Google Discovers DarkSword iOS Exploit Chain Used by Multiple State-Sponsored and Commercial Threat Actors

Summary

Google's Threat Intelligence Group (GTIG) has identified DarkSword, a sophisticated iOS full-chain exploit leveraging six zero-day vulnerabilities to fully compromise devices running iOS 18.4 through 18.7. Since November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors, including the Russian espionage group UNC6353, deploying DarkSword in distinct campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain deploys three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

Google reported all vulnerabilities to Apple in late 2025, with patches released in iOS 26.3 and earlier versions. The proliferation of DarkSword mirrors the previously discovered Coruna iOS exploit kit, demonstrating a troubling trend of shared exploit infrastructure among diverse threat actors. GTIG has added delivery domains to Safe Browsing and strongly recommends users update to the latest iOS version, with Lockdown Mode recommended for those unable to update immediately.

• The widespread adoption of DarkSword mirrors the Coruna exploit kit pattern, indicating a concerning trend of shared exploit infrastructure among disparate threat actors

Editorial Opinion

The discovery of DarkSword represents a critical threat to iOS security and highlights the ongoing sophistication of state-sponsored and commercial surveillance operations targeting high-risk individuals globally. The rapid adoption of this exploit chain across multiple threat actors underscores the need for immediate patching and raises important questions about zero-day vulnerability supply chains. This case reinforces that even well-resourced tech companies face significant challenges in maintaining security against determined, well-funded adversaries.