BotBeat

Google / Alphabet
RESEARCH | 2026-03-18

Google Discovers DarkSword: Proliferating iOS Exploit Chain Used by Multiple State-Sponsored and Commercial Threat Actors

Key Takeaways

  • DarkSword is a sophisticated full-chain iOS exploit leveraging six zero-day vulnerabilities, supporting iOS 18.4-18.7, and capable of deploying multiple malware families for complete device compromise
  • Multiple distinct threat actors—including commercial surveillance vendors and suspected state-sponsored groups like UNC6353 and UNC6748—have adopted DarkSword since November 2025 for campaigns targeting victims in Saudi Arabia, Turkey, Malaysia, and Ukraine
  • All vulnerabilities have been patched in iOS 26.3; Google urges immediate device updates or activation of Lockdown Mode, and has added malicious domains to Safe Browsing protection
Source: Hacker News, https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain

Summary

Google Threat Intelligence Group (GTIG) has identified DarkSword, a sophisticated iOS full-chain exploit leveraging six zero-day vulnerabilities to achieve complete device compromise. Since November 2025, the exploit chain has been adopted by multiple threat actors including suspected state-sponsored groups and commercial surveillance vendors, with campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. DarkSword supports iOS versions 18.4 through 18.7 and deploys three distinct malware families—GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER—following successful compromises.

The proliferation of DarkSword mirrors the previously discovered Coruna iOS exploit kit, with notable threat actors like UNC6353 (a suspected Russian espionage group) incorporating the new exploit chain into their operations. UNC6748 has been observed using DarkSword in watering hole campaigns featuring Snapchat-themed websites to target Saudi Arabian users, while additional threat actors have deployed it across other regions. Google reported all vulnerabilities to Apple in late 2025, with patches released in iOS 26.3, though most vulnerabilities were patched earlier. The company has added DarkSword delivery domains to Safe Browsing and recommends users update to the latest iOS version or enable Lockdown Mode for enhanced protection.

Editorial Opinion

The discovery of DarkSword underscores the persistent sophistication of iOS exploits and the concerning trend of exploit chain sharing among disparate threat actors. This proliferation pattern—similar to the Coruna kit—suggests that once vulnerabilities are developed, they rapidly become commoditized tools across the threat landscape. Google's rapid disclosure and coordination with industry partners demonstrates effective security research practices, though the targeting of multiple geopolitical regions highlights how critical mobile device security remains for vulnerable populations.

Cybersecurity, Regulation & Policy, AI Safety & Alignment, Privacy & Data
