DarkSword: The iOS Zero-Day Exploit Chain Now Widely Used by Multiple Threat Groups
A sophisticated piece of malware, likely designed by a government entity, has been targeting iOS devices through a full-chain exploit. Dubbed DarkSword, this threat was uncovered by the Google Threat Intelligence Group (GTIG), which traced its origins to multiple zero-day vulnerabilities. Since at least November 2025, commercial surveillance vendors and suspected state-sponsored actors have been deploying DarkSword in distinct campaigns across several countries.
Discovery and Attribution
GTIG identified DarkSword after analyzing recovered payloads from compromised devices. The exploit chain leverages six different vulnerabilities to gain full control over iPhones running iOS versions 18.4 through 18.7. Based on toolmarks found in the malware, researchers believe DarkSword was engineered by a government-backed entity, although the exact origin remains unconfirmed.
Vulnerabilities and Affected iOS Versions
DarkSword exploits a series of zero-day flaws that allow it to bypass iOS security measures. The full-chain attack uses these vulnerabilities in sequence to execute final-stage payloads without user interaction. GTIG has confirmed that the exploit works on iOS 18.4 to 18.7, making a substantial number of devices vulnerable before patches were released.
Malware Families Deployed
Following a successful DarkSword compromise, GTIG observed three distinct malware families being deployed:
- GHOSTBLADE – A stealthy backdoor that establishes persistent remote access.
- GHOSTKNIFE – A data exfiltration tool designed to steal sensitive information.
- GHOSTSABER – A modular implant capable of executing additional commands.
These payloads are tailored to the attacker’s objectives, ranging from espionage to surveillance.
Threat Actors and Campaigns
DarkSword has been deployed in multiple targeted campaigns, with victims identified in Saudi Arabia, Turkey, Malaysia, and Ukraine. The threat actors behind these operations include commercial surveillance vendors and state-sponsored groups. Notably, UNC6353—a suspected Russian espionage group previously linked to the Coruna iOS exploit kit—has now incorporated DarkSword into their watering hole attacks. This pattern of a single exploit chain being used by disparate groups mirrors the earlier spread of Coruna.
Leak and Current Risk
Approximately one week after GTIG’s initial discovery, a version of the DarkSword exploit chain leaked publicly on the internet. This has enabled a broader range of malicious actors to access the tool, increasing the overall threat landscape. However, the information in this article is based on reports that are now a month old. Apple has since released security updates that address the vulnerabilities exploited by DarkSword. As long as users keep their iOS devices updated with the latest patches, the risk of infection is significantly reduced.
Staying Safe
To protect against DarkSword and similar threats, always install the latest iOS updates promptly. Avoid clicking on suspicious links or downloading untrusted apps. For organizations, implementing robust mobile device management and monitoring for unusual network activity can help detect potential compromises.
Related Articles
- Urgent: Cybersecurity Experts Warn of Rising Destructive Attack Threats - New 2026 Preparedness Guide Released
- How to Detect and Remediate Malicious Container Images from the KICS and Trivy Supply Chain Attacks
- Microsoft's March 2026 Security Patch: 77 Vulnerabilities Fixed, No Zero-Days But AI-Discovered Bug Raises Eyebrows
- BRICKSTORM Malware: Defending vSphere Environments
- Cybersecurity Roundup: SMS Blaster Fraud, OpenEMR Vulnerabilities, and Massive Roblox Breach
- New npm Attack Vectors Emerge: Wormable Malware and CI/CD Pipeline Breaches Revealed
- 5 Critical Lessons from the 2026 Docker Hub Supply Chain Attacks on Trivy and KICS
- How Frontier AI is Transforming Cyber Defense: A Q&A