Leaked iOS Exploit Kit on GitHub Puts Mass iPhone Spying Within Easy Reach
A security researcher confirmed the DarkSword iOS exploit kit is now public on GitHub, warning it "will work out of the box" — putting hundreds of millions of unpatched iPhones at risk.

A researcher in Turkey visited a news website on his iPhone last November and had his messages, location history, and cryptocurrency wallet data silently stolen within minutes. He never knew. The tool that did it, an iOS exploit kit called DarkSword, was a closely held weapon at the time. On March 23, someone posted a newer version of it to GitHub for anyone to copy.
Cybersecurity researchers had uncovered DarkSword just the week prior in a targeted hacking campaign against iPhone users. Then a newer version appeared publicly on GitHub, the code-sharing platform used by millions of developers worldwide. The shift from targeted espionage tool to public download represents a sharp escalation in risk for hundreds of millions of people who have not updated their iPhones.
"This is bad. They are way too easy to repurpose," said Matthias Frielingsdorf, co-founder of mobile security startup iVerify. "I don't think that can be contained anymore. So we need to expect criminals and others to start deploying this."
The files uploaded to GitHub are uncomplicated, just HTML and JavaScript, meaning anyone can copy and paste them and host them on a server "in a couple minutes to hours," Frielingsdorf said. "The exploits will work out of the box." Kimberly Samra, a spokesperson for Google, which previously analyzed the DarkSword exploit, said the company's researchers agree with Frielingsdorf's assessment.
The DarkSword delivery framework chains six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. These flaws enable attackers to escape sandboxes, escalate privileges, and gain remote code execution on unpatched iPhones. Apple has patched all of them in the latest iOS releases, so the chain now affects only iPhones still running iOS 18.4 through 18.7.
DarkSword has been active since at least November 2025 and has been adopted by multiple threat actors across espionage, cybercriminal, and commercial surveillance operations. The exploit chain delivers three distinct malware families, GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER, capable of exfiltrating credentials, cryptocurrency wallet and exchange data, iCloud files, location history, SMS messages, and Safari cookies.
UNC6353, a suspected Russian espionage group previously observed using the related Coruna exploit kit, recently incorporated DarkSword into watering hole campaigns. Turkish commercial surveillance vendor PARS Defense also used DarkSword in November 2025 and January 2026 as part of campaigns targeting users in Turkey and Malaysia, deploying GHOSTSABER, a JavaScript backdoor that facilitates device and account enumeration, file listing, and data exfiltration.

Lookout Threat Labs describes the exploit's approach as a "hit-and-run" technique: it rapidly exfiltrates sensitive data, including credentials and cryptocurrency wallets, within minutes and then erases its presence to evade detection. Lookout researchers found that DarkSword exhibits signs of codebase expansion using large language model assistance, particularly visible in multiple code comments that explain functionality. "This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high-level programming language," Lookout said.
The scale of the potential victim pool is staggering. Researchers warned the leak will allow any hacker to easily target iPhone users running older versions of iOS. This likely affects hundreds of millions of actively used iPhones and iPads, according to Apple's own data on out-of-date devices. iVerify estimates that 14.2% of users, approximately 221 million devices, are running iOS versions between 18.4 and 18.6.2 and are therefore believed to be vulnerable.
Apple spokesperson Sarah O'Rourke told reporters that the company was aware of the exploit targeting devices running older and out-of-date operating systems and issued an emergency update on March 11 for devices unable to run recent versions of iOS. "Keeping your software up to date is the single most important thing you can do to maintain the security of your Apple products," O'Rourke said, adding that Lockdown Mode would also block these specific attacks.
CISA added three of the six DarkSword vulnerabilities, CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520, to its catalog of actively exploited security flaws, ordering Federal Civilian Executive Branch agencies to patch.
DarkSword's emergence follows Coruna, a spy-grade iOS exploit kit disclosed just two weeks earlier containing five full iOS exploit chains and a total of 23 exploits. DarkSword chains six vulnerabilities to achieve remote code execution on vulnerable iPhones and deploy its malicious payloads. Researchers noted Coruna was originally developed by defense contractor L3Harris, whose Trenchant division makes hacking tools for the U.S. government and its allies, drawing a direct line from government-grade tooling to code now freely downloadable by anyone with a browser. With the GitHub leak now public and researchers in agreement that containment is no longer possible, the only meaningful protection left is a software update that millions have not yet installed.

