DarkSword: The iOS Zero-Day Exploit Chain Now Widely Used by Multiple Threat Groups
A sophisticated piece of malware, likely designed by a government entity, has been targeting iOS devices through a full-chain exploit. Dubbed DarkSword, this threat was uncovered by the Google Threat Intelligence Group (GTIG), which traced its origins to multiple zero-day vulnerabilities. Since at least November 2025, commercial surveillance vendors and suspected state-sponsored actors have been deploying DarkSword in distinct campaigns across several countries.
Discovery and Attribution
GTIG identified DarkSword after analyzing recovered payloads from compromised devices. The exploit chain leverages six different vulnerabilities to gain full control over iPhones running iOS versions 18.4 through 18.7. Based on toolmarks found in the malware, researchers believe DarkSword was engineered by a government-backed entity, although the exact origin remains unconfirmed.
Vulnerabilities and Affected iOS Versions
DarkSword exploits a series of zero-day flaws that allow it to bypass iOS security measures. The full-chain attack uses these vulnerabilities in sequence to execute final-stage payloads without user interaction. GTIG has confirmed that the exploit works on iOS 18.4 to 18.7, making a substantial number of devices vulnerable before patches were released.
Malware Families Deployed
Following a successful DarkSword compromise, GTIG observed three distinct malware families being deployed:
- GHOSTBLADE – A stealthy backdoor that establishes persistent remote access.
- GHOSTKNIFE – A data exfiltration tool designed to steal sensitive information.
- GHOSTSABER – A modular implant capable of executing additional commands.
These payloads are tailored to the attacker’s objectives, ranging from espionage to surveillance.
Threat Actors and Campaigns
DarkSword has been deployed in multiple targeted campaigns, with victims identified in Saudi Arabia, Turkey, Malaysia, and Ukraine. The threat actors behind these operations include commercial surveillance vendors and state-sponsored groups. Notably, UNC6353—a suspected Russian espionage group previously linked to the Coruna iOS exploit kit—has now incorporated DarkSword into their watering hole attacks. This pattern of a single exploit chain being used by disparate groups mirrors the earlier spread of Coruna.
Leak and Current Risk
Approximately one week after GTIG’s initial discovery, a version of the DarkSword exploit chain leaked publicly on the internet. This has enabled a broader range of malicious actors to access the tool, increasing the overall threat landscape. However, the information in this article is based on reports that are now a month old. Apple has since released security updates that address the vulnerabilities exploited by DarkSword. As long as users keep their iOS devices updated with the latest patches, the risk of infection is significantly reduced.
Staying Safe
To protect against DarkSword and similar threats, always install the latest iOS updates promptly. Avoid clicking on suspicious links or downloading untrusted apps. For organizations, implementing robust mobile device management and monitoring for unusual network activity can help detect potential compromises.
Related Articles
- Modernizing Kubernetes Secret Lifecycle with Vault Secrets Operator
- 10 Key Facts About the Silk Typhoon Hacker Extradited Over COVID Research Attacks
- Rise in Cyber-Enabled Cargo Theft: FBI Warns of Hacker Tactics Targeting Brokers and Carriers
- Ubuntu 16.04 LTS Reaches End of Life: Upgrade Paths and Security Implications
- The Hacker News Introduces Cybersecurity Stars Awards 2026: Honoring Unsung Heroes in Cyber Defense
- Understanding the Canonical Cyberattack: What Went Down and What It Means for Ubuntu Users
- Active Exploitation of Linux 'Copy Fail' Vulnerability Confirmed; CISA Issues Urgent Warning
- 7 Key Facts About the Scattered Spider Hacker Who Just Pleaded Guilty