Google Reveals DarkSword iOS Exploit Chain Used by Multiple State-Sponsored and Commercial Threat Actors
Key Takeaways
- DarkSword exploit chain uses six zero-day vulnerabilities to fully compromise iOS devices running versions 18.4 through 18.7, supporting deployment of three distinct malware families
- Multiple threat actors, including suspected state-sponsored groups and commercial surveillance vendors, have adopted DarkSword since November 2025, with confirmed campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine
- Google has coordinated with Apple for patching (iOS 26.3) and with industry partners Lookout and iVerify; users are urged to update immediately or enable Lockdown Mode as interim protection
Summary
Google Threat Intelligence Group (GTIG) has identified a sophisticated iOS full-chain exploit called DarkSword that leverages six zero-day vulnerabilities to fully compromise Apple devices running iOS 18.4 through 18.7. Since November 2025, the exploit has been adopted by multiple threat actors, including suspected state-sponsored groups and commercial surveillance vendors, targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The pattern mirrors the earlier proliferation of the Coruna iOS exploit kit. Three distinct malware families, GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER, are deployed post-compromise.
Google coordinated disclosure with Apple, and all six vulnerabilities were patched in the iOS 26.3 release. The research, published in collaboration with Lookout and iVerify, documents multiple campaigns, including one by UNC6748 that used a Snapchat-themed phishing website, and involvement by UNC6353, a suspected Russian espionage group. Google has added the delivery domains to Safe Browsing and strongly recommends that users update to the latest iOS version or enable Lockdown Mode for additional protection.
The exploit's spread across unrelated threat actors shows how available, and how commoditized, sophisticated iOS compromise capabilities have become.
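The affected range (iOS 18.4 through 18.7) and the fixed release (iOS 26.3) are the two facts a fleet administrator needs to turn this advisory into a device list. The script below is an added example, not Google's, Apple's, or any MDM vendor's code: it parses a constructed inventory export, compares versions numerically rather than as strings (a plain string comparison would sort "18.10" before "18.7"), and reports which devices are exposed, which are exposed but have Lockdown Mode on, and which are already on 26.3. The inventory format, the device identifiers, and the treatment of 18.7.x patch releases as in-range are assumptions made here; the advisory itself only names 18.4 through 18.7.

```python
"""Fleet triage for the DarkSword advisory (added example, not from the advisory).

Assumptions (not stated by the page): the CSV layout below is invented, and
any 18.7.x patch release is treated as inside the affected 18.4-18.7 range.
"""
import csv
import io
import re
from dataclasses import dataclass

AFFECTED_MIN = (18, 4)   # inclusive, compared on (major, minor) only
AFFECTED_MAX = (18, 7)
FIXED = (26, 3)          # release the advisory names as carrying the patches

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '18.7.1' into (18, 7, 1) so comparisons are numeric.

    Missing components default to 0, so '18.7' becomes (18, 7, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iOS version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


@dataclass
class Device:
    udid: str
    os_version: str
    lockdown_mode: bool


def classify(device: Device) -> str:
    """Return one of: patched, exposed, exposed-lockdown, outside-advisory-range."""
    v = parse_version(device.os_version)
    if v >= FIXED:
        return "patched"
    if AFFECTED_MIN <= v[:2] <= AFFECTED_MAX:
        # Lockdown Mode is the interim mitigation the advisory recommends;
        # it lowers priority but does not remove the device from the list.
        return "exposed-lockdown" if device.lockdown_mode else "exposed"
    # Versions the advisory does not name (below 18.4, or between 18.7 and
    # 26.3). Not asserted safe here; they are simply outside the stated range.
    return "outside-advisory-range"


def triage(inventory_csv: str) -> dict:
    """Group device UDIDs by classification from a CSV export."""
    report: dict = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        dev = Device(
            udid=row["udid"],
            os_version=row["os_version"],
            lockdown_mode=row["lockdown_mode"].strip().lower() == "true",
        )
        report.setdefault(classify(dev), []).append(dev.udid)
    return report


# Constructed sample inventory; UDIDs and versions are illustrative only.
INVENTORY = """\
udid,os_version,lockdown_mode
A1,18.4,false
A2,18.7.1,true
A3,26.3,false
A4,17.6.1,false
A5,26.2,false
"""

if __name__ == "__main__":
    for status, udids in sorted(triage(INVENTORY).items()):
        print(f"{status:24s} {', '.join(udids)}")
```

Devices in the `exposed` bucket are the ones to push iOS 26.3 to first; `exposed-lockdown` devices still need the update, Lockdown Mode only narrows the attack surface in the meantime.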
Editorial Opinion
The DarkSword discovery underscores both the depth of exploitable attack surface that remains in iOS and the accelerating commoditization of full exploit chains. That multiple unrelated threat actors, from state sponsors to commercial surveillance vendors, rapidly adopted a single toolkit suggests either a leak from its original developer or deliberate distribution, and either possibility should alarm Apple and the broader security community. While Google's coordinated disclosure and Apple's patching response are commendable, the six-month window from the first observed use in November 2025 to full mitigation is a significant gap during which a large population of users remained at risk.