Google Threat Intelligence Exposes DarkSword iOS Exploit Chain Used by Multiple Threat Actors Globally
Key Takeaways
- DarkSword is a full-chain iOS exploit using six zero-day vulnerabilities affecting iOS 18.4-18.7, deployed by multiple threat actors including suspected state-sponsored groups
- The exploit chain has been used in targeted campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025
- Google coordinated with Apple to patch the vulnerabilities in iOS 26.3 and has added delivery domains to Safe Browsing; users are strongly urged to update or enable Lockdown Mode
Summary
Google Threat Intelligence Group (GTIG) has discovered DarkSword, a sophisticated iOS full-chain exploit leveraging six zero-day vulnerabilities, which has been actively used by multiple commercial surveillance vendors and state-sponsored actors since November 2025. The exploit chain affects iOS versions 18.4 through 18.7 and has been observed targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. Upon successful compromise, DarkSword deploys one of three malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.
The proliferation of DarkSword mirrors the earlier discovery of the Coruna iOS exploit kit; notably, UNC6353, a suspected Russian espionage group previously linked to Coruna, is now incorporating DarkSword into its watering hole campaigns. GTIG identified at least one campaign by threat cluster UNC6748 that used a Snapchat-themed website to distribute the exploit to Saudi Arabian targets, complete with anti-debugging measures and Chrome-to-Safari redirection techniques.
Google reported all identified vulnerabilities to Apple in late 2025, with patches released in iOS 26.3 and earlier versions. The company has added malicious domains to Safe Browsing and urges users to update immediately, or enable Lockdown Mode if updates are not feasible. The research was published in coordination with industry partners Lookout and iVerify.
Editorial Opinion
The discovery of DarkSword underscores the ongoing sophistication of iOS-targeted attack infrastructure and the persistent threat posed by the commercialization of exploit chains across disparate threat actors. The rapid adoption of a single exploit kit by multiple surveillance vendors and state-sponsored groups demonstrates both the technical quality of the vulnerability chain and the concerning ecosystem that enables its distribution. While Apple's swift patching response is commendable, the six-month window of active exploitation highlights the importance of maintaining aggressive security postures and the limitations of patching as the sole defense mechanism.