New iOS DarkSword Exploit Chain Targets iPhones Across Four Countries
A zero-click iOS exploit kit called DarkSword silently compromised iPhones across Saudi Arabia, Turkey, Malaysia, and Ukraine using six chained vulnerabilities — three of them zero-days exploited before Apple patched them.

Saudi Arabian iPhone users visiting what appeared to be a Snapchat messaging site in November 2025 had their devices fully compromised in minutes — crypto wallets drained, messages copied, location history exfiltrated — without tapping a single link. The site, snapshare.chat, was a lure operated by a threat group Google tracks as UNC6748, and the weapon was a then-unknown iOS exploit kit that researchers have since named DarkSword.
DarkSword is a full-chain iOS exploit that leverages multiple zero-day vulnerabilities to fully compromise iOS devices. Google's Threat Intelligence Group (GTIG) identified the kit from toolmarks in recovered payloads and has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing it in distinct campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
The exploit chain makes use of six different vulnerabilities to deploy three payloads. Three of the six, CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174, were exploited as zero-days prior to being patched by Apple. The six are: CVE-2025-31277, a memory corruption vulnerability in JavaScriptCore patched in iOS 18.6; CVE-2026-20700, a user-mode Pointer Authentication Code bypass in dyld patched in iOS 26.3; CVE-2025-43529, a JavaScriptCore memory corruption flaw patched in iOS 18.7.3 and 26.2; CVE-2025-14174, a memory corruption vulnerability in ANGLE patched in iOS 18.7.3 and 26.2; CVE-2025-43510, a kernel memory management vulnerability patched in iOS 18.7.2 and 26.1; and CVE-2025-43520, a kernel memory corruption bug also patched in iOS 18.7.2 and 26.1.
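For fleet owners the practical question behind that list is which of the six bugs a given device build is still exposed to. The script below is an added example written for this article, not code from Google, Apple or F5 Labs; it encodes only the fix versions the article states, parses an iOS version string as exported by an MDM inventory, and reports each CVE as patched, exposed, or "no fix listed for this branch" where the article names a fix for only one release line (for example CVE-2026-20700 is listed as fixed in iOS 26.3 only). The one assumption it makes is that a later major release line carries the fixes of an earlier one, so a 26.x device counts as patched for a bug fixed in 18.6; the device names and versions in the inventory are constructed.

```python
"""Per-CVE exposure check for the DarkSword chain, keyed on iOS version.

Added example for the article above; not code from GTIG, Apple or F5 Labs.
The fix versions below are exactly those the article lists. Where the article
names a fix on only one release branch, devices on the other branch are
reported as "no fix listed for this branch" rather than assumed patched.
"""
from __future__ import annotations

import re

# fixed-in version per CVE, keyed by major release branch (from the article)
FIXED_IN: dict[str, dict[int, tuple[int, ...]]] = {
    "CVE-2025-31277": {18: (18, 6)},                  # JavaScriptCore memory corruption
    "CVE-2026-20700": {26: (26, 3)},                  # dyld PAC bypass (zero-day)
    "CVE-2025-43529": {18: (18, 7, 3), 26: (26, 2)},  # JavaScriptCore memory corruption (zero-day)
    "CVE-2025-14174": {18: (18, 7, 3), 26: (26, 2)},  # ANGLE memory corruption (zero-day)
    "CVE-2025-43510": {18: (18, 7, 2), 26: (26, 1)},  # kernel memory management
    "CVE-2025-43520": {18: (18, 7, 2), 26: (26, 1)},  # kernel memory corruption
}

PATCHED, EXPOSED, NO_FIX = "patched", "exposed", "no fix listed for this branch"


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '18.7.1' or 'iOS 26.2' into a zero-padded (major, minor, patch) tuple."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])  # type: ignore[return-value]


def _pad(v: tuple[int, ...]) -> tuple[int, int, int]:
    return tuple(list(v) + [0] * (3 - len(v)))  # type: ignore[return-value]


def cve_status(version: tuple[int, int, int], fixes: dict[int, tuple[int, ...]]) -> str:
    major = version[0]
    if major in fixes:
        return PATCHED if version >= _pad(fixes[major]) else EXPOSED
    # assumption: a later major release line (e.g. 26.x) includes fixes shipped on an
    # earlier line (e.g. 18.6); the article does not state this explicitly
    if any(major > fix_major for fix_major in fixes):
        return PATCHED
    return NO_FIX


def exposure(version_text: str) -> dict[str, str]:
    """Map every DarkSword CVE to patched / exposed / no-fix-listed for one device build."""
    v = parse_version(version_text)
    return {cve: cve_status(v, fixes) for cve, fixes in FIXED_IN.items()}


def unpatched_devices(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {device: [CVEs not confirmed patched]} for every device that is not clean."""
    report: dict[str, list[str]] = {}
    for device, version_text in inventory:
        open_cves = [cve for cve, st in exposure(version_text).items() if st != PATCHED]
        if open_cves:
            report[device] = open_cves
    return report


if __name__ == "__main__":
    # constructed inventory, as an MDM export might provide it
    fleet = [("ipad-01", "iOS 18.7.3"), ("iphone-07", "26.1"), ("iphone-09", "26.3")]
    for device, cves in unpatched_devices(fleet).items():
        print(f"{device}: {', '.join(cves)}")
```

Run against a real inventory export, the report lists exactly the builds that still need to move to 18.7.3 or 26.3; a device that the article's data cannot vouch for (an 18.x build and CVE-2026-20700) is surfaced rather than silently treated as safe.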
The attack chain weaponizes JavaScriptCore JIT vulnerabilities in Safari's renderer process to achieve remote code execution, then escapes the sandbox via the GPU process by exploiting two additional flaws. "DarkSword uses two separate sandbox escape vulnerabilities, first by pivoting out of the WebContent sandbox into the GPU process, and then by pivoting from the GPU process to mediaplaybackd," GTIG explained. In the final stage, a kernel privilege escalation flaw, CVE-2025-43520, is leveraged to obtain arbitrary read/write and arbitrary function call capabilities inside mediaplaybackd, and ultimately execute the injected JavaScript code.
What makes DarkSword particularly dangerous is that the attack is delivered via manipulated websites: the victim simply has to open a compromised webpage in Safari, with no clicking, no download, and no confirmation required. DarkSword wipes temporary files and exits after stealing data from infected devices, indicating it was designed for short-term surveillance operations engineered to evade detection.
Three distinct threat actors have been linked to observed deployments. UNC6748 targeted Saudi Arabian users in November 2025 using a Snapchat-themed website that leveraged the exploit chain to deliver GHOSTKNIFE, a JavaScript backdoor capable of information theft. In late November 2025, GTIG observed activity associated with Turkish commercial surveillance vendor PARS Defense deploying DarkSword in Turkey against iOS 18.4 through 18.7 devices, this time with obfuscation applied to the exploit loader and ECDH and AES encryption used to protect exploits in transit between server and victim. In January 2026, GTIG observed a separate PARS Defense customer deploying the kit against users in Malaysia.
GTIG also observed the suspected Russian espionage actor UNC6353 leveraging DarkSword in a new watering hole campaign targeting Ukrainian users. GTIG first began tracking UNC6353 in summer 2025 as a threat cluster conducting watering hole attacks on Ukrainian websites to deliver the Coruna exploit kit. That new DarkSword activity, active through March 2026 but dating back to at least December 2025, was used to deploy GHOSTBLADE. GTIG notified and collaborated with CERT-UA to mitigate the activity.
Among the compromised Ukrainian sites identified by Lookout was novosti.dn.ua, belonging to the independent news agency News of Donbas, which covers the frontline situation in the Donbas region, and 7aac.gov.ua, the official website of the Seventh Administrative Court of Appeals located in Vinnytsia.
GTIG identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. GHOSTBLADE is a dataminer written in JavaScript that steals a wide range of data including crypto wallet information, system and connectivity details, browser history, photos, location data, communication content from iMessage, Telegram, WhatsApp, email, calls, and contacts. GHOSTKNIFE is a backdoor capable of exfiltrating signed-in accounts, messages, browser data, and location history recordings. GHOSTSABER is a JavaScript backdoor that can enumerate devices and accounts, list files, execute arbitrary JavaScript, and steal data.
Researchers noted a striking lack of operational security in UNC6353's implementation. As GTIG put it: "The complete lack of obfuscation in DarkSword code, the lack of obfuscation in the HTML for the iframes, and the fact that the DarkSword File Receiver is so simply designed and obviously named lead us to believe that UNC6353 may not have access to strong engineering resources or, alternatively, is not concerned with taking appropriate OPSEC measures." Lookout's research further noted that an "analysis of patterns suggests that LLMs were used in the creation of at least some of the implant code."
DarkSword is the second iOS exploit kit, after Coruna, to be discovered within the span of a month. In March 2026, the chain and related exploit kit tooling were leaked publicly, making them available to a wider range of malicious actors.
CISA added three of the six DarkSword vulnerabilities, CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520, to its catalog of actively exploited security flaws, ordering Federal Civilian Executive Branch agencies to secure their devices within two weeks by April 3, as mandated by Binding Operational Directive 22-01.
F5 Labs, which published a detailed bulletin on the threat, recommends that all corporate and BYOD iOS devices be updated immediately to at least iOS 26.3 or a fully patched equivalent. Devices that cannot reach iOS 26.3 should update to at least iOS 18.7.3, with both updates having been released in February 2026. If a device cannot be updated at all, enabling Lockdown Mode can mitigate the risk. F5 Labs also published a network blocklist of domains and IP addresses associated with DarkSword infrastructure: snapshare.chat, sahibndn.io, e5.malaymoil.com, static.cdncounter.net, sqwas.shapelie.com, and the IP addresses 62.72.21.10 and 72.60.98.48, for use in firewalls, DNS filters, and web proxies.
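A blocklist is only useful once it is wired into the places the traffic is actually seen. The script below is an added example for this article, not code published by F5 Labs or Google; it takes the domains and IP addresses named above, scans proxy and DNS resolver log lines for them (matching a listed domain and any host beneath it, and matching the two IPs exactly), and emits dnsmasq `address=/.../` lines that sink the listed domains and their subdomains. The log lines are constructed in the style of a Squid access log and a dnsmasq query log. Note the intentional behaviour on the fifth sample line: because the article lists only e5.malaymoil.com, a lookup of the bare parent domain malaymoil.com does not match, and widening that is a decision for the analyst rather than the script.

```python
"""Match network logs against the DarkSword indicator list from the article.

Added example; not from F5 Labs, Google or any product. The indicator values
are the ones the article quotes; every log line below is constructed.
"""
from __future__ import annotations

import ipaddress
import re

BLOCKED_DOMAINS = frozenset({
    "snapshare.chat", "sahibndn.io", "e5.malaymoil.com",
    "static.cdncounter.net", "sqwas.shapelie.com",
})
BLOCKED_IPS = frozenset({"62.72.21.10", "72.60.98.48"})

# hostname: one or more labels followed by an alphabetic TLD; IPv4: four dotted octets
HOST_RE = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,63})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_hit(host: str) -> str | None:
    """Return the listed domain that `host` equals or sits beneath, else None."""
    h = host.lower().rstrip(".")
    for d in BLOCKED_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_line(line: str) -> list[tuple[str, str, str]]:
    """Findings for one log line as (kind, indicator, observed-value), deduplicated."""
    found: list[tuple[str, str, str]] = []
    for host in HOST_RE.findall(line):
        d = domain_hit(host)
        if d:
            found.append(("domain", d, host.lower().rstrip(".")))
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)  # drop things like 999.1.1.1
        except ValueError:
            continue
        if ip in BLOCKED_IPS:
            found.append(("ip", ip, ip))
    return list(dict.fromkeys(found))


def scan_log(lines: list[str]) -> list[tuple[int, str, str, str]]:
    """Findings across a whole log as (line_number, kind, indicator, observed)."""
    return [(n, *hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


def to_dnsmasq() -> list[str]:
    """dnsmasq sinkhole entries; address=/domain/ also covers every subdomain."""
    return sorted(f"address=/{d}/0.0.0.0" for d in BLOCKED_DOMAINS)


# constructed sample lines: Squid-style access log and dnsmasq query log
SAMPLE_LOG = [
    "1700000000.123 45 192.168.1.20 TCP_MISS/200 5123 GET https://snapshare.chat/ - HIER_DIRECT/62.72.21.10 text/html",
    "Nov 12 10:15:01 gw dnsmasq[412]: query[A] e5.malaymoil.com from 192.168.1.31",
    "Nov 12 10:15:02 gw dnsmasq[412]: query[A] www.example.com from 192.168.1.31",
    "1700000050.500 12 192.168.1.40 TCP_TUNNEL/200 812 CONNECT cdn.static.cdncounter.net:443 - HIER_DIRECT/72.60.98.48 -",
    "Nov 12 10:16:00 gw dnsmasq[412]: query[A] malaymoil.com from 192.168.1.31",
    "Nov 12 10:16:05 gw dnsmasq[412]: query[AAAA] SQWAS.SHAPELIE.COM. from 192.168.1.52",
]

if __name__ == "__main__":
    for n, kind, indicator, observed in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {indicator} (seen as {observed})")
    print("\n".join(to_dnsmasq()))
```

The two IP addresses are deliberately left out of the dnsmasq output; they belong in the firewall or proxy deny list, where a connection to the address rather than a name lookup is what gets blocked.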
The discovery of DarkSword as a second iOS exploit chain in the hands of at least partially financially motivated threat actors reveals what Lookout called "a worrying trend": the apparent existence of a secondary market for technically sophisticated exploit chains in which sellers are willing to supply buyers with little or no concern for how the tools will be used.