A powerful new iOS exploit kit named DarkSword is being used by multiple threat actors to carry out large-scale data theft operations against iPhones. The framework has been active since at least November 2025 and is capable of achieving full device compromise with minimal user interaction.
The threat was uncovered through investigations by Google Threat Intelligence Group, Lookout, and iVerify, who linked it to cyber espionage campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine.
Overview and Targets
DarkSword is the second major iOS exploit kit discovered in a short span, following Coruna. It targets iPhones running iOS versions 18.4 to 18.7 and has been used by several actors, including the suspected Russian-linked group UNC6353, particularly in attacks against Ukrainian users.
Like Coruna, the exploit is delivered through compromised websites in watering hole attacks, where malicious JavaScript is injected to silently target visitors.
Exploit Chain and Zero-Day Usage
DarkSword relies on a chain of six vulnerabilities to fully compromise devices. Three of these were actively exploited as zero-days before being patched:
- CVE-2026-20700 (PAC bypass in dyld)
- CVE-2025-43529 (JavaScriptCore memory corruption)
- CVE-2025-14174 (ANGLE memory corruption)
The remaining vulnerabilities include flaws in JavaScriptCore and the iOS kernel, enabling remote code execution, sandbox escape, and privilege escalation.
The kit selects the exploit path matching the device’s iOS version at runtime, which is what gives it a high success rate across the affected releases.
Attack Methodology
The attack begins when a user visits a compromised website using Safari. A malicious iframe loads JavaScript that fingerprints the device and determines whether it is vulnerable.
If a match is found, the exploit chain is triggered:
- Initial code execution is achieved via JavaScriptCore vulnerabilities
- A PAC bypass enables deeper system access
- The exploit escapes the Safari WebContent sandbox
- Additional vulnerabilities allow pivoting into privileged system processes such as the GPU process and mediaplaybackd
- A final kernel exploit grants full read/write capabilities and code execution
Once control is established, a central orchestrator deploys additional modules and injects data exfiltration components into core system services like SpringBoard.
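The entry point described above is a hidden iframe injected into a legitimate page. Site owners can catch that class of tampering by periodically fetching their own pages and flagging any iframe or script whose source is outside the origins the site is known to use, giving extra weight to loaders that are sized to zero or hidden with CSS. The following is an added example, not code from the article or from any of the researchers cited; the sample HTML, the allowlist and the hostnames in it are constructed for illustration.

```python
"""Flag off-origin iframes and scripts in a web page, the kind of injected
loader used in watering-hole attacks. Added example, not from the article;
the sample HTML, allowlist and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one injected, hidden iframe.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example.org/static/app.js"></script>
</head><body>
<h1>News</h1>
<iframe src="https://cdn.example.org/widget" width="300" height="200"></iframe>
<iframe src="https://evil-attacker.invalid/ld.html" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

# Constructed allowlist: origins this site legitimately loads content from.
TRUSTED_ORIGINS = {"www.example.org", "cdn.example.org"}


class LoaderFinder(HTMLParser):
    """Collects iframe and script sources together with hints of concealment."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script without src; out of scope for this check
        host = urlparse(src).hostname or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (
            a.get("width") == "0"
            or a.get("height") == "0"
            or "display:none" in style
            or "visibility:hidden" in style
        )
        self.findings.append({"tag": tag, "src": src, "host": host, "hidden": hidden})


def find_suspicious_loaders(html, trusted_origins):
    """Return iframes/scripts whose host is outside the site's allowlist.
    A hidden, off-origin iframe is the highest-confidence signal."""
    parser = LoaderFinder()
    parser.feed(html)
    suspicious = []
    for f in parser.findings:
        if f["host"] not in trusted_origins:
            f["severity"] = "high" if f["hidden"] else "medium"
            suspicious.append(f)
    return suspicious


if __name__ == "__main__":
    for f in find_suspicious_loaders(SAMPLE_HTML, TRUSTED_ORIGINS):
        print(f"[{f['severity']}] <{f['tag']}> loads {f['src']} (hidden={f['hidden']})")
```

Run against a baseline crawl of your own site, the check turns a silent injection into an alert the moment the page changes; pair it with a Content-Security-Policy `frame-src`/`script-src` allowlist so an unexpected origin is blocked in the browser as well as reported.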
Malware and Data Theft Capabilities
DarkSword delivers multiple payloads, including:
- GHOSTBLADE: A data-harvesting malware that extracts sensitive information
- GHOSTKNIFE: A backdoor used for surveillance and data exfiltration
- GHOSTSABER: A flexible JavaScript-based backdoor for executing commands and stealing data
The malware is capable of collecting:
- Emails and iCloud files
- Contacts, SMS, and call logs
- Browser history and cookies
- Cryptocurrency wallet and exchange data
- Usernames and passwords
- Photos and media files
- Location history
- Wi-Fi configurations and passwords
- Installed apps and connected accounts
- Data from Apple apps such as Notes and Health
- Messages from apps like Telegram and WhatsApp
Hit-and-Run Strategy
Unlike spyware built for long-term persistence, DarkSword is designed for rapid operations. It quickly gathers the targeted data, exfiltrates it within seconds or minutes, and then deletes traces of its activity before leaving the device. This minimizes the chance of detection and avoids the risk that long-term persistence would carry.
Threat Actors and Campaigns
DarkSword has been linked to multiple actors:
- UNC6353: Used the exploit in attacks against Ukraine, likely aligned with Russian intelligence objectives
- UNC6748: Targeted Saudi users through a fake Snapchat-themed site delivering GHOSTKNIFE
- Activity tied to PARS Defense: Used DarkSword in Turkey and Malaysia to deploy GHOSTSABER with enhanced operational security
Researchers believe that the availability of such exploit kits points to a growing commercial market for advanced mobile exploits, allowing even less sophisticated actors to launch high-end attacks.
Technical Insights
DarkSword stands out for its modular and well-structured design, written largely in JavaScript. Analysis suggests it may have been adapted from earlier versions targeting older iOS releases, indicating ongoing development and reuse.
Despite its sophistication, researchers noted weak operational security in some deployments, such as lack of code obfuscation and simplistic infrastructure.
Broader Implications
The emergence of both DarkSword and Coruna highlights the increasing proliferation of advanced exploit chains across different threat actors and regions. It also raises concerns about how widely accessible such capabilities have become in the cybercrime and surveillance ecosystem.
Security experts warn that millions of devices running unpatched iOS versions could be at risk, especially those not updated beyond iOS 18.6.2.
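For an organization with managed iPhones, the practical first step is to find which devices sit in the version range the kit targets (18.4 through 18.7, per the overview above) and push updates to them. The script below is an added example, not part of the article; it triages a constructed MDM inventory export and is written to avoid the common trap of comparing version strings lexically (where "18.10" sorts before "18.7"). It assumes the range is read inclusively at the major.minor level; whether a particular build is actually patched should still be confirmed against Apple's security advisories, since the article itself cites both the 18.4–18.7 range and the 18.6.2 cutoff.

```python
"""Triage an MDM inventory export against the iOS range the article says
DarkSword targets (18.4 through 18.7). Added example, not part of the
article; the CSV rows are constructed. Assumption: the range is inclusive
at the major.minor level, and patch status is confirmed separately."""
import csv
import io

TARGETED_MIN = (18, 4)  # lower bound of the range named in the article
TARGETED_MAX = (18, 7)  # upper bound of the range named in the article

# Constructed inventory export (device id, reported iOS version).
SAMPLE_CSV = """device_id,os_version
dev-001,18.3.2
dev-002,18.4
dev-003,18.6.2
dev-004,18.7.1
dev-005,18.10
dev-006,26.0
dev-007,not-reported
"""


def parse_version(s):
    """Return a (major, minor, patch) tuple, or None if the string is not a
    dotted numeric version. Tuples compare numerically, so 18.10 > 18.7."""
    try:
        nums = [int(p) for p in s.strip().split(".")]
    except ValueError:
        return None
    if not nums:
        return None
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def in_targeted_range(version):
    """True if the version's major.minor falls within TARGETED_MIN..TARGETED_MAX."""
    v = parse_version(version)
    if v is None:
        return False
    return TARGETED_MIN <= v[:2] <= TARGETED_MAX


def triage_inventory(csv_text):
    """Split an inventory into devices inside the targeted range, outside it,
    and devices whose version could not be parsed (manual follow-up)."""
    result = {"targeted": [], "outside": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev, ver = row["device_id"], row["os_version"]
        if parse_version(ver) is None:
            result["unknown"].append(dev)
        elif in_targeted_range(ver):
            result["targeted"].append(dev)
        else:
            result["outside"].append(dev)
    return result


if __name__ == "__main__":
    for bucket, devices in triage_inventory(SAMPLE_CSV).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Devices in the "unknown" bucket deserve attention too: a device that stops reporting its OS version to the MDM is one that cannot be shown to be patched.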
This is a serious escalation in mobile threat capabilities. The combination of multiple vulnerabilities, including zero-days, into a single exploit chain shows how advanced and accessible these attack tools have become. The “hit-and-run” approach is particularly concerning, as it minimizes detection while maximizing data theft. This should serve as a strong reminder for users and organizations to prioritize timely updates and adopt additional security measures, especially when handling sensitive data like cryptocurrency and personal communications.