Threat Intelligence

DarkSword iOS Exploit Proliferates Across Threat Actors

What if the next tap on a Snapchat lure silently hands your iPhone to spies? Google Threat Intelligence reveals DarkSword, a full-chain iOS exploit now weaponized by multiple threat actors worldwide.

Timeline graphic of DarkSword exploit observations and iOS patches from Google Threat Intelligence

Key Takeaways

  • DarkSword chains six zero-days for full iOS compromise (18.4-18.7), now used by multiple actors including UNC6353.
  • Proliferation mirrors the earlier Coruna kit, hinting at an exploit black market.
  • All vulnerabilities patched in iOS 26.3 (most earlier); Lockdown Mode urged for devices that can't be updated.
  • Final payloads: GHOSTBLADE, GHOSTKNIFE, GHOSTSABER for persistence and C2.

What happens when a single iOS exploit chain slips into the wild, only to be snapped up by everyone from commercial spyware peddlers to state-backed hackers?

Google Threat Intelligence Group’s latest report on DarkSword lays it bare: this beast of an exploit, chaining six zero-day vulnerabilities, has compromised iPhones running iOS 18.4 through 18.7. Since November 2025, it’s popped up in campaigns hitting targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. And here’s the kicker—it’s not the work of one lone wolf. Multiple players, from suspected Russian espionage groups to unnamed surveillance vendors, have customized it for their dirty work.

How Did Google Spot DarkSword’s Spread?

Discovery started in late 2025, with GTIG piecing together toolmarks from recovered payloads. They traced it back to November, spotting distinct campaigns. Think of it as digital forensics meets epidemiology: same exploit DNA, different operators.

GTIG reported the vulns to Apple pronto—all patched by iOS 26.3 (most earlier). Domains got blacklisted in Safe Browsing. Smart move: enable Lockdown Mode if you’re stuck on an old version.

This isn’t isolated. DarkSword echoes the Coruna iOS kit from before, which UNC6353—a presumed Russian crew—once favored. Now they’ve swapped in DarkSword for watering hole attacks. Proliferation like this signals a marketplace for exploits, where code gets rented, tweaked, reused.

“GTIG has identified a new iOS full-chain exploit that uses multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword.”

That’s GTIG’s crisp opener—straight from their report, underscoring the chain’s sophistication.

UNC6748’s Snapchat Trap in Saudi Arabia

Early November 2025. A site mimicking Snapchat—snapshare[.]chat—lures Saudi users. JavaScript obfuscation hides the malice; it sets a session key to dodge repeat hits, spins up an iFrame for frame.html.

That pulls rce_loader.js, the real engine. It grabs remote code execution payloads via XMLHttpRequest. UNC6748 iterated fast: first, a duo targeting CVE-2025-31277 (JavaScriptCore memory smash) and CVE-2026-20700 (PAC bypass in dyld). Days later, they layered in CVE-2025-43529 for iOS 18.6 support.

But glitches abounded: logic flubs meant the iOS 18.4 exploits misfired on devices other than 18.6, and 18.7 was ignored entirely despite its September release. Chrome victims? Bounced into Safari via an x-safari-https link. A final redirect to the legitimate Snapchat site masked the whole detour. Anti-debugging tricks hardened it against prying eyes.

Activity pulsed through November, with tweaks to evade detection. Classic cat-and-mouse.
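As an added detection example, not code from GTIG or the original report: a small Python triage pass over constructed proxy log lines that flags contact with the lure domain and the loader paths named above, and grades each hit by whether the client's iOS build sits in the 18.4-18.7 window. The log line format, the CriOS version string and the sample client addresses are assumptions.

```python
import re

# Indicators from the GTIG reporting summarised above; the defanged lure domain
# is re-fanged here only so the matcher can compare it against log URLs.
LURE_DOMAIN = "snapshare.chat"
LOADER_PATHS = {"/frame.html", "/rce_loader.js", "/rce_module.js"}
VULN_MIN, VULN_MAX = (18, 4), (18, 7)  # iOS 18.4 through 18.7 per the report

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')  # client method url "user-agent"
IOS_RE = re.compile(r"iPhone OS (\d+)_(\d+)")
URL_RE = re.compile(r"^https?://([^/]+)(/[^?#]*)?")

def ios_version(user_agent):
    """Return (major, minor) from an iPhone user agent, or None if not an iPhone."""
    m = IOS_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage_line(line):
    """Classify one proxy log line; returns a finding dict, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, url, ua = m.groups()
    u = URL_RE.match(url)
    if not u or u.group(1) != LURE_DOMAIN:
        return None
    path = u.group(2) or "/"
    ver = ios_version(ua)
    in_range = ver is not None and VULN_MIN <= ver <= VULN_MAX
    if path in LOADER_PATHS and in_range:
        verdict = "exploit-loader-fetched"   # chain stage reached on a vulnerable build
    elif in_range:
        verdict = "lure-contact-vulnerable"  # on the lure with an exposed iOS build
    else:
        verdict = "lure-contact-patched"     # worth noting, but outside 18.4-18.7
    return {"client": client, "path": path, "ios": ver, "verdict": verdict}

def triage_log(text):
    """Run triage over a whole log, dropping benign lines."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]

# Constructed sample proxy log (client, method, URL, quoted user agent); not real telemetry.
# Client .12 arrives in Chrome (CriOS), gets bounced to Safari, then fetches the loader.
SAMPLE_LOG = """\
10.0.0.12 GET https://snapshare.chat/ "Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X) CriOS/131.0 Mobile/15E148 Safari/604.1"
10.0.0.12 GET https://snapshare.chat/frame.html "Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X) Version/18.6 Mobile/15E148 Safari/604.1"
10.0.0.12 GET https://snapshare.chat/rce_loader.js "Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X) Version/18.6 Mobile/15E148 Safari/604.1"
10.0.0.31 GET https://snapshare.chat/ "Mozilla/5.0 (iPhone; CPU iPhone OS 26_3 like Mac OS X) Version/26.3 Mobile/15E148 Safari/604.1"
10.0.0.44 GET https://www.snapchat.com/ "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) Version/18.5 Mobile/15E148 Safari/604.1"
"""
```

Running `triage_log(SAMPLE_LOG)` yields four findings: two loader fetches and one lure contact from the 18.6 client, and one patched-device contact from the 26.3 client; the genuine snapchat.com visit is dropped.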

The Final Payloads: GHOSTBLADE, GHOSTKNIFE, GHOSTSABER

DarkSword doesn’t stop at RCE. It unloads three malware families post-compromise.

GHOSTBLADE persists stealthily, exfiltrating data. GHOSTKNIFE amps up with keylogging, screen grabs. GHOSTSABER—the heavy—handles command-and-control, even lateral movement. Each tailored, yet sharing exploit roots.

GTIG, with Lookout and iVerify, dissected them. The report shares no code, but the architecture screams modular design—easy for actors to bolt on their own tooling.

Why Does DarkSword’s Proliferation Matter for iPhone Security?

Short answer: it democratizes high-end attacks. Once, zero-click chains were nation-state exclusives—think Pegasus. Now? Commercial vendors peddle them, states borrow. DarkSword’s toolkit vibe (like Coruna) means faster evolution, wider nets.

Here’s the unique lens Threat Digest brings: this mirrors the Stuxnet pivot point in malware history. Back in 2010, Stuxnet leaked from its U.S.-Israeli origins, spawning Duqu, Flame—proliferating techniques to anyone with cash. DarkSword could do the same for mobile zero-days, flooding espionage markets. Bold prediction: by 2027, we’ll see DarkSword forks in non-state hands, hitting activists in unexpected spots. Apple’s patches help, but the genie’s out—expect rapid mutation.

Corporate spin? Vendors won’t admit tooling up on this; states deny outright. GTIG calls hype on the ‘commercial surveillance’ label—it’s a polite nod to mercenary firms like NSO, but the Russian UNC6353 overlap screams hybrid threats.

Who’s Next? Timeline and Patches

GTIG’s timeline (Figure 1 in their post) maps observations against Apple’s fixes. Most of the vulnerabilities were patched early; the stragglers fell in 26.3. Other actors likely lurk—GTIG hints at unreported users.

Targets span autocracies and hotspots: Saudi (royals?), Turkey (dissidents?), Malaysia/Ukraine (geopolitics). Watering holes—compromised legit sites—amplify reach.

One punchy stat: six zero-days in one chain. That’s WebKit RCE, kernel hops, sandbox escapes—architectural mastery exploiting iOS’s layered defenses.

Is DarkSword the New Coruna 2.0?

Dead ringer. Both multi-actor, iOS-focused kits. Coruna greased UNC6353’s wheels; DarkSword slots right in. Difference? DarkSword’s iOS 18.x breadth, six vulns vs. Coruna’s leaner set.

Why the shift? Patches killed Coruna; DarkSword’s fresh. But proliferation risks burnout—overuse invites reverse-engineering, as GTIG proves.

Architectural tell: modular loaders (rce_module.js, worker variants) let actors swap vulns without rewriting core. That’s the ‘how’—plug-and-play zero-days. The ‘why’? Speed to target, low dev cost in an arms race.

Update. Lockdown Mode. Repeat.


Frequently Asked Questions

What is the DarkSword iOS exploit chain?
A Google-identified full-chain exploit using six zero-days to jailbreak iOS 18.4-18.7, deploying malware like GHOSTBLADE. Patched in iOS 26.3.

Which threat actors use DarkSword?
UNC6748 (Saudi targets), UNC6353 (Russian-linked), plus commercial vendors. Campaigns in Saudi Arabia, Turkey, Malaysia, Ukraine.

How do you protect against DarkSword?
Update to latest iOS immediately. Enable Lockdown Mode. Avoid suspicious links, especially Snapchat lures.

Written by Maya Thompson

Threat intelligence reporter. Tracks CVEs, ransomware groups, and major breach investigations.


Originally reported by Mandiant Blog