DarkSword iOS Exploit Kit Uses Six Vulnerabilities Including Three Zero Days for Full Device Takeover

A sophisticated iOS exploit framework known as DarkSword has been actively used by multiple threat actors since late 2025 to compromise Apple devices and extract sensitive user data. Research from Google Threat Intelligence Group (GTIG), iVerify, and Lookout reveals that the exploit kit enables near-complete device takeover with minimal user interaction.

DarkSword has been deployed in campaigns targeting regions such as Saudi Arabia, Turkey, Malaysia, and Ukraine, and is believed to be used by both commercial surveillance vendors and suspected state-sponsored actors.

A New Wave of iOS Exploit Kits

The discovery of DarkSword follows closely after another exploit kit, Coruna, highlighting a growing ecosystem of advanced iOS attack frameworks. These kits are designed to provide attackers with full-chain exploitation capabilities, enabling complete control over targeted devices.

DarkSword specifically targets iPhones running iOS versions 18.4 through 18.7, and has been linked to a threat group identified as UNC6353, which has previously conducted attacks against Ukrainian users.


Multi-Stage Exploit Chain

The DarkSword framework uses six vulnerabilities, including three zero-days, to execute its attack chain:

Three of these vulnerabilities were exploited as zero-days before being patched by Apple.

The attack begins when a user visits a compromised website through Safari. A hidden iFrame loads malicious JavaScript that fingerprints the device and determines whether it matches the targeted iOS version.
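The fingerprinting script described above checks whether a visitor's iOS version falls inside the window the article reports (18.4 through 18.7); a defender can run the same comparison over an MDM inventory or web-server logs to find iPhones still in that window and prioritise them for updates. This is an added example, not code from the article or from GTIG, iVerify or Lookout; the record layout, the sample inventory and the Safari user-agent format it parses are constructed assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Inclusive iOS version window the article reports DarkSword targeting.
TARGETED_MIN = (18, 4)
TARGETED_MAX = (18, 7)

# Safari on iPhone reports the OS as e.g. "CPU iPhone OS 18_5_1 like Mac OS X"
# (assumed format, constructed for this example).
_IOS_UA_RE = re.compile(r"CPU iPhone OS (\d+)_(\d+)(?:_(\d+))?")
_DOTTED_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor[, patch]) from a dotted version or an iOS user-agent."""
    m = _IOS_UA_RE.search(text) or _DOTTED_RE.fullmatch(text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def in_targeted_range(version: Tuple[int, ...]) -> bool:
    """True when major.minor lies inside the reported window.

    Compare numerically: string comparison would rank "18.10" below "18.7".
    """
    return TARGETED_MIN <= version[:2] <= TARGETED_MAX


def triage(records: Iterable[Tuple[str, str]]) -> List[str]:
    """Return device ids whose version (or user-agent) is in the targeted window."""
    exposed = []
    for device_id, text in records:
        v = parse_version(text)
        if v is not None and in_targeted_range(v):
            exposed.append(device_id)
    return exposed


# Constructed sample inventory mixing MDM version strings and a log user-agent.
SAMPLE_RECORDS = [
    ("iphone-a", "18.3.2"),                                   # below window
    ("iphone-b", "18.5"),                                     # in window
    ("iphone-c", "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_1 like Mac OS X)"),
    ("iphone-d", "18.10"),                                    # above window
    ("unknown-f", "n/a"),                                     # unparseable
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))  # ['iphone-b', 'iphone-c']
```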

How the Attack Works

Once triggered, the exploit chain:

  1. Achieves remote code execution through JavaScriptCore vulnerabilities
  2. Escapes the Safari sandbox using GPU-related flaws
  3. Injects into system-level processes such as mediaplaybackd
  4. Escalates privileges using kernel vulnerabilities

This process ultimately allows attackers to run code with elevated permissions and access restricted system areas.

Data Theft Capabilities

The deployed malware, often referred to as GHOSTBLADE, is capable of extracting a wide range of sensitive information, including:

  • Emails and iCloud files
  • Contacts, SMS, and call logs
  • Browser history and cookies
  • Cryptocurrency wallet and exchange data
  • Usernames and passwords
  • Photos and app data
  • Wi-Fi credentials and location history
  • Messages from apps like Telegram and WhatsApp

Hit-and-Run Data Exfiltration

Unlike traditional spyware, DarkSword follows a “hit-and-run” approach. It rapidly collects and exfiltrates data within seconds or minutes, then removes traces of its activity to minimize detection.

This approach reduces dwell time and makes forensic analysis significantly more difficult.

Expanding Threat Landscape

The exploit kit has also been linked to other threat actors:

  • UNC6748 – Targeted users via a fake Snapchat-themed website to deploy a JavaScript backdoor known as GHOSTKNIFE
  • PARS Defense – A Turkish surveillance vendor that used DarkSword to deploy GHOSTSABER for device enumeration and data theft

The attacks primarily rely on watering hole techniques, where legitimate websites are compromised to deliver exploits to visitors.

Key Security Concerns

Researchers highlight several critical risks:

  • Growth of a commercial exploit market
  • Availability of advanced tools to financially motivated actors
  • Increased use of zero-day vulnerabilities
  • Large number of unpatched iOS devices at risk
