DarkSword: The iOS Zero-Day Exploit Chain Now Widely Used by Multiple Threat Groups

A sophisticated piece of malware, likely designed by a government entity, has been targeting iOS devices through a full-chain exploit. Dubbed DarkSword, this threat was uncovered by the Google Threat Intelligence Group (GTIG), which traced its origins to multiple zero-day vulnerabilities. Since at least November 2025, commercial surveillance vendors and suspected state-sponsored actors have been deploying DarkSword in distinct campaigns across several countries.

Discovery and Attribution

GTIG identified DarkSword after analyzing recovered payloads from compromised devices. The exploit chain leverages six different vulnerabilities to gain full control over iPhones running iOS versions 18.4 through 18.7. Based on toolmarks found in the malware, researchers believe DarkSword was engineered by a government-backed entity, although the exact origin remains unconfirmed.

DarkSword: The iOS Zero-Day Exploit Chain Now Widely Used by Multiple Threat Groups — Source: www.schneier.com

Vulnerabilities and Affected iOS Versions

DarkSword exploits a series of zero-day flaws that allow it to bypass iOS security measures. The full-chain attack uses these vulnerabilities in sequence to execute final-stage payloads without user interaction. GTIG has confirmed that the exploit works on iOS 18.4 to 18.7, making a substantial number of devices vulnerable before patches were released.

Malware Families Deployed

Following a successful DarkSword compromise, GTIG observed three distinct malware families being deployed:

GHOSTBLADE – A stealthy backdoor that establishes persistent remote access.
GHOSTKNIFE – A data exfiltration tool designed to steal sensitive information.
GHOSTSABER – A modular implant capable of executing additional commands.

These payloads are tailored to the attacker’s objectives, ranging from espionage to surveillance.

Threat Actors and Campaigns

DarkSword has been deployed in multiple targeted campaigns, with victims identified in Saudi Arabia, Turkey, Malaysia, and Ukraine. The threat actors behind these operations include commercial surveillance vendors and state-sponsored groups. Notably, UNC6353—a suspected Russian espionage group previously linked to the Coruna iOS exploit kit—has now incorporated DarkSword into their watering hole attacks. This pattern of a single exploit chain being used by disparate groups mirrors the earlier spread of Coruna.

Leak and Current Risk

Approximately one week after GTIG’s initial discovery, a version of the DarkSword exploit chain leaked publicly on the internet. This has enabled a broader range of malicious actors to access the tool, increasing the overall threat landscape. However, the information in this article is based on reports that are now a month old. Apple has since released security updates that address the vulnerabilities exploited by DarkSword. As long as users keep their iOS devices updated with the latest patches, the risk of infection is significantly reduced.

Staying Safe

To protect against DarkSword and similar threats, always install the latest iOS updates promptly. Avoid clicking on suspicious links or downloading untrusted apps. For organizations, implementing robust mobile device management and monitoring for unusual network activity can help detect potential compromises.

Tags: