DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike

Summary

Researchers from Google, iVerify and Lookout have disclosed “DarkSword”, a full-chain iOS exploit kit used since at least November 2025 against users in Saudi Arabia, Turkey, Malaysia and Ukraine. The chain exploits multiple zero-days and n-days across components such as JavaScriptCore, ANGLE, dyld and the iOS kernel (examples include CVE-2025-31277, CVE-2025-43529, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520 and CVE-2026-20700).

Attacks are executed via malicious websites (watering holes) where a single click can trigger remote code execution, sandbox escape and privilege escalation to deliver implants. The toolkit is modular — GTIG links three malware families (Ghostblade, Ghostknife, Ghostsaber) — and has been observed in both state-aligned espionage campaigns and financially motivated operations that target crypto wallets. Patching is available (update to iOS 18.7.6 or iOS 26.3.1), but many users remain vulnerable.

Key Points

  • DarkSword is a multi-stage iOS exploit chain leveraging several zero-day and n-day vulnerabilities to fully compromise devices.
  • The chain has been used by multiple actors — from suspected state groups (e.g. UNC6353) to commercial surveillance vendors and financially motivated criminals.
  • Observed malware families include Ghostblade, Ghostknife and Ghostsaber; attacks can rapidly steal data and then remove traces within minutes.
  • Targets noted include Saudi Arabia, Turkey (linked to PARS Defense), Malaysia and Ukraine; delivery often via watering-hole webpages and one-click exploitation.
  • Notably dual-use: tooling explicitly targets both espionage (surveillance) and financial theft (cryptocurrency wallets), showing formal integration of monetisation features.
  • Operational security failures and code reuse have made the tools discoverable and reusable by less sophisticated actors, widening the threat market.
  • Apple has patched the flaws — update to iOS 18.7.6 or iOS 26.3.1; consider Lockdown Mode and standard hygiene (OS updates) to reduce exposure.
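The patch guidance above names two separate floors, iOS 18.7.6 on the 18 branch and iOS 26.3.1 on the 26 branch, so a fleet check that simply tests "version is at least 18.7.6" would wrongly pass a device on 26.0. The following is an added example, not code from the Dark Reading article or from Google, iVerify or Lookout: it classifies a constructed device inventory against the two patched builds named on the page. The inventory format, the device IDs and the function names (`classify`, `check_inventory`, `summarize`) are assumptions made for this example.

```python
"""Fleet compliance check against the two DarkSword patch floors.

Added example; not from the article or the cited research teams.
Assumes an inventory export with one device per line in the form
<device_id>,<ios_version>. The sample inventory below is constructed.
"""
from typing import List, NamedTuple, Optional, Tuple

# Minimum patched builds named on the page, keyed by major version.
# A device must be at or above the floor for its own branch; being
# numerically above the 18.x floor says nothing about a 26.x device.
PATCHED_FLOORS = {
    18: (18, 7, 6),
    26: (26, 3, 1),
}

# Constructed sample inventory (device_id,iOS version).
SAMPLE_INVENTORY = """\
ipad-0042,18.7.6
iphone-0101,18.6.2
iphone-0102,26.3.1
iphone-0103,26.0
iphone-0104,26.3
iphone-0105,17.7.10
iphone-0106,18.7
iphone-0107,not-a-version
"""


class DeviceStatus(NamedTuple):
    device_id: str
    version: str
    status: str  # "patched", "vulnerable" or "review"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '26.3' into (26, 3, 0); return None for malformed input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)[:3]
    # Pad to three components so that 26.3 compares below 26.3.1.
    return nums + (0,) * (3 - len(nums))


def classify(version_text: str) -> str:
    """Compare one device's version against the floor for its branch."""
    v = parse_version(version_text)
    if v is None:
        return "review"  # bad data: never silently accept it
    floor = PATCHED_FLOORS.get(v[0])
    if floor is None:
        # Below 18 the device cannot be on a named patched build, so it
        # is treated as unpatched. Any other major is not covered by the
        # page's guidance and is sent for manual review.
        return "vulnerable" if v[0] < 18 else "review"
    return "patched" if v >= floor else "vulnerable"


def check_inventory(csv_text: str) -> List[DeviceStatus]:
    """Classify every device in a device_id,version inventory export."""
    results = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        device_id, _, version = line.partition(",")
        results.append(
            DeviceStatus(device_id.strip(), version.strip(), classify(version))
        )
    return results


def summarize(results: List[DeviceStatus]) -> dict:
    """Count devices per status for a quick fleet-level view."""
    counts = {"patched": 0, "vulnerable": 0, "review": 0}
    for r in results:
        counts[r.status] += 1
    return counts


if __name__ == "__main__":
    rows = check_inventory(SAMPLE_INVENTORY)
    for r in rows:
        print(f"{r.device_id:14} {r.version:14} {r.status}")
    print(summarize(rows))
```

Devices that land in "review" (malformed versions, or a major version the page does not name) are deliberately not counted as patched; an MDM export with a blank or odd version string is exactly the kind of record that hides an unpatched phone.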

Content Summary

DarkSword is a sophisticated but widely repurposed exploit chain that combines multiple memory-corruption and privilege-escalation bugs to achieve full device compromise. Researchers tied the tooling to both commercial surveillance vendors and alleged state-backed groups; they also found signs that the code or implants were created or augmented with large language models. Unlike narrowly targeted espionage implants, DarkSword includes capabilities aimed at stealing cryptocurrency — revealing an explicit dual-use business model. The attacks are fast, stealthy and designed to extract sensitive data quickly before removing evidence from the device.

Although patches are available, a large installed base still runs older iOS builds — researchers estimate hundreds of millions could remain vulnerable — and the exploit market for iOS n-days is active. The incident highlights weak OPSEC by some offensive operators and the risk that advanced chains, once leaked or sold, proliferate to criminal customers.

Why should I read this?

Short version: this isn’t just another phone hack. DarkSword is a full-blown iOS exploit chain that’s being reused by spies and crooks alike — so if you or your users carry a vulnerable iPhone, it’s an easy ticket to losing data or funds. Read this to know which patches to apply, whether Lockdown Mode might help, and why you should stop assuming mobile zero-days are niche.

Source

Source: https://www.darkreading.com/threat-intelligence/darksword-iphone-exploit-spies-thieves