Google Threat Intelligence Group (GTIG) has uncovered a highly sophisticated full-chain iOS exploit dubbed “DarkSword,” actively targeting Apple users since November 2025.
The exploit chain leverages multiple zero-day vulnerabilities to fully compromise devices running iOS versions 18.4 through 18.7, marking one of the most advanced mobile attack campaigns observed in recent years.
What makes DarkSword particularly notable is its exclusive reliance on JavaScript across the entire exploit chain.
Unlike traditional exploits that depend on compiled binaries, this approach allows attackers to execute malicious logic entirely within web contexts, significantly reducing detection and increasing flexibility.
According to Google researchers, the exploit has been deployed by multiple threat actors, including state-sponsored espionage groups and commercial surveillance vendors.
Confirmed targets span regions such as Saudi Arabia, Turkey, Malaysia, and Ukraine, with campaigns tailored to specific geopolitical objectives.
Multi-Actor Deployment and Techniques
DarkSword has been adopted by at least three distinct threat clusters, each modifying delivery mechanisms and payload behavior.
The first group, tracked as UNC6748, targeted victims in Saudi Arabia using a deceptive Snapchat-themed phishing domain, “snapshare[.]chat.”
The attack chain incorporated JavaScript obfuscation and session storage validation to avoid reinfecting previously compromised devices.
Upon visiting the malicious page, an invisible iframe triggered remote code execution, deploying a JavaScript-based spyware known as GHOSTKNIFE.
A second campaign has been attributed to PARS Defense, a Turkish commercial surveillance vendor. This group targeted users in Turkey and Malaysia, employing enhanced operational security measures such as strong payload encryption and advanced device fingerprinting.
Their payload, GHOSTSABER, functions as a robust backdoor capable of HTTP(S)-based command-and-control communication, enabling device enumeration, file exfiltration, SQL query execution, and dynamic script execution.
Meanwhile, a suspected Russian-linked group, UNC6353, integrated DarkSword into a watering-hole campaign aimed at Ukrainian websites.
By injecting malicious scripts into legitimate sites, the attackers delivered the GHOSTBLADE data miner. Interestingly, this group limited exploitation to iOS versions 18.4 through 18.6, despite the availability of newer exploit modules.
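As an added defensive example (not code from the GTIG report or from any project named here): a small page-integrity check that inventories the scripts and iframes in a served copy of a site and flags anything absent from a known-good baseline, which covers both the script injection into legitimate sites described above and the invisible-iframe loader used on the Snapchat-themed phishing site. The sample pages and the loader.example.invalid host are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

def is_hidden(attrs):
    """Heuristic: zero-sized, display:none / visibility:hidden, or a bare hidden attribute."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    zero = attrs.get("width") == "0" or attrs.get("height") == "0"
    return "hidden" in attrs or zero or "display:none" in style or "visibility:hidden" in style

class _Collector(HTMLParser):
    """Record each script (by src, or by a hash of its inline body) and each iframe."""
    def __init__(self):
        super().__init__()
        self.items, self._in_script, self._buf = [], False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.items.append(("script-src", a["src"], False))
        elif tag == "script":
            self._in_script, self._buf = True, []
        elif tag == "iframe":
            self.items.append(("iframe", a.get("src", ""), is_hidden(a)))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            digest = hashlib.sha256("".join(self._buf).strip().encode()).hexdigest()[:16]
            self.items.append(("script-inline", digest, False))
            self._in_script = False

def inventory(html):
    p = _Collector()
    p.feed(html)
    return p.items  # (kind, identifier, hidden) tuples in document order

def injected(baseline_html, observed_html):
    """Items present in the served page but absent from the known-good baseline."""
    known = set(inventory(baseline_html))
    return [item for item in inventory(observed_html) if item not in known]

# Constructed sample pages: a known-good baseline and a copy with an injected
# inline loader plus an invisible iframe pointing at a placeholder host.
BASELINE = '<html><head><script src="/static/app.js"></script></head><body>ok</body></html>'
TAMPERED = BASELINE.replace("</body>", '<script>/* injected loader stub */</script>'
    '<iframe src="https://loader.example.invalid/" style="display: none"></iframe></body>')
```

Run `injected(BASELINE, TAMPERED)` against pages fetched from the public edge rather than from the origin server, since an injection may live only in a compromised CDN or proxy layer.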
Post-exploitation, DarkSword deploys one of three specialized payloads designed for large-scale data exfiltration.
GHOSTKNIFE focuses on extracting messages, browser data, and location history, while also enabling audio recording and file retrieval. It actively removes crash logs to evade forensic detection.
GHOSTSABER, in contrast, provides persistent access and extensive surveillance capabilities, making it suitable for long-term intelligence gathering operations.
GHOSTBLADE prioritizes bulk data collection, targeting messaging platforms such as iMessage, WhatsApp, and Telegram, along with cryptocurrency wallets and hidden media files.
Although it lacks persistent control features, its data harvesting scope presents a significant privacy threat.
Vulnerability Chain and Patching
The DarkSword exploit chain combines six vulnerabilities to achieve full device compromise. It begins with remote code execution in WebKit through JavaScriptCore memory corruption flaws (CVE-2025-31277 and CVE-2025-43529).
Attackers then bypass pointer authentication via a dyld vulnerability (CVE-2026-20700), followed by sandbox escapes using an ANGLE memory corruption bug (CVE-2025-14174).
The final stage involves privilege escalation through two iOS kernel vulnerabilities (CVE-2025-43510 and CVE-2025-43520), granting attackers complete control over the device.
Apple has addressed all identified vulnerabilities in iOS 26.3. Security experts strongly advise users to update immediately to mitigate risk.
Additionally, high-risk individuals are encouraged to enable Apple’s Lockdown Mode, which restricts JavaScript execution and other web features commonly abused in such exploit chains.
The discovery of DarkSword underscores a growing trend toward stealthier, browser-based mobile exploitation techniques that blur the line between web and device-level attacks.