
DarkSword iOS Exploit Chain Now Used by Multiple Threat Actors in Global Cyberattacks

Last updated: 2026-05-04 14:02:33 · Cybersecurity

Urgent: DarkSword iOS Exploit Chain Spotted in Coordinated Attacks

Breaking — Google Threat Intelligence Group has uncovered a sophisticated iOS exploit chain, dubbed DarkSword, that has been actively deployed by at least three commercial surveillance vendors and suspected state-sponsored groups since November 2025. The campaign targets users in Saudi Arabia, Turkey, Malaysia, and Ukraine.

[Image: DarkSword iOS Exploit Chain Now Used by Multiple Threat Actors in Global Cyberattacks. Source: www.mandiant.com]

The exploit chain leverages six zero-day vulnerabilities affecting iOS versions 18.4 through 18.7. Apple has since patched all flaws with the release of iOS 26.3, but many users remain vulnerable if they have not updated.

Expert Commentary

“DarkSword represents a dangerous escalation in the commoditization of mobile exploit chains,” said a senior threat analyst at Google Threat Intelligence Group. “We are seeing the same tool being used by disparate actors, indicating it is likely being sold or traded among cyber mercenary groups.”

Another GTIG researcher added: “The proliferation mirrors what we saw with the Coruna iOS exploit kit. This is a troubling trend that lowers the barrier for entry into high-end mobile espionage.”

How DarkSword Works

After successful infection, victims are hit with one of three malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. These payloads enable full device compromise, including data theft and persistent access.

Recent Campaigns

Snapchat-Themed Lure Targets Saudi Arabia (UNC6748)

In November 2025, the threat actor UNC6748 set up a fake Snapchat page at snapshare[.]chat. The site used obfuscated JavaScript to deliver the DarkSword chain to Saudi users.

The page created a hidden iframe that fetched a second-stage resource (frame.html). Before doing so it checked a session storage key so that the same browser session was not infected twice, a guard likely intended to evade detection.
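A defender-side triage script for the loader pattern described above, added here as an example (not tooling from GTIG, Mandiant or the article). It scans a saved page capture for the combination of a dynamically created iframe pulling frame.html and a sessionStorage key used as a one-shot gate; the indicator names, regexes and sample snippets are constructed for this example, not a published signature.

```python
import re

# Indicator regexes, deliberately loose: run them over the decoded or
# beautified capture, since real lures obfuscate the raw script.
INDICATORS = {
    "dynamic_iframe": re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)", re.I),
    "second_stage_frame": re.compile(r"frame\.html", re.I),
    "session_gate_read": re.compile(r"sessionStorage\s*\.\s*getItem\s*\(", re.I),
    "session_gate_write": re.compile(r"sessionStorage\s*\.\s*setItem\s*\(", re.I),
}


def scan_capture(source: str) -> dict:
    """Return per-indicator hits plus a verdict for one captured page."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    # The article's pattern is the combination: an injected frame fetching a
    # second stage AND a storage key consulted and set around it. Either half
    # alone is common on legitimate pages (embeds, consent banners), so only
    # the pairing is escalated to "review"; a lone half is "weak".
    loader = hits["dynamic_iframe"] and hits["second_stage_frame"]
    gate = hits["session_gate_read"] and hits["session_gate_write"]
    if loader and gate:
        verdict = "review"
    elif loader or gate:
        verdict = "weak"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


# Constructed samples (not captures from the real lure).
SUSPICIOUS_SAMPLE = """<script>
if (!sessionStorage.getItem('seen')) {
  var f = document.createElement('iframe');
  f.style.display = 'none';
  f.src = '/frame.html';
  document.body.appendChild(f);
  sessionStorage.setItem('seen', '1');
}
</script>"""

CONSENT_SAMPLE = """<script>
if (!sessionStorage.getItem('consent')) {
  showBanner();
  sessionStorage.setItem('consent', 'asked');
}
</script>"""

BENIGN_SAMPLE = """<script>
var f = document.createElement('iframe');
f.src = 'https://example.com/embed/player';
document.body.appendChild(f);
</script>"""
```

Because the gate lives in sessionStorage, a second visit in the same tab session shows nothing; capture the page in a fresh browser session or the loader half never appears.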

Russian Espionage Group UNC6353 Adopts DarkSword

Suspected Russian state-sponsored group UNC6353, previously linked to Coruna, has now integrated DarkSword into its watering hole campaigns. Targets have been observed in Ukraine, Turkey, and Malaysia.

Background

DarkSword was first detected by GTIG in late 2025. The exploit chain uses six zero-day flaws, all reported to Apple and patched in iOS 26.3. The vulnerabilities were also addressed in earlier iOS updates for most versions. Google has added involved domains to Safe Browsing and urges immediate updates.


The research was conducted in coordination with security firms Lookout and iVerify.

What This Means

The proliferation of DarkSword signals the emergence of a new exploit-as-a-service ecosystem for iOS. As more criminal and state actors gain access to such tools, the threat to high-value individuals — journalists, activists, executives — intensifies.

“This is no longer the domain of just a few advanced nations,” the GTIG analyst warned. “Commercial vendors are now enabling a wider range of threat actors to conduct targeted mobile espionage.”

Protection Steps

  • Update to the latest iOS version (26.3 or later).
  • Enable Lockdown Mode if you cannot update.
  • Avoid clicking on suspicious links or visiting untrusted websites.

For further details, see the Discovery Timeline or Technical Analysis.

Discovery Timeline

GTIG observed DarkSword activity as early as November 2025. UNC6748 was the first identified user, followed by UNC6353 and other unnamed actors. The exploit chain was actively deployed for at least three months before patches were issued.

Technical Details of Exploit Chain

DarkSword exploits six vulnerabilities, including memory corruption bugs and a kernel privilege escalation. The flaws are chained together to achieve remote code execution without user interaction. The payloads are modular and can be customized by the operator.

Full technical analysis is available in the Google Threat Intelligence report.