DarkSword: A New iOS Exploit Chain Targeting Multiple Actors

Security brief

The Google Threat Intelligence Group (GTIG) has identified a new exploit chain named DarkSword, which has been utilized by various threat actors to compromise iOS devices. This exploit leverages multiple zero-day vulnerabilities, affecting iOS versions 18.4 through 18.7, and has been linked to campaigns targeting regions including Saudi Arabia, Turkey, Malaysia, and Ukraine.

Overview of DarkSword

DarkSword employs six distinct vulnerabilities to deploy final-stage payloads, leading to the installation of malware families such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The exploit chain's proliferation among different actors mirrors the previously noted Coruna iOS exploit kit.

Threat Actors and Campaigns

Since November 2025, GTIG has observed commercial surveillance vendors and suspected state-sponsored actors using DarkSword in various campaigns. Notable actors include:

  • UNC6748: Targeted Saudi Arabian users via a Snapchat-themed website.
  • PARS Defense: Conducted operations in Turkey and Malaysia, employing advanced obfuscation techniques.
  • UNC6353: A suspected Russian espionage group that has recently adopted DarkSword for watering hole attacks against Ukrainian users.

Technical Details

The DarkSword exploit chain is sophisticated, yet its mechanism for loading exploits is basic compared to other exploit kits. Each stage of the exploit is written in JavaScript, which simplifies executing the payloads because the chain does not need to bypass iOS's Page Protection Layer or Secure Page Table Monitor mitigations.

Vulnerabilities Exploited

| Exploit Module | CVE | Description | Patched in iOS Version(s) |
|---|---|---|---|
| rce_module.js | CVE-2025-31277 | Memory corruption vulnerability in JavaScriptCore | 18.6 |
| rce_worker_18.4.js | CVE-2026-20700 | User-mode PAC bypass in dyld | 26.3 |
| rce_worker_18.6.js | CVE-2025-43529 | Memory corruption vulnerability in JavaScriptCore | 18.7.3, 26.2 |

Recommendations

GTIG reported the vulnerabilities used in DarkSword to Apple in late 2025, leading to patches released in iOS 26.3. Users are strongly advised to update their devices to the latest iOS version. For those unable to update, enabling Lockdown Mode is recommended for enhanced security.
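
To act on this recommendation across a fleet, the sketch below checks device iOS versions against the fix versions in the table above and lists which of the three CVEs each device still lacks. It is an added example, not GTIG or Apple code; the device names and inventory are constructed, and the rule for carrying a fix across release trains (18.x versus 26.x) is an assumption stated in the code.

```python
# Added example: patch-gap triage using only the fix versions listed in this brief.
FIXES = {
    "CVE-2025-31277": ["18.6"],
    "CVE-2026-20700": ["26.3"],
    "CVE-2025-43529": ["18.7.3", "26.2"],
}
AFFECTED_RANGE = ((18, 4), (18, 7))  # chain affects iOS 18.4 through 18.7 per the brief

def parse(version):
    """'18.7.3' -> (18, 7, 3); missing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_fixed(device, fix_versions):
    """Assumption: a fix covers its own major train from that version on,
    and later trains only when no fix is listed for them separately."""
    dev = parse(device)
    fixes = [parse(f) for f in fix_versions]
    same_train = [f for f in fixes if f[0] == dev[0]]
    if same_train:
        return dev >= min(same_train)
    # No fix listed for this train: fixed only if every listed fix is in an older train.
    return all(f[0] < dev[0] for f in fixes)

def unpatched_cves(device):
    return sorted(cve for cve, fixes in FIXES.items() if not is_fixed(device, fixes))

def in_targeted_range(device):
    lo, hi = AFFECTED_RANGE
    return lo <= parse(device)[:2] <= hi  # any 18.7.x build counts as 18.7

def triage(inventory):
    """Return {device: (in_targeted_range, [unpatched CVEs])} for devices needing action."""
    report = {}
    for name, version in inventory.items():
        missing = unpatched_cves(version)
        if missing:
            report[name] = (in_targeted_range(version), missing)
    return report

# Constructed inventory with hypothetical device names, e.g. taken from an MDM export.
SAMPLE = {"exec-phone": "18.5", "lab-ipad": "18.7.3", "field-01": "26.2", "field-02": "26.3"}

if __name__ == "__main__":
    for name, (targeted, cves) in triage(SAMPLE).items():
        print(f"{name}: targeted_range={targeted} unpatched={', '.join(cves)}")
```

Going only by the table, a device on 18.7.3 or 26.2 still lacks the fix for CVE-2026-20700, which is why the sample inventory clears only the device on 26.3.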

Conclusion

The emergence of DarkSword highlights the ongoing risk of exploit proliferation among various actors. Continued vigilance and timely updates are essential for mitigating these threats.

Based on findings from the Google Threat Intelligence Group.

Reviewed by WTGuru editorial team.