DarkSword - New iOS Exploit Chain Adopted by Threat Actors
Basically, DarkSword is a new tool that hackers use to break into iPhones.
A new iOS exploit chain called DarkSword is being used by various threat actors. This poses serious risks to users' devices and data. Security experts recommend updating iOS to mitigate these threats.
The Threat
The Google Threat Intelligence Group (GTIG) has uncovered a new exploit chain for iOS devices named DarkSword. This exploit leverages multiple zero-day vulnerabilities to fully compromise devices running iOS versions 18.4 through 18.7. Since its discovery in November 2025, DarkSword has been adopted by various threat actors, including commercial surveillance vendors and suspected state-sponsored groups. Notably, it has been observed in campaigns targeting users in countries like Saudi Arabia, Turkey, Malaysia, and Ukraine.
DarkSword utilizes a complex mechanism involving six different vulnerabilities to deploy its final payloads. Among the malware families associated with DarkSword, GHOSTKNIFE stands out as a significant threat. This malware is designed to exfiltrate sensitive data, including messages and location history, from compromised devices. The emergence of DarkSword highlights a troubling trend where multiple threat actors are leveraging the same exploit chain for diverse malicious purposes.
Who's Behind It
The exploit chain has been linked to various threat actors, including the UNC6748 group, which has been observed using DarkSword to target individuals through deceptive websites. This group has shown a keen interest in exploiting vulnerabilities to gain unauthorized access to devices. PARS Defense, a surveillance vendor, has also been implicated in using DarkSword in its operations, particularly in Turkey and Malaysia.
What makes DarkSword particularly alarming is its adoption by state-sponsored actors like UNC6353, a suspected Russian espionage group. This group has integrated DarkSword into their watering hole attacks, further emphasizing the exploit's versatility and threat level. The use of such sophisticated tools by various actors raises concerns about the potential for widespread exploitation.
Tactics & Techniques
DarkSword employs a multi-stage infection process, beginning with a deceptive landing page that tricks users into executing malicious scripts. The exploit chain is capable of adapting to the different vulnerable iOS versions it targets, so that a single chain remains effective across the affected releases. Once a device is compromised, the GHOSTKNIFE payload can gather extensive data from it, including account information and audio recordings.
Moreover, the exploit's design incorporates advanced techniques such as obfuscation and encryption, making it difficult for security researchers to analyze and mitigate its impact. This adaptability and stealthiness allow DarkSword to thrive in various environments, posing a significant risk to iOS users worldwide.
Defensive Measures
In response to the emergence of DarkSword, GTIG has taken proactive steps by reporting the vulnerabilities used in this exploit chain to Apple. All identified vulnerabilities were subsequently patched in the release of iOS 26.3. Users are therefore strongly urged to update their devices to the latest version of iOS to protect against potential exploitation.
For those unable to update, enabling Lockdown Mode is recommended as an additional layer of security. Furthermore, users should remain vigilant and avoid clicking on suspicious links or visiting untrusted websites. The proliferation of DarkSword serves as a stark reminder of the evolving threat landscape in cybersecurity, necessitating continuous awareness and proactive defenses.
Mandiant Threat Intel