Google Threat Intelligence Group (GTIG) has uncovered a highly sophisticated iOS full-chain exploit dubbed DarkSword.
Active since November 2025, the chain combines multiple zero-day vulnerabilities to fully compromise Apple devices running iOS 18.4 through 18.7.
DarkSword is unusual in that the entire chain, from the initial exploit to the final payload, is written in JavaScript, removing the need for a compiled binary.
Security researchers from Google have observed multiple threat actors, including state-sponsored espionage groups and commercial surveillance vendors, using this exploit chain to target high-profile victims in Saudi Arabia, Turkey, Malaysia, and Ukraine.
Threat Actor Attribution and Attack Methodologies
DarkSword has been adopted by at least three distinct threat actors, each tailoring the deployment mechanism to their specific operational needs.
The first cluster, identified as UNC6748, targeted users in Saudi Arabia using a deceptive Snapchat-themed website.
The loader was obfuscated and checked the browser's session storage so that a victim who had already been served the exploit would not be exploited a second time.
When a target opened the landing page, the loader pulled the remote code execution modules into a hidden iframe and, once exploitation succeeded, deployed the GHOSTKNIFE malware.
A second campaign was orchestrated by the Turkish commercial surveillance vendor PARS Defense.
They targeted users in Turkey and Malaysia with an enhanced version of the exploit loader.
This group applied stricter operational security, including encryption of the exploit payloads and more extensive device fingerprinting before delivery, and used the chain to deploy the GHOSTSABER backdoor.
Finally, the suspected Russian espionage group UNC6353 integrated DarkSword into a watering-hole campaign targeting Ukrainian websites. They injected malicious scripts into compromised sites to deliver the GHOSTBLADE data miner.
Interestingly, UNC6353 used only the exploit modules for iOS 18.4 through 18.6, despite the availability of an iOS 18.7 exploit.
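The loader behaviours the article attributes to the three campaigns (a session-storage gate against re-infection, a hidden iframe that pulls the exploit modules, and per-iOS-version module selection) can be turned into a first-pass static triage of scripts recovered from a suspect landing page or a compromised site. The block below is an added example written for this page; it is not code from GTIG's report, from Google, or from any of the campaigns. The three heuristics, the small obfuscation-unfolding step and the sample scripts are all constructed for the example and are assumptions, not published signatures.

```javascript
// Added example, not code from the GTIG report or the article.
// Static triage of page scripts for three loader behaviours described in the
// article: a sessionStorage gate that keeps a returning victim from being
// exploited twice, a hidden iframe used to pull the exploit modules, and
// selection of a module per iOS version. The regexes are heuristics
// (assumptions made for this example), not signatures published by Google.

const HEURISTICS = [
  {
    name: "sessionStorage re-infection gate",
    // both a read and a write of sessionStorage, written as .getItem or ["getItem"]
    patterns: [/sessionStorage\W{0,6}getItem/, /sessionStorage\W{0,6}setItem/],
  },
  {
    name: "hidden iframe loader",
    // an iframe is created and something on the page is hidden from the user
    patterns: [
      /createElement\W{0,6}['"]iframe['"]/,
      /(?:display\W{0,8}none|visibility\W{0,8}hidden)/,
    ],
  },
  {
    name: "iOS-version-gated module selection",
    // user agent is inspected and an iOS 18.4-18.7 version literal is present
    patterns: [/navigator\W{0,6}userAgent/, /\b18[._][4-7]\b/],
  },
];

// Undo two cheap obfuscation tricks before matching: \xNN and \uNNNN escapes
// inside string literals, and split strings joined with + ("sess" + "ion").
// Identifier renaming or runtime string decoding is NOT handled; see the note.
function normalize(src) {
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/(["'])\s*\+\s*\1/g, "");
}

// A heuristic fires only if every pattern in it matches the normalized script.
// Two or more independent behaviours in one script is the threshold used here
// for "suspicious"; a lone sessionStorage gate is common on legitimate sites.
function triageScript(src) {
  const text = normalize(src);
  const hits = HEURISTICS.filter((h) => h.patterns.every((re) => re.test(text)))
    .map((h) => h.name);
  return { hits, suspicious: hits.length >= 2 };
}

function triagePage(scripts) {
  return Object.entries(scripts).map(([id, src]) => ({ id, ...triageScript(src) }));
}

// Constructed sample scripts for the example (not captured from any campaign).
const SAMPLES = {
  benign_analytics: `
    var visits = Number(localStorage.getItem("visits") || 0) + 1;
    localStorage.setItem("visits", String(visits));
    document.getElementById("badge").textContent = visits;
  `,
  suspicious_loader: `
    if (!sessionStorage.getItem("_s")) {
      sessionStorage.setItem("_s", "1");
      var mods = { "18.4": "/m/a.js", "18.5": "/m/b.js", "18.6": "/m/c.js" };
      var v = /OS (\\d+)_(\\d+)/.exec(navigator.userAgent);
      var mod = v ? mods[v[1] + "." + v[2]] : null;
      var f = document.createElement("iframe");
      f.style.display = "none";
      f.src = mod ? "/l.html?m=" + encodeURIComponent(mod) : "about:blank";
      document.body.appendChild(f);
    }
  `,
  obfuscated_loader: `
    var w = window;
    if (!w["\\x73ess" + "ionStorage"]["getItem"]("_s")) {
      w["sessionStorage"]["setItem"]("_s", "1");
      var f = document["createElement"]("ifr" + "ame");
      f["style"]["visibility"] = "hidden";
      document.body.appendChild(f);
    }
  `,
};

for (const result of triagePage(SAMPLES)) {
  console.log(JSON.stringify(result));
}
```

Treat the output as a triage queue, not a verdict: the heuristics are deliberately loose, a session-storage gate on its own is ordinary web behaviour, and a loader that ships its modules encrypted, as the article says PARS Defense's did, will only reveal these behaviours once the script is executed in an instrumented iOS-like browser environment rather than read statically.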
Upon successful exploitation, the attackers deployed one of three distinct JavaScript-based payloads designed for extensive data theft.
The GHOSTKNIFE malware, utilized by UNC6748, exfiltrates messages, location history, and browser data.
It also supports audio recording and file downloads, and it actively deletes crash logs to hide its presence on the device.
PARS Defense deployed GHOSTSABER, a highly capable backdoor that communicates via HTTP(S).
It performs detailed device enumeration, file exfiltration, arbitrary SQL query execution, and dynamic JavaScript execution, making it a versatile espionage tool.
The GHOSTBLADE data miner, used by UNC6353, focuses heavily on extracting personal data from iMessage, Telegram, WhatsApp, cryptocurrency wallets, and hidden photos.
While it lacks continuous backdoor functionality, its extensive data collection capabilities pose a severe privacy risk to infected targets.
DarkSword chains six specific vulnerabilities to achieve a full device compromise. The exploit sequence begins with remote code execution in WebKit using memory corruption vulnerabilities in JavaScriptCore (CVE-2025-31277 and the zero-day CVE-2025-43529).
These are combined with a user-mode PAC bypass in dyld (CVE-2026-20700). The attackers then execute multiple sandbox escapes into the GPU and media processes using an ANGLE memory corruption flaw (CVE-2025-14174).
Finally, they achieve kernel privileges by exploiting iOS kernel memory vulnerabilities (CVE-2025-43510 and CVE-2025-43520).

Apple successfully patched all vulnerabilities exploited by the DarkSword chain with the release of iOS 26.3.
Security experts strongly recommend that users update their devices to the latest iOS release immediately.
For individuals at high risk of targeted cyberattacks, enabling Apple’s Lockdown Mode is highly advised.
Lockdown Mode disables just-in-time (JIT) JavaScript compilation and several other web technologies in Safari, removing much of the attack surface that a JavaScript-based exploit chain such as DarkSword depends on for its initial remote code execution.
