BotBeat

Google / Alphabet | RESEARCH | 2026-03-20

Google Threat Intelligence Exposes DarkSword iOS Exploit Chain Used by Multiple Threat Actors Globally

Key Takeaways

  • DarkSword is a full-chain iOS exploit using six zero-day vulnerabilities affecting iOS 18.4-18.7, deployed by multiple threat actors including suspected state-sponsored groups
  • The exploit chain has been used in targeted campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025
  • Google coordinated with Apple to patch vulnerabilities in iOS 26.3, and has added delivery domains to Safe Browsing; users are strongly urged to update or enable Lockdown Mode

Source: Hacker News, https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain

Summary

Google Threat Intelligence Group (GTIG) has discovered DarkSword, a sophisticated iOS full-chain exploit leveraging six zero-day vulnerabilities that has been actively used by multiple commercial surveillance vendors and state-sponsored actors since November 2025. The exploit chain affects iOS versions 18.4 through 18.7 and has been observed targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. Upon successful compromise, DarkSword deploys one of three malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

The proliferation of DarkSword mirrors the earlier discovery of the Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously linked to Coruna, is now incorporating DarkSword into its watering hole campaigns. GTIG identified at least one campaign by threat cluster UNC6748 that used a Snapchat-themed website to distribute the exploit to Saudi Arabian targets, complete with anti-debugging measures and Chrome-to-Safari redirection techniques.

Google reported all identified vulnerabilities to Apple in late 2025, with patches released in iOS 26.3 and earlier versions. The company has added malicious domains to Safe Browsing and urges users to update immediately, or enable Lockdown Mode if updates are not feasible. The research was published in coordination with industry partners Lookout and iVerify.

Editorial Opinion

The discovery of DarkSword underscores the ongoing sophistication of iOS-targeted attack infrastructure and the persistent threat posed by the commercialization of exploit chains across disparate threat actors. The rapid adoption of a single exploit kit by multiple surveillance vendors and state-sponsored groups demonstrates both the technical quality of the vulnerability chain and the concerning ecosystem that enables its distribution. While Apple's swift patching response is commendable, the six-month window of active exploitation highlights the importance of maintaining aggressive security postures and the limitations of patching as the sole defense mechanism.
