Quick Facts
- Category: Cybersecurity
- Published: 2026-05-03 19:01:24
In late 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated full-chain iOS exploit, dubbed DarkSword, that used six zero-day vulnerabilities to fully compromise devices running iOS 18.4 through 18.7. The exploit chain has been adopted by multiple commercial surveillance vendors and suspected state-sponsored actors, targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. Below, we answer key questions about DarkSword's discovery, operation, and mitigation.
What is the DarkSword exploit chain and how does it work?
DarkSword is a full-chain iOS exploit that leverages six zero-day vulnerabilities to achieve remote compromise of target devices without user interaction. It supports iOS versions 18.4 through 18.7 and deploys final-stage malware payloads. GTIG identified three distinct malware families delivered after successful exploitation: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The exploit chain is delivered through various vectors, including malicious websites and watering hole attacks. Researchers discovered DarkSword through toolmarks in recovered payloads. The vulnerabilities were responsibly disclosed to Apple, which patched them in iOS 26.3 (most were fixed earlier).

Which iOS versions and vulnerabilities does DarkSword exploit?
DarkSword targets iOS versions 18.4 through 18.7, using six distinct zero-day vulnerabilities that together form a full exploit chain. The exact CVE identifiers were not disclosed in the original report, but Google Threat Intelligence Group reported them to Apple in late 2025. All six vulnerabilities were patched with the release of iOS 26.3, though many received earlier fixes. The exploit chain is designed to bypass multiple layers of iOS security, including the kernel, WebKit, and other system components. Users running iOS 18.4 to 18.7 who have not updated to iOS 26.3 or later remain at risk.
Who is using DarkSword and what are their targets?
Multiple threat actors have adopted DarkSword since November 2025. These include UNC6748, a threat cluster that used a Snapchat-themed website (snapshare[.]chat) to target Saudi Arabian users. Another group, UNC6353, a suspected Russian espionage team previously linked to the Coruna iOS exploit kit, has incorporated DarkSword into its watering hole campaigns. Additional targets have been observed in Turkey, Malaysia, and Ukraine. GTIG assesses that other commercial surveillance vendors and state-sponsored actors may also be using DarkSword, though not all have been publicly identified.
What malware families are deployed after a DarkSword compromise?
Three distinct malware families have been linked to DarkSword compromises: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. GHOSTBLADE is typically used for initial access and persistence, GHOSTKNIFE for data exfiltration and surveillance, and GHOSTSABER for advanced persistence and anti-forensics. Each family is modular and can be updated by the threat actors. The payloads are delivered after the exploit chain successfully compromises the device, allowing attackers to remotely control the target's iOS device.

How does DarkSword compare to the earlier Coruna iOS exploit kit?
The proliferation of DarkSword across disparate threat actors mirrors the earlier distribution of the Coruna iOS exploit kit. Both are full-chain exploit tools that were adopted by multiple commercial surveillance vendors and state-sponsored groups. Notably, UNC6353 — a suspected Russian espionage group previously associated with Coruna — has now integrated DarkSword into its watering hole campaigns. This suggests that DarkSword may be a more advanced or readily available exploit chain that has replaced Coruna in some operations. However, DarkSword targets a different range of iOS versions (18.4–18.7) and uses a distinct set of six vulnerabilities.
What was the discovery timeline and patch status for DarkSword vulnerabilities?
Google Threat Intelligence Group first observed DarkSword activity in November 2025, when UNC6748 began targeting Saudi Arabian users. GTIG reported the six vulnerabilities to Apple in late 2025. Apple released iOS 26.3, patching all six; most were patched even earlier in interim updates. The timeline shows that exploitation and disclosure happened relatively quickly. GTIG also added domains involved in DarkSword delivery to Safe Browsing. The research was published in coordination with Lookout and iVerify.
What steps should iOS users take to protect against DarkSword and similar threats?
iOS users should update to the latest version of iOS (26.3 or later) to ensure all DarkSword vulnerabilities are patched. For devices that cannot update, enabling Lockdown Mode provides an extra layer of security against such sophisticated exploit chains. Additionally, users should avoid clicking on suspicious links or visiting untrusted websites, especially those mimicking popular services like Snapchat. Organizations should monitor for watering hole attacks and use endpoint detection tools. Google has added malicious domains to Safe Browsing, so using Chrome or other browsers with Safe Browsing can help block delivery attempts.
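A fleet-triage check built from the version facts stated above (18.4 through 18.7 exploited, all six fixes in 26.3), as an added example that is not part of the original article or of GTIG's tooling; the inventory format, device ids and builds are constructed, and builds between 18.7 and 26.3 are deliberately reported as unknown because the article does not say which interim updates fixed which bug:

```python
# Version facts taken from the article; everything else here is constructed.
AFFECTED_MIN = (18, 4)   # first exploited iOS version named in the report
AFFECTED_MAX = (18, 7)   # last exploited iOS version named in the report
PATCHED_FROM = (26, 3)   # release carrying fixes for all six vulnerabilities


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '18.7.2' into (18, 7, 2) so comparison is numeric, not lexical
    (a string compare would rank '18.10' below '18.4')."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one iOS version."""
    major_minor = parse_version(version)[:2]
    if AFFECTED_MIN <= major_minor <= AFFECTED_MAX:
        return "vulnerable"   # inside the range DarkSword is known to exploit
    if major_minor >= PATCHED_FROM:
        return "patched"      # 26.3 or later carries all six fixes
    # Outside 18.4-18.7 but below 26.3: the article says some fixes shipped
    # in interim updates but not which, so do not treat these as safe.
    return "unknown"


def triage(inventory: str) -> dict[str, list[str]]:
    """Group device ids from a 'device_id,ios_version' export by status."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # skip blanks and the header comment
        device_id, version = (f.strip() for f in line.split(",", 1))
        groups[classify(version)].append(device_id)
    return groups


# Constructed sample export; the device ids and builds are made up.
SAMPLE_INVENTORY = """\
# device_id,ios_version
ipad-001,18.4
iphone-002,18.7.2
iphone-003,18.10
iphone-004,19.1
iphone-005,26.3
iphone-006,26.4.1
"""

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(ids) or '-'}")
```

Devices in the "vulnerable" group should be updated first; the "unknown" group still needs a per-build check against Apple's release notes before it is considered covered.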