Ifindal
2026-05-03
Cybersecurity

DarkSword iOS Exploit Chain: A Growing Threat Across Multiple Actors and Regions

Google Threat Intelligence reveals DarkSword, an iOS exploit chain used by multiple threat actors since Nov 2025, targeting several countries with zero-day vulnerabilities.

Overview of DarkSword

In late 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated iOS exploit chain dubbed DarkSword. This full-chain exploit leverages multiple zero-day vulnerabilities to gain complete control over targeted devices. Since at least November 2025, GTIG has observed a troubling proliferation: several commercial surveillance vendors and suspected state-sponsored groups have adopted DarkSword for distinct campaigns. Victims have been identified in Saudi Arabia, Turkey, Malaysia, and Ukraine.

[Image: DarkSword iOS exploit chain; source: www.mandiant.com]

Vulnerabilities and Affected iOS Versions

DarkSword targets iOS 18.4 through 18.7 and chains six distinct vulnerabilities to deliver its final-stage payloads. GTIG reported all six to Apple; the last of them were fixed with the release of iOS 26.3, and most had already been fixed in earlier releases. Chaining several flaws this way is what lets the kit defeat each successive security layer on the device, and it reflects a high degree of technical sophistication.

Discovery Timeline

GTIG's monitoring detected the first DarkSword campaigns in November 2025. The timeline (see Figure 1 in the original report) shows rapid spread across different threat actors, a pattern that mirrors the earlier Coruna iOS exploit kit, which was also adopted widely. Notably, UNC6353, a suspected Russian espionage group previously seen using Coruna, has now integrated DarkSword into its watering hole attacks.

Threat Actors and Campaigns

UNC6748: Saudi Arabian Users Targeted via Snapchat Lure

In early November 2025, GTIG identified the cluster UNC6748 using a deceptive website, snapshare[.]chat, styled after Snapchat to lure users in Saudi Arabia. The landing page contained obfuscated JavaScript that created an iframe to fetch a secondary resource, frame.html. Before loading the iframe, the script checked for a session storage key named uid and set it if absent, most likely to avoid serving the exploit twice to the same browser or to track victims. The campaign shows how DarkSword is delivered through social engineering rather than any zero-click vector.
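As an added example (not code from the GTIG report or from the actual landing page), the following Python script triages captured HTML for the three behaviours described above: an inline script gated on a sessionStorage key named uid, a dynamically created iframe, and a reference to frame.html. The two HTML samples are constructed to illustrate the pattern, and the IOC host list is a hypothetical placeholder holding only the one domain the article names.

```python
"""Triage helper for captured landing pages, matching the delivery pattern the
article describes for the UNC6748 snapshare[.]chat lure: inline script that
gates on a sessionStorage key named "uid", creates an iframe dynamically, and
points it at frame.html.  Added example, not GTIG/Mandiant tooling.  The two
HTML samples are constructed for illustration, not captured from the real site."""
import re
from html.parser import HTMLParser

# Constructed sample that mimics the described behaviour (not the real page).
SUSPECT_HTML = """<html><body>
<div id="app">Share on Snapchat</div>
<script>
(function(){
  if(!sessionStorage.getItem('uid')){
    sessionStorage.setItem('uid', Math.random().toString(36).slice(2));
    var f=document.createElement('iframe');
    f.style.display='none';
    f.src='frame.html';
    document.body.appendChild(f);
  }
})();
</script>
</body></html>"""

# Constructed benign page: uses sessionStorage and an iframe, but not the pattern.
BENIGN_HTML = """<html><body>
<script>sessionStorage.setItem('theme','dark');</script>
<iframe src="https://example.com/embed" title="player"></iframe>
</body></html>"""

# Hypothetical IOC list: the article names only snapshare[.]chat.
KNOWN_DELIVERY_HOSTS = {"snapshare.chat"}


class PageExtractor(HTMLParser):
    """Collect inline <script> bodies and static <iframe src> attributes."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.iframe_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframe_srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


# Each regex targets one element of the described loader.
SESSION_UID = re.compile(r"sessionStorage\s*\.\s*(?:getItem|setItem)\s*\(\s*['\"]uid['\"]")
DYNAMIC_IFRAME = re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)")
FRAME_HTML = re.compile(r"['\"][^'\"]*\bframe\.html['\"]")


def score_page(html, host=None):
    """Return which indicators fired and an overall verdict for one page."""
    p = PageExtractor()
    p.feed(html)
    js = "\n".join(p.scripts)
    hits = {
        "session_uid_gate": bool(SESSION_UID.search(js)),
        "dynamic_iframe": bool(DYNAMIC_IFRAME.search(js)),
        "frame_html": bool(FRAME_HTML.search(js))
        or any(s.rsplit("/", 1)[-1] == "frame.html" for s in p.iframe_srcs),
        "known_host": host in KNOWN_DELIVERY_HOSTS,
    }
    # All three behavioural indicators together, or a known host, is a match.
    behavioural = (hits["session_uid_gate"] and hits["dynamic_iframe"]
                   and hits["frame_html"])
    hits["suspicious"] = behavioural or hits["known_host"]
    return hits


if __name__ == "__main__":
    for name, html in (("suspect", SUSPECT_HTML), ("benign", BENIGN_HTML)):
        print(name, score_page(html))
```

The behavioural checks only fire when the string literals are visible in the script. Since the real loader was obfuscated, a production version should run the same checks over the script after deobfuscation (or over a DOM snapshot taken in a sandboxed browser) and lean on the host IOC match as the primary signal.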

[Image: DarkSword iOS exploit chain; source: www.mandiant.com]

UNC6353 and Broader State-Sponsored Use

Beyond UNC6748, GTIG assesses that other commercial surveillance vendors and state actors are likely leveraging DarkSword. The appearance of the same exploit chain across disparate groups suggests a shared source or a marketplace for the exploit. The involvement of UNC6353 (a Russian espionage actor) adds a geopolitical dimension, with campaigns observed in Turkey and Ukraine.

Malware Payloads: GHOSTBLADE, GHOSTKNIFE, GHOSTSABER

Once DarkSword compromises a device, it drops one of three known malware families. GTIG has named them GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These payloads perform various espionage functions, including data exfiltration and persistent surveillance. The diversity of malware suggests that different actors customize the final stage to suit their objectives.

Mitigation and Response

Apple has patched all of the vulnerabilities DarkSword exploits; the last fixes shipped in iOS 26.3, and most of the flaws had already been fixed in earlier releases. GTIG has added the domains used for DarkSword delivery to Safe Browsing. Users are strongly urged to update to the latest iOS version. For devices that cannot be updated yet, enabling Lockdown Mode adds a layer of protection, but it reduces the attack surface rather than removing the underlying bugs, so it is a stopgap and not a substitute for patching. This research is published in coordination with industry partners Lookout and iVerify.
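For a fleet administrator, the practical question is which devices sit in the targeted range and still lack the fix. The script below is an added example, not part of the GTIG report or of any Apple or MDM tool; it assumes only the facts in the article (targeted range 18.4 through 18.7, all fixes present by iOS 26.3) and runs over a constructed inventory export. Because the article does not say which earlier release carried which fix, a device below 26.3 that is outside the targeted range is reported as "below-fix" rather than as safe.

```python
"""Fleet triage for the iOS range DarkSword targets.  Added example, not part of
the GTIG report or any Apple/MDM tool.  It assumes the article's facts only:
targeted range 18.4 through 18.7, all six bugs fixed by iOS 26.3, and the
inventory CSV below is constructed.  Versions outside the targeted range but
below 26.3 are reported as "below-fix", not as safe, because the article does
not say which earlier releases carried which fixes."""
import csv
import io

AFFECTED_MIN = (18, 4)   # inclusive, major.minor
AFFECTED_MAX = (18, 7)   # inclusive, major.minor
FIXED_RELEASE = (26, 3)  # everything at or above this is treated as patched

# Constructed MDM export (not real data).
INVENTORY_CSV = """device_id,model,os_version,lockdown_mode
d-001,iPhone 15,18.4.1,false
d-002,iPhone 13,18.7,true
d-003,iPhone 16,26.3,false
d-004,iPhone 12,18.3.2,false
d-005,iPhone 14,26.2.1,false
d-006,iPad Pro,18.5,false
"""


def parse_version(text):
    """'18.4.1' -> (18, 4, 1).  Tuples compare numerically, so 18.10 > 18.9;
    comparing the raw strings would get that wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def in_targeted_range(version):
    """True for 18.4.x through 18.7.x, the range the article names."""
    return AFFECTED_MIN <= version[:2] <= AFFECTED_MAX


def classify(os_version, lockdown_mode):
    """Status for one device: patched, affected, affected-lockdown or below-fix."""
    version = parse_version(os_version)
    if version >= FIXED_RELEASE:
        return "patched"
    if in_targeted_range(version):
        # Lockdown Mode narrows the attack surface but does not remove the bugs.
        return "affected-lockdown" if lockdown_mode else "affected"
    return "below-fix"


def triage(inventory_csv):
    """Map device_id -> status for every row of an inventory export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {
        row["device_id"]: classify(row["os_version"],
                                   row["lockdown_mode"].strip().lower() == "true")
        for row in rows
    }


def update_queue(inventory_csv):
    """Device ids ordered by urgency: targeted range without Lockdown Mode first,
    then targeted range with Lockdown Mode, then everything else below the fix."""
    order = {"affected": 0, "affected-lockdown": 1, "below-fix": 2, "patched": 3}
    statuses = triage(inventory_csv)
    return [device for device, status in
            sorted(statuses.items(), key=lambda kv: (order[kv[1]], kv[0]))
            if status != "patched"]


if __name__ == "__main__":
    for device, status in triage(INVENTORY_CSV).items():
        print(device, status)
    print("update order:", update_queue(INVENTORY_CSV))
```

Swap the constructed CSV for a real MDM export with the same column names, or adapt the column names in triage(); the numeric tuple comparison in parse_version is the part worth keeping, since naive string comparison misorders minor versions with two digits.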
