BotBeat
...
← Back

> ▌

Google / AlphabetGoogle / Alphabet
RESEARCHGoogle / Alphabet2026-03-19

Google Discovers DarkSword iOS Exploit Chain Used by Multiple State-Sponsored and Commercial Threat Actors

Key Takeaways

  • ▸DarkSword is a full-chain iOS exploit utilizing six zero-day vulnerabilities affecting iOS 18.4-18.7, deployed by multiple state-sponsored and commercial surveillance vendors
  • ▸At least four distinct threat actors including Russian espionage group UNC6353 have adopted DarkSword for campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine
  • ▸All vulnerabilities have been patched by Apple in iOS 26.3; users should update immediately or enable Lockdown Mode as a protective measure
Source:
Hacker Newshttps://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain↗

Summary

Google's Threat Intelligence Group (GTIG) has identified DarkSword, a sophisticated iOS full-chain exploit leveraging six zero-day vulnerabilities to fully compromise devices running iOS 18.4 through 18.7. Since November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors, including the Russian espionage group UNC6353, deploying DarkSword in distinct campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain deploys three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

Google reported all vulnerabilities to Apple in late 2025, with patches released in iOS 26.3 and earlier versions. The proliferation of DarkSword mirrors the previously discovered Coruna iOS exploit kit, demonstrating a troubling trend of shared exploit infrastructure among diverse threat actors. GTIG has added delivery domains to Safe Browsing and strongly recommends users update to the latest iOS version, with Lockdown Mode recommended for those unable to update immediately.

  • The widespread adoption of DarkSword mirrors the Coruna exploit kit pattern, indicating a concerning trend of shared exploit infrastructure among disparate threat actors

Editorial Opinion

The discovery of DarkSword represents a critical threat to iOS security and highlights the ongoing sophistication of state-sponsored and commercial surveillance operations targeting high-risk individuals globally. The rapid adoption of this exploit chain across multiple threat actors underscores the need for immediate patching and raises important questions about zero-day vulnerability supply chains. This case reinforces that even well-resourced tech companies face significant challenges in maintaining security against determined, well-funded adversaries.

CybersecurityRegulation & PolicyAI Safety & Alignment

More from Google / Alphabet

Google / AlphabetGoogle / Alphabet
RESEARCH

Stanford Researchers Use Multi-Agent AI and Reinforcement Learning to Improve HIP Kernel Generation for AMD GPUs

2026-07-04
Google / AlphabetGoogle / Alphabet
PRODUCT LAUNCH

Google Research Launches TabFM, A Zero-Shot Foundation Model for Tabular Data

2026-07-04
Google / AlphabetGoogle / Alphabet
POLICY & REGULATION

Google Loses Appeal Against Record €4.1B EU Antitrust Fine

2026-07-03

Comments

Suggested

LLM Agent EcosystemLLM Agent Ecosystem
RESEARCH

Researchers Expose Critical Payload-Less Attack on LLM Agent Supply Chains

2026-07-04
OpenAIOpenAI
INDUSTRY REPORT

Investigation Uncovers AI-Generated Deepfakes in Lily Jay Foundation Charity Fraud

2026-07-04
AppleApple
RESEARCH

Researchers Discover Six Vulnerabilities in Apple AirDrop and Google/Samsung Quick Share Protocols

2026-07-04
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us