DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike
A sophisticated iOS exploit chain leverages multiple zero-day vulnerabilities and is targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine.
Alexander Culafi, Senior News Writer, Dark Reading
March 18, 2026
A new iOS exploit chain is being used by attackers around the globe, and it's built for espionage actors and financially motivated attackers alike.
Google, iVerify, and Lookout this week published research concerning "DarkSword," an exploit chain targeting iPhones running iOS versions 18.4 through 18.7. Google's Threat Intelligence Group (GTIG) referred to it in a blog post as a "full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices." The chain has been used by multiple commercial surveillance vendors and suspected state-sponsored threat actors to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
GTIG said the exploit chain utilizes several vulnerabilities and, depending on the attack, three distinct malware families it tracks as Ghostblade, Ghostknife, and Ghostsaber. The disclosure comes two weeks after that of a similar attack, dubbed "Coruna," in which a financially motivated criminal group leveraged tools developed by a spyware vendor to mass-target iOS devices.
The vulnerabilities include JavaScriptCore memory corruption flaws CVE-2025-31277 and CVE-2025-43529, dyld user-mode pointer authentication code bypass CVE-2026-20700, ANGLE memory corruption flaw CVE-2025-14174, iOS kernel memory management flaw CVE-2025-43510, and iOS kernel memory corruption bug CVE-2025-43520. At different stages, these vulnerabilities enable remote code execution (RCE), sandbox escape, and privilege escalation leading to payload delivery.
In a DarkSword attack, a vulnerable iPhone user visits a malicious website and, in one click, executes the complete chain to fully compromise a device, gain kernel privileges, and exfiltrate sensitive data from the victim's phone. It collects data quickly (within seconds to minutes) before removing itself from the target device.
What's most unusual about DarkSword (and its predecessor two weeks ago) is that it isn't just for espionage actors. Lookout's blog post highlighted the fact that DarkSword's data theft capabilities also target cryptocurrency wallets. "This dual-use approach is an important insight into the threat actor's motives and indicates that they (or possibly a previous user of DarkSword who then passed it on to them) are operating with a motive of monetary gain," the post read.
Pete Luban, field chief information security officer (CISO) at AttackIQ, tells Dark Reading that there is some precedent for this on the surface; once a sophisticated chain gets exposed somehow, it can be repurposed by those looking to get a payout. The more unusual part, Luban says, is that these dual-use cases are formally integrated into the process.
"Defenders need to treat mobile zero-days like enterprise-grade intrusion paths, which includes validating controls continuously and not assuming an intrusion will stay inside the box it's labeled with," he says. "'Financial' and 'espionage' are convenient categories, but the same access and tooling can enable both outcomes in the same campaign."
Multiple Sophisticated (and Less Sophisticated) Attackers
Google covered one campaign from November 2025, where Saudi Arabian users were targeted by a phony website promising secure Snapchat messaging. Also in November, GTIG observed the DarkSword chain being used in Turkey, with activity being connected to Turkish surveillance vendor PARS Defense. Another PARS Defense customer used DarkSword against Malaysian users in January.
One of the most interesting threat actors utilizing DarkSword is UNC6353, a suspected Russian espionage group that previously also used the similar Coruna exploit. This group launched watering hole attacks against Ukrainian users. Lookout's research noted that, despite the group being an espionage actor, no attempts were made to obfuscate the exploit chain or implant code, and that an "analysis of patterns suggests that LLMs were used in the creation of at least some of the implant code."
This could suggest limited sophistication on the part of this actor despite the probability of substantial funding or, as Lookout pointed out in its blog, "this code may have been added prior to the threat actor's acquisition of the tooling." And indeed, iVerify's blog post notes that in the case of Coruna and DarkSword, the tools were discovered due to significant operational security (OPSEC) failures and carelessness in deploying iOS offensive capabilities.
"These recent events prompt several key questions: How big and well equipped is the market for iOS zero-day and n-day exploits for iOS devices? How accessible are such powerful capabilities to financially motivated actors?" iVerify's post read.
Rocky Cole, iVerify's co-founder and chief operating officer (COO), says this poor level of OPSEC is "unprecedented in the 2020s."
"Sometimes you see nation-states use poor OPSEC when they are using low-value tools because they don't want to burn the fancy, highly secretive [command and control]," he says. "And OPSEC slows you down. So sometimes when they want to move quickly, they'll use lower value tools with lower levels of OPSEC. That could be what's happening here given these were largely n-days. And these observations aren't necessarily specific to the mobile spyware world, just in general."
A Challenging Outlook for the Future of iOS Exploit Chains
Although all vulnerabilities have been addressed by software updates — iPhone users should update to iOS 18.7.6 or iOS 26.3.1 — iVerify estimated that more than 200 million users may still be vulnerable. Users may also want to consider whether Lockdown Mode could be right for them.
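One way a defender can act on the version guidance above is to triage a device inventory (for example, an MDM export) against the builds the article names. The script below is an added example, not code from Google, iVerify, Lookout or Apple; it assumes a list of `{"id", "ios"}` records, takes the boundaries 18.4, 18.7.6 and 26.3.1 from the article, and how it combines those into buckets is its own reading of the text.

```python
"""Triage an iOS device inventory against the DarkSword patch levels named above.

Added example, not vendor code. Version boundaries come from the article:
the chain targeted iOS 18.4 through 18.7, and the fixed builds are iOS 18.7.6
and iOS 26.3.1. Mapping those statements onto buckets is this script's own
assumption; devices older than 18.4 are flagged separately because the
article says nothing about them.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_ios_version(text: str) -> Version:
    """Turn '18.7' or '18.7.6' into a 3-part tuple so that 18.7 < 18.7.6 compares correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


AFFECTED_LOW = parse_ios_version("18.4")   # first version the chain targeted
FIX_18 = parse_ios_version("18.7.6")       # patched build on the 18.x line
FIRST_26 = parse_ios_version("26.0")       # start of the 26.x line
FIX_26 = parse_ios_version("26.3.1")       # patched build on the 26.x line


def classify(version: str) -> str:
    """Bucket one iOS version string relative to the article's stated ranges."""
    v = parse_ios_version(version)
    if v >= FIX_26:
        return "patched"
    if v >= FIRST_26:
        return "below_patch_level"        # 26.x but older than 26.3.1
    if v >= FIX_18:
        return "patched"
    if v >= AFFECTED_LOW:
        return "in_exploited_range"       # 18.4 .. 18.7.x before 18.7.6
    return "older_than_stated_range"      # < 18.4: not covered by the article


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group device IDs by bucket; each record is {'id': ..., 'ios': ...}."""
    buckets: Dict[str, List[str]] = {}
    for dev in inventory:
        buckets.setdefault(classify(dev["ios"]), []).append(dev["id"])
    return buckets


# Constructed sample inventory for demonstration; not real devices.
SAMPLE_INVENTORY = [
    {"id": "dev-001", "ios": "18.7"},
    {"id": "dev-002", "ios": "18.7.6"},
    {"id": "dev-003", "ios": "18.3.2"},
    {"id": "dev-004", "ios": "26.2"},
    {"id": "dev-005", "ios": "26.3.1"},
    {"id": "dev-006", "ios": "18.6.2"},
]

if __name__ == "__main__":
    for bucket, ids in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{bucket:24s} {', '.join(ids)}")
```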
Matthias Frielingsdorf, co-founder and VP of research at iVerify, tells Dark Reading that DarkSword shows that even with automatic updates and the like, a large number of iOS users remain vulnerable.
"Many people are still not adhering to security hygiene best practices, including keeping devices updated with the latest OS," he says. "The share of users running legacy is large enough for threat actors to target and support a thriving secondary market for n-day exploits. We predicted this exact scenario for some time and unfortunately, it's coming to pass."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.