DarkSword iOS Zero-Day Exploit Chain Unleashed in Global Cyberattacks

Last updated: 2026-05-06 18:33:41 · Cybersecurity

Breaking: DarkSword Exploit Compromises iPhones via Six Zero-Days

A sophisticated iOS exploit chain, dubbed DarkSword, is actively being used by both commercial surveillance vendors and state-sponsored groups to fully compromise devices running iOS 18.4 through 18.7, Google Threat Intelligence Group (GTIG) has confirmed.

DarkSword iOS Zero-Day Exploit Chain Unleashed in Global Cyberattacks
Source: www.schneier.com

The exploit leverages six zero-day vulnerabilities in a full-chain attack, enabling threat actors to deploy final-stage payloads without any user interaction. GTIG has observed targets in Saudi Arabia, Turkey, Malaysia, and Ukraine since November 2025.

"This is a modular, high-sophistication exploit framework that rivals government-grade capabilities," said a GTIG security researcher. "Its rapid adoption across multiple threat actors indicates a leaked or shared tool that is now widely available."

Background: From Discovery to Proliferation

GTIG identified the exploit chain based on toolmarks found in recovered payloads, naming it DarkSword. Within a week of its initial detection, a version of DarkSword leaked onto the open internet, dramatically expanding its usage beyond the original operators.

The exploit supports iOS versions 18.4 through 18.7 and uses six distinct zero-days to bypass Apple's security layers. Three malware families have been linked to successful DarkSword infections: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

  • GHOSTBLADE: Advanced persistent surveillance tool
  • GHOSTKNIFE: Data exfiltration and keylogging module
  • GHOSTSABER: Full remote control and file manipulation

The spread mirrors that of the earlier Coruna iOS exploit kit, which was also used by multiple threat actors. Notably, UNC6353, a suspected Russian espionage group, has transitioned from Coruna to DarkSword in its watering hole attacks.

Active Campaigns and Targets

GTIG has tracked distinct campaigns employing DarkSword since November 2025. The identified victims include high-value individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine.

"We're seeing both espionage-motivated actors and commercial spyware vendors using the exact same exploit chain," noted a cyber threat intelligence analyst. "This convergence is extremely dangerous and suggests the tool is being rented or sold."

What This Means for iOS Users

The immediate risk is highest for targeted individuals—journalists, activists, and government officials. However, the leak of DarkSword onto the public web increases the likelihood of broader, untargeted attacks.

Patching is critical. Apple has released security updates for the six zero-days exploited by DarkSword. Users running iOS 18.7 or later with the latest patches are currently protected against known variants.

"If you haven't updated your iPhone in the past week, do so immediately," urged a mobile security expert. "DarkSword is a live, active threat that can take full control of an unpatched device."

Organizations should enforce mandatory updates and monitor for indicators of compromise such as unexpected data usage or unusual background processes. GTIG continues to track DarkSword and will provide updates as new information emerges.