DarkSword iOS Exploit Kit: Russian Hackers Weaponize Six Vulnerabilities for Full iPhone Takeover

Google Threat Intelligence Group (GTIG), iVerify, and Lookout have jointly uncovered DarkSword, a sophisticated iOS exploit kit that enables complete device compromise with minimal user interaction. The kit, operational since at least November 2025, has been deployed by suspected Russian state-sponsored actors targeting Ukrainian users, as well as commercial surveillance vendors across multiple countries.

Six Vulnerabilities, Three Zero-Days

DarkSword chains together six distinct vulnerabilities to achieve full device access:

  • CVE-2025-31277 – JavaScriptCore memory corruption (patched in iOS 18.6)
  • CVE-2026-20700 – dyld pointer authentication bypass (zero-day, patched in iOS 26.3)
  • CVE-2025-43529 – JavaScriptCore garbage collection bug (zero-day, patched in iOS 18.7.3/26.2)
  • CVE-2025-14174 – ANGLE memory corruption (zero-day, patched in iOS 18.7.3/26.2)
  • CVE-2025-43510 – iOS kernel memory management flaw (patched in iOS 18.7.2/26.1)
  • CVE-2025-43520 – iOS kernel memory corruption (patched in iOS 18.7.2/26.1)

The exploit kit targets iPhones running iOS versions 18.4 through 18.7, affecting potentially hundreds of millions of devices worldwide.

Attack Chain and GHOSTBLADE Payload

When a victim visits a compromised website via Safari, DarkSword’s JavaScript framework fingerprints the device to determine whether it runs a vulnerable iOS build before delivering the exploit. The attack proceeds through multiple stages:

  1. Initial JavaScript exploitation achieves remote code execution
  2. Sandbox escape from WebContent to GPU process via WebGPU
  3. Privilege escalation through injection into mediaplaybackd daemon
  4. Kernel exploitation for arbitrary read/write capabilities
  5. Deployment of GHOSTBLADE dataminer malware

GHOSTBLADE harvests an extensive range of sensitive data including emails, iCloud Drive files, contacts, SMS messages, Safari history, cryptocurrency wallet data, credentials, photos, call history, WiFi passwords, location history, and message histories from Telegram and WhatsApp.

Russian Espionage Nexus

GTIG attributes DarkSword deployment to UNC6353, a suspected Russian espionage group that has also utilized the recently discovered Coruna exploit kit. The group primarily targets Ukrainian users through watering hole attacks on compromised websites.

Beyond state-sponsored operations, commercial surveillance vendors including Turkey’s PARS Defense have been observed using DarkSword in campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine.

Hit-and-Run Methodology

Unlike traditional spyware designed for persistent surveillance, DarkSword operates on a “hit-and-run” model. According to Lookout, the malware collects and exfiltrates targeted data within seconds to minutes, then performs cleanup operations to minimize dwell time and forensic evidence.

“Given that both Coruna and DarkSword have capabilities for cryptocurrency theft and intelligence gathering, we must consider the possibility that UNC6353 is a Russia-backed privateer group or criminal proxy threat actor,” Lookout researchers noted.

Defensive Recommendations

  • Update immediately to iOS 26.3 or later to patch all exploited vulnerabilities
  • Enable Lockdown Mode for high-risk users
  • Audit organizational devices for iOS versions in the vulnerable range (18.4-18.7)
  • Monitor for unusual network traffic to unknown infrastructure
  • Consider mobile threat detection solutions capable of identifying exploit kit behavior
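An added example of the inventory audit the recommendations call for, not code from the GTIG, iVerify or Lookout reports: it encodes the per-CVE patch levels listed above and reports, per device, whether it sits in the targeted 18.4 through 18.7 range and which chain CVEs its iOS build still lacks a fix for. The device inventory is constructed, and the rule that a fix listed for one iOS branch applies only within that branch (with newer majors treated as fixed) is an assumption of this example.

```python
from typing import Dict, List

# Fixed iOS versions per CVE, as listed in the article (one entry per
# iOS release branch that received the fix).
DARKSWORD_FIXES: Dict[str, List[str]] = {
    "CVE-2025-31277": ["18.6"],
    "CVE-2026-20700": ["26.3"],
    "CVE-2025-43529": ["18.7.3", "26.2"],
    "CVE-2025-14174": ["18.7.3", "26.2"],
    "CVE-2025-43510": ["18.7.2", "26.1"],
    "CVE-2025-43520": ["18.7.2", "26.1"],
}

# Constructed inventory (device label -> reported iOS version); not real data.
INVENTORY = {"ceo-iphone": "18.6.2", "field-01": "18.7.3",
             "field-02": "26.1", "lab-01": "26.3"}

def parse_version(version: str) -> tuple:
    """'18.7.3' -> (18, 7, 3); tuple comparison orders versions correctly."""
    return tuple(int(part) for part in version.split("."))

def has_fix(device_version: str, fixed_versions: List[str]) -> bool:
    """True if the device's branch carries the fix for one CVE.
    Assumption (not stated in the article): a fix listed for branch N.x applies
    only within that branch, and a device on a newer major than every listed
    fix is treated as fixed because Apple carries fixes forward."""
    dev = parse_version(device_version)
    fixes = [parse_version(f) for f in fixed_versions]
    for fix in fixes:
        if dev[0] == fix[0]:
            return dev >= fix
    return dev[0] > max(fix[0] for fix in fixes)

def unpatched_cves(device_version: str) -> List[str]:
    """CVEs in the DarkSword chain that this iOS version lacks a fix for."""
    return sorted(cve for cve, fixes in DARKSWORD_FIXES.items()
                  if not has_fix(device_version, fixes))

def in_targeted_range(device_version: str) -> bool:
    """iOS 18.4 through 18.7.x, the range the article says the kit targets."""
    parts = parse_version(device_version)
    minor = parts[1] if len(parts) > 1 else 0
    return parts[0] == 18 and 4 <= minor <= 7

def audit(inventory: Dict[str, str]) -> Dict[str, dict]:
    """Per device: in the targeted range? which chain CVEs remain unpatched?"""
    return {name: {"targeted": in_targeted_range(ver),
                   "unpatched": unpatched_cves(ver)}
            for name, ver in inventory.items()}
```

Note that a device fully patched on the 18.7 branch still shows CVE-2026-20700 as open, since the article lists that fix only in iOS 26.3, which is why the first recommendation is to move to 26.3 rather than to the latest 18.7.x build.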

Why This Matters

DarkSword represents the second sophisticated iOS exploit kit discovered within a month, following Coruna. The rapid proliferation of these tools across nation-state actors and commercial surveillance vendors demonstrates that top-tier mobile exploits are increasingly available to threat actors beyond elite intelligence services. Organizations with staff operating in conflict zones or high-risk regions should prioritize iOS patching and mobile security controls.

Source: The Hacker News | Google TIG Report