisticated iOS exploit chain known as DarkSword has been observed in the wild, targeting devices running iOS 18.4 through 18.7. This full-chain exploit leverages six zero-day vulnerabilities and has been adopted by multiple commercial surveillance vendors and state-sponsored actors. Below are key questions and detailed answers about DarkSword, its origins, targets, and defenses.

What is DarkSword and how does it compromise iOS devices?

DarkSword is a complete iOS exploit chain that attackers use to gain full control over a victim's iPhone or iPad. It works by chaining together six separate vulnerabilities to bypass iOS security layers. The exploit is delivered through various methods, including watering hole websites and spear-phishing links. Once executed, it deploys one of three final-stage malware families—GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER—each designed for espionage and data theft. The attack is stealthy: the initial infection often happens via a malicious webpage that silently triggers the exploit chain without user interaction.

DarkSword iOS Exploit Chain: Questions and Answers on Its Proliferation and Impact
Source: www.mandiant.com

Which threat actors are using DarkSword?

Based on toolmarks found in recovered payloads, Google Threat Intelligence Group (GTIG) has linked DarkSword to at least three distinct threat clusters. UNC6748 targeted Saudi Arabian users via a Snapchat-themed phishing website. Another cluster, UNC6353—a suspected Russian espionage group previously associated with the Coruna iOS exploit kit—has incorporated DarkSword into its watering hole campaigns. Additional commercial surveillance vendors and state-sponsored actors have been observed using the exploit chain in operations across Turkey, Malaysia, and Ukraine. The proliferation mirrors the earlier spread of the Coruna kit, suggesting a shared supply chain or secondary market for exploit chains.

Which iOS versions and devices are affected?

DarkSword specifically supports iOS versions 18.4 through 18.7. All six vulnerabilities exploited by the chain were responsibly reported by GTIG to Apple and were patched in iOS 26.3 (with most fixes applied even earlier). Users running any iOS version before the patch are at risk if they visit a compromised website or open a malicious link. The exploit does not require a jailbreak and, until Apple shipped the fixes, ran silently on devices that were fully up to date at the time. Apple has since addressed these flaws, so updating to the latest iOS version is the most effective mitigation.

What are the key vulnerabilities used by DarkSword?

While the exact CVE identifiers have not been publicly disclosed in this report, the exploit chain leverages six distinct zero-day vulnerabilities that cover multiple iOS components: kernel memory corruption, WebKit rendering engine flaws, and privilege escalation paths. The vulnerabilities allow the attacker to break out of sandbox restrictions, gain kernel-level code execution, and ultimately deploy final payloads. GTIG provided Apple with technical details in late 2025, and Apple subsequently released patches. Because all six flaws are now fixed, updating iOS is the primary defense. For unpatched devices, enabling Lockdown Mode adds a significant barrier against such advanced exploits.

How were the DarkSword attacks discovered?

Google Threat Intelligence Group (GTIG) first identified DarkSword in November 2025 while monitoring threat actor activities. They observed a Snapchat-themed website (snapshare[.]chat) used by the UNC6748 cluster targeting Saudi Arabian users. The site deployed obfuscated JavaScript that created an iframe to fetch the next stage of the exploit. GTIG also collaborated with industry partners Lookout and iVerify to share intelligence. Additional attacks were later detected in Turkey, Malaysia, and Ukraine, with toolmarks confirming the same DarkSword package was used across disparate groups. The timeline shows that most vulnerabilities were patched within a few months of the first observed exploitation.


What malware families are deployed after a successful DarkSword attack?

Three distinct malware families have been linked to DarkSword infections: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These payloads are custom-built for espionage and persistent access. GHOSTBLADE typically focuses on exfiltrating sensitive data like messages and passwords. GHOSTKNIFE includes stealth features to evade detection, such as rootkit capabilities. GHOSTSABER appears designed for long-term surveillance, including camera and microphone access. While each family has unique traits, they all share code similarities indicating a common developer or supply chain. The choice of which malware to deploy likely depends on the target and the threat actor's objectives.

How can users protect themselves from DarkSword and similar exploits?

The most effective protection is to update iOS to the latest version (currently iOS 26.3 or later), as all six vulnerabilities exploited by DarkSword have been patched. For devices that cannot be updated—such as older models—enabling Lockdown Mode (Settings > Privacy & Security > Lockdown Mode) significantly reduces the attack surface by blocking complex exploit techniques. Users should also avoid clicking suspicious links, especially those sent via social media or messaging apps. Google has added domains involved in DarkSword delivery to Safe Browsing, so using a compatible browser (e.g., Chrome) offers additional warnings. Regularly checking for iOS updates and practicing good cyber hygiene remain essential defenses.
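The update-or-Lockdown-Mode guidance above can be turned into a fleet check. The following is an added example, not code from GTIG or the article: it takes the version facts the article states (the chain supports iOS 18.4 through 18.7; all six flaws are fixed in iOS 26.3) and triages a constructed device inventory, treating Lockdown Mode only as a compensating control for devices that cannot yet be updated.

```python
"""Triage an iOS fleet for DarkSword exposure.

Version facts come from the article: the chain supports iOS 18.4-18.7 and
all six vulnerabilities are fixed in iOS 26.3. The inventory below is
constructed sample data, not output of any real MDM product.
"""
from typing import NamedTuple

SUPPORTED_MIN = (18, 4)  # first iOS release DarkSword supports
SUPPORTED_MAX = (18, 7)  # last iOS release DarkSword supports
PATCHED_IN = (26, 3, 0)  # release in which Apple fixed all six flaws


class Assessment(NamedTuple):
    device: str
    status: str
    action: str


def parse_version(text: str) -> tuple:
    """Turn '18.7.2' into (18, 7, 2); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess_device(name: str, ios_version: str, lockdown_mode: bool) -> Assessment:
    """Classify one device and state the action a defender should take."""
    v = parse_version(ios_version)
    if v >= PATCHED_IN:
        return Assessment(name, "patched", "none")
    if SUPPORTED_MIN <= v[:2] <= SUPPORTED_MAX:
        status = "exposed (inside DarkSword's supported range)"
    else:
        # The article says any pre-fix version is at risk, not just 18.4-18.7.
        status = "unpatched (outside the chain's range, fixes not applied)"
    if lockdown_mode:
        action = "update to iOS 26.3 or later; Lockdown Mode is only a compensating control"
    else:
        action = "update to iOS 26.3 or later now; enable Lockdown Mode until the update lands"
    return Assessment(name, status, action)


def triage(inventory: list) -> list:
    """Assess every (name, version, lockdown_mode) record in an inventory."""
    return [assess_device(*record) for record in inventory]


# Constructed sample inventory: (device name, iOS version, Lockdown Mode on?)
SAMPLE_INVENTORY = [
    ("ceo-iphone", "18.6.2", False),
    ("legal-ipad", "18.7", True),
    ("dev-iphone", "26.3", False),
    ("field-iphone", "17.5.1", False),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        print(f"{a.device}: {a.status} -> {a.action}")
```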

Where can I find more information about DarkSword?

This Q&A is based on research published by Google Threat Intelligence Group in coordination with Lookout and iVerify. For deeper technical details, refer to the original GTIG blog post. You can also follow GTIG’s threat intelligence updates for ongoing monitoring. If you suspect compromise, consult a professional security team and review Apple’s security support pages. For a related topic, the Coruna exploit kit, see the section above on which threat actors are using DarkSword for context on the broader landscape.