Saturday, April 4, 2026

DarkSword iOS Exploit Kit Leverages 6 Flaws Including 3 Zero-Days to Steal Data from iPhones in 4 Countries

A newly discovered exploit kit called DarkSword is targeting iPhones running iOS 18.4–18.7 across Saudi Arabia, Turkey, Malaysia, and Ukraine, using 6 vulnerabilities—including 3 zero-days—to execute full device takeovers and steal sensitive data within minutes.

Technology | By Lauren Schafer | March 19, 2026 | 7 min read

Last updated: April 1, 2026, 8:30 AM


A sophisticated new iOS exploit kit, codenamed DarkSword, has been actively deployed against Apple iPhones in at least four countries since November 2025, enabling threat actors to execute rapid, near-silent data theft from devices running iOS versions between 18.4 and 18.7. Analyzed by Google’s Threat Intelligence Group (GTIG), iVerify, and mobile security firm Lookout, DarkSword represents the second major iOS exploit kit discovered within a month—following the emergence of the Coruna exploit chain—and underscores a troubling trend: the commercialization of high-grade iOS vulnerabilities that can be weaponized by state-backed groups, mercenary hackers, and financially motivated cybercriminals alike.

What Is DarkSword? A Complete iOS Exploit Chain with Rapid Data Theft Capabilities

DarkSword is a full-chain exploit kit that delivers a JavaScript-based infostealer, tracked as GHOSTBLADE, which executes a ‘hit-and-run’ attack on targeted iPhones. Once triggered by a malicious iframe embedded in a compromised website, the chain escapes Safari’s WebContent sandbox, abuses WebGPU to pivot into system-level processes, and escalates privileges until it can read and exfiltrate sensitive data, including emails, messages, location history, cryptocurrency wallet data, and credentials, within minutes. Unlike persistent spyware such as Pegasus, DarkSword is built for speed and a minimal footprint: after collecting data it cleans up its traces and exits the device, reducing both detection risk and operational exposure.

How DarkSword Works: The Technical Exploit Chain and Delivery Mechanism

The attack begins when a user visits a compromised website, often a legitimate site into which a malicious iframe has been injected, via Apple’s Safari browser. The embedded JavaScript fingerprints the device to confirm it is running a vulnerable iOS version (18.4–18.7) before triggering a multi-stage exploit chain that abuses six vulnerabilities in sequence, three of which were exploited in the wild before Apple had shipped a fix. According to GTIG, the sequence follows a precise order: a JavaScriptCore vulnerability (CVE-2025-31277 or CVE-2025-43529, depending on the target build) gives remote code execution (RCE) inside the WebContent process, which is then chained with a user-mode Pointer Authentication Code (PAC) bypass in dyld (CVE-2026-20700) to escape the browser sandbox.

From there, the chain escapes into the GPU process through the ANGLE memory-corruption bug (CVE-2025-14174), then moves into the mediaplaybackd daemon, the system service that handles media playback, and from that position uses two kernel memory-management vulnerabilities (CVE-2025-43510 and CVE-2025-43520) to obtain kernel read/write. With kernel read/write in hand, the JavaScript payload enumerates files, extracts application data, and exfiltrates the stolen information over HTTPS to an external command-and-control server. The entire process, from initial infection to data exfiltration, typically completes in under two minutes, requires no user interaction beyond loading the page, and leaves few forensic traces.
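The delivery step above, a hidden iframe injected into an otherwise legitimate page, is also the part of the chain a site owner can check for without any iOS tooling. The script below is an added example and is not code from the article, GTIG, or any of the named researchers; the hostnames and the sample page are constructed placeholders, not indicators from the campaigns. It parses a page with Python's standard-library HTML parser and reports iframes that point off-origin to a host outside an allowlist of known embeds, that are hidden by inline style, or that are sized to 1x1 or smaller.

```python
"""Flag iframes that look like a watering-hole injection in a page's HTML.

Heuristics: an iframe whose src points off-origin to a host not on the site's
embed allowlist, or that is hidden (display:none / visibility:hidden) or sized
to 1x1 or smaller, is worth a manual look.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser lower-cases attribute names; bare attributes have value None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(value):
    """True for width/height values of 1px or less, e.g. '0', '1', '1px'."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return [(src, [reasons...])] for every iframe matching a heuristic."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname  # None for relative URLs, i.e. same origin
        if host and host != site_host and not host.endswith("." + site_host):
            if host not in allowed_hosts:
                reasons.append(f"off-origin src host {host}")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by inline style")
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("1x1 or smaller")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample (not a real page): a normal video embed, a same-origin
# form, and one injected, hidden, off-origin iframe. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>Community news</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/newsletter/signup" width="400" height="200"></iframe>
<div><iframe src="https://cdn-assets.example.net/l.html" width="1" height="1"
     style="display:none;position:absolute"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    hits = suspicious_iframes(SAMPLE_HTML, "example.org",
                              allowed_hosts={"www.youtube.com"})
    for src, reasons in hits:
        print(f"{src} -> {'; '.join(reasons)}")
```

Run it against the HTML your web server actually returns to a visitor (fetched with an iPhone Safari User-Agent, since injected content is sometimes served only to the targeted client), not against the files in your content repository: an injection made through a compromised plugin or edge cache shows up only in the served response.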

The Six Vulnerabilities Behind DarkSword: From Memory Corruption to Kernel Takeover

  • CVE-2025-31277 – Memory corruption flaw in JavaScriptCore, patched in iOS 18.6.
  • CVE-2026-20700 – User-mode Pointer Authentication Code (PAC) bypass in dyld, patched in iOS 26.3.
  • CVE-2025-43529 – Memory corruption in JavaScriptCore, patched in iOS 18.7.3 and 26.2.
  • CVE-2025-14174 – Memory corruption in ANGLE, patched in iOS 18.7.3 and 26.2.
  • CVE-2025-43510 – Memory management flaw in the iOS kernel, patched in iOS 18.7.2 and 26.1.
  • CVE-2025-43520 – Memory corruption in the iOS kernel, patched in iOS 18.7.2 and 26.1.

Of these, three were exploited as zero-days before Apple’s patches shipped: CVE-2026-20700 (PAC bypass), CVE-2025-43529 (JavaScriptCore), and CVE-2025-14174 (ANGLE). Artifacts showing that DarkSword was ported forward from builds targeting older iOS versions (17.4.1 and 17.5.1) indicate an actively maintained, modular kit that was adapted to newer targets rather than a one-off tool.
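The patch list above is uneven across Apple’s two release lines, which is the detail an incident responder needs when deciding which visitors to a compromised site were actually exposed. The script below is an added example, not code from the article or from GTIG; the fix versions are copied from the list above, the log lines are constructed (not real traffic), and one entry is an assumption of mine: the article lists CVE-2025-31277 as fixed only in iOS 18.6, and because 18.6 shipped before iOS 26.0 branched the table treats every 26.x build as carrying that fix. Where the article names a fix on only one branch, as with CVE-2026-20700 (iOS 26.3 only), the other branch is reported as unpatched.

```python
"""Assess an iOS build, or an iPhone Safari User-Agent from an access log,
against the six DarkSword CVEs using the fix versions listed in the article."""
import re

# CVE -> {major branch: first build on that branch that carries the fix}, from
# the article's list. A branch with no entry is treated as unpatched
# (conservative): the article lists CVE-2026-20700 only for iOS 26.3.
# The 26.0 entry for CVE-2025-31277 is an assumption (18.6 shipped before 26.0).
DARKSWORD_FIXES = {
    "CVE-2025-31277": {18: "18.6", 26: "26.0"},    # JavaScriptCore (26.0: assumption)
    "CVE-2026-20700": {26: "26.3"},                # dyld PAC bypass; no iOS 18 fix listed
    "CVE-2025-43529": {18: "18.7.3", 26: "26.2"},  # JavaScriptCore
    "CVE-2025-14174": {18: "18.7.3", 26: "26.2"},  # ANGLE
    "CVE-2025-43510": {18: "18.7.2", 26: "26.1"},  # kernel
    "CVE-2025-43520": {18: "18.7.2", 26: "26.1"},  # kernel
}
TARGET_WINDOW = ((18, 4), (18, 7))  # inclusive major.minor range the kit fingerprints for


def parse_version(text):
    """'18.7.3' -> (18, 7, 3); absent trailing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def unpatched_cves(version):
    """CVEs from the chain for which the given build carries no listed fix."""
    v = parse_version(version)
    return [cve for cve, fixes in DARKSWORD_FIXES.items()
            if v[0] not in fixes or v < parse_version(fixes[v[0]])]


def in_target_window(version):
    """True if major.minor lies inside the 18.4-18.7 range the kit checks for."""
    major_minor = parse_version(version)[:2]
    return TARGET_WINDOW[0] <= major_minor <= TARGET_WINDOW[1]


# Mobile Safari reports the OS build as e.g. "CPU iPhone OS 18_6_2 like Mac OS X".
UA_IOS_RE = re.compile(r"iPhone OS (\d+(?:_\d+)*) like Mac OS X")
# Combined-log line: client IP is the first field, User-Agent the last quoted one.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')


def ios_version_from_ua(user_agent):
    """Return '18.6.2' for an iPhone Safari UA, or None for anything else."""
    m = UA_IOS_RE.search(user_agent)
    return m.group(1).replace("_", ".") if m else None


def exposed_visitors(log_lines):
    """(client_ip, ios_version, unpatched CVEs) for iPhone visitors whose
    reported build falls inside the kit's targeting window."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ios = ios_version_from_ua(m.group(2))
        if ios and in_target_window(ios):
            hits.append((m.group(1), ios, unpatched_cves(ios)))
    return hits


# Constructed access-log lines (not real traffic) from a site that might have
# been injected; the question is which visitors were in the exposed window.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2025:10:01:02 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 18_6_2 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/18.6 Mobile/15E148 Safari/604.1"',
    '203.0.113.9 - - [12/Dec/2025:10:02:40 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 26_2 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/26.2 Mobile/15E148 Safari/604.1"',
    '198.51.100.7 - - [12/Dec/2025:10:03:15 +0000] "GET /news HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/131.0 Safari/537.36"',
]

if __name__ == "__main__":
    for ip, ios, missing in exposed_visitors(SAMPLE_LOG):
        print(f"{ip} iOS {ios}: in target window, no fix for {', '.join(missing)}")
```

Two caveats apply to the log side. A User-Agent is client-supplied and can be spoofed or coarsened, so treat the output as a triage list rather than proof of exposure, and feed it only traffic to pages that actually carried the injected iframe. On the version side, note what the table makes visible: a device parked on iOS 18.7.3 still has no listed fix for the dyld PAC bypass, so the only build the article’s list fully clears is iOS 26.3 or later.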

Who Is Behind DarkSword? Threat Actors and Geopolitical Motivations

Multiple threat actors have been linked to the deployment of DarkSword, revealing a fragmented ecosystem of groups using the same high-grade exploit chain for divergent goals. The most prominent is UNC6353, a suspected Russian state-aligned group that has used DarkSword in watering hole attacks targeting Ukrainian users since at least November 2025. UNC6353 is also known to have used the Coruna exploit chain, which targets older iOS versions (13.0–17.2.1), primarily in espionage operations. Analysts at Lookout suggest that UNC6353 may function as a ‘privateer’ group, officially unacknowledged but aligned with Russian intelligence objectives, given its access to advanced iOS exploit chains and its preference for targeting Ukrainian digital infrastructure.

Beyond UNC6353, two additional threat actors have utilized DarkSword for financially motivated and surveillance-driven campaigns. UNC6748 targeted Saudi Arabian users in November 2025 via a Snapchat-themed phishing site (snapshare[.]chat), delivering a variant called GHOSTKNIFE—a JavaScript backdoor designed to harvest device and account data. Meanwhile, PARS Defense, a Turkish commercial surveillance vendor, deployed a similar payload named GHOSTSABER to compromise users in Turkey, enabling remote file enumeration, data exfiltration, and arbitrary JavaScript execution. These diverse deployments highlight the growing commodification of iOS exploits, where even non-state actors can purchase or obtain sophisticated attack tools.

The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation. This trend reflects a mature, second-hand market for iOS vulnerabilities that lowers technical barriers to high-impact attacks.

Why DarkSword Is a Turning Point in Mobile Threat Intelligence

The emergence of DarkSword within weeks of Coruna signals a new phase in mobile cyber threats: the rapid commercialization of iOS zero-day and near-zero-day exploits. Unlike traditional APT groups that develop bespoke tools in-house, DarkSword and Coruna are being re-used across multiple campaigns, suggesting a supply chain where exploit developers—possibly private vendors—sell or license their tools to diverse buyers. This ‘exploit-as-a-service’ model reduces costs and skill requirements, enabling financially motivated criminals, mercenary hackers, and even less sophisticated state actors to conduct high-impact iOS attacks.

The Role of Commercial Surveillance Vendors in Expanding Threat Landscape

Commercial surveillance vendors like PARS Defense play a pivotal role in this ecosystem by acting as intermediaries between exploit developers and end-users. These companies often market their services under the guise of ‘legitimate’ cybersecurity tools but are frequently implicated in human rights abuses and targeted surveillance. The use of DarkSword by such vendors underscores how commercial spyware has evolved from niche espionage tools into scalable platforms that can be deployed against broad user bases with minimal technical expertise.

Operational Security Failures and the Limits of Stealth

Despite its technical sophistication, DarkSword’s operational security (OPSEC) appears weak. Analysts at Lookout noted the lack of code obfuscation in the JavaScript payloads and the use of plainly named components like ‘DarkSword File Receiver.’ This suggests that the operators may prioritize rapid deployment and reuse over operational discipline, or that they lack access to advanced evasion techniques. Such lapses have proven critical in enabling detection: both DarkSword and Coruna were uncovered due to visible infrastructure flaws, not through advanced forensic analysis.

Global Impact: Which Countries and Users Are at Risk?

As of December 2025, confirmed DarkSword campaigns have targeted iPhone users in Saudi Arabia, Turkey, Malaysia, and Ukraine, with evidence of broader scanning activity across iOS 18.x devices. Google’s analysis indicates that the exploit chain was initially configured for iOS 18.4–18.6 and was later expanded to include iOS 18.7 in campaigns attributed to UNC6748 and PARS Defense. No victim count has been published. The exposed population, however, is any iPhone still running an unpatched build between iOS 13.0 (Coruna) and 18.7 (DarkSword), which is a large share of the installed base in regions where older devices stay in service for years.

Key Takeaways: What Apple Users and Security Experts Need to Know

  • DarkSword is a rapidly deployed iOS exploit kit that can compromise iPhones within minutes via malicious websites, stealing sensitive data including credentials, messages, and cryptocurrency wallet information.
  • The kit abuses six vulnerabilities, including three zero-days (CVE-2026-20700, CVE-2025-43529, CVE-2025-14174), all of which have been patched by Apple in recent iOS updates.
  • Multiple threat actors—including suspected Russian group UNC6353, Saudi-focused UNC6748, and Turkish vendor PARS Defense—have used DarkSword for espionage, surveillance, and financial theft.
  • Unlike persistent spyware, DarkSword is designed for ‘hit-and-run’ attacks, minimizing dwell time and forensic traces to avoid detection.
  • The proliferation of DarkSword and Coruna highlights a growing black market for iOS exploits, enabling less sophisticated actors to launch high-impact attacks on mobile devices.

How Apple Has Responded and What Users Should Do

Apple has addressed all six vulnerabilities, but not in a single release: five were fixed in the iOS 18 line (the last of them in 18.7.3) and in iOS 26.1 and 26.2, while the dyld PAC bypass (CVE-2026-20700) is listed above as fixed in iOS 26.3, with no iOS 18 fix named. Devices that can run iOS 26 should therefore be on 26.3 or later; devices held on iOS 18 should be on 18.7.3 at minimum and should be treated as still carrying one link of the chain. Given the rapid evolution of exploit kits and the reuse of older vulnerabilities in new attacks, security experts recommend enabling automatic updates, avoiding suspicious websites, and using trusted security apps to monitor for signs of compromise. High-risk individuals should also consider Apple’s Lockdown Mode, which disables Safari’s JIT and other web features that browser-delivered chains rely on, and enterprises should consider mobile threat defense solutions that can detect anomalous behavior in real time.

The Future of iOS Exploits: Market Dynamics and Security Implications

The emergence of DarkSword and Coruna within a single month reflects a disturbing acceleration in the commodification of iOS vulnerabilities. Security researchers warn that the second-hand market for iOS exploits—once dominated by nation-state actors—is now accessible to a wider range of threat actors, including cybercriminals and commercial surveillance vendors. This shift raises critical questions about Apple’s ability to secure its ecosystem amid a rapidly evolving threat landscape, and whether the company’s patch cycles and vulnerability disclosure policies are sufficient to protect users between updates. Additionally, the use of watering hole attacks—where legitimate websites are compromised to deliver exploits—underscores the need for website owners, hosting providers, and domain registrars to strengthen supply chain security.

Conclusion: A Wake-Up Call for Mobile Security

DarkSword is more than just another iOS malware strain—it is a bellwether for the future of mobile threats. Its modular design, rapid deployment, and reuse across multiple campaigns signal a new era where sophisticated attack tools are no longer the exclusive domain of elite hacking groups. For Apple and its users, the lesson is clear: the era of assuming iOS is inherently secure is over. Vigilance, rapid patching, and layered defense are now essential to counter threats that evolve faster than traditional security models can adapt. As exploit kits like DarkSword become commodities, the responsibility to protect users must be shared across developers, security vendors, and end-users alike.

Frequently Asked Questions

What is the DarkSword exploit kit?
DarkSword is a malicious iOS exploit kit that uses multiple vulnerabilities—including three zero-days—to remotely compromise iPhones running iOS 18.4 to 18.7. It delivers a JavaScript-based infostealer that quickly extracts sensitive data and exits, avoiding detection.
Which countries have been targeted by DarkSword?
DarkSword campaigns have been confirmed in Saudi Arabia, Turkey, Malaysia, and Ukraine, with evidence of broader scanning activity across multiple regions. Threat actors used watering hole attacks on compromised websites to deliver the exploit.
How can I protect my iPhone from DarkSword?
Update to the latest iOS release your device supports: iOS 26.3 or later covers all six vulnerabilities listed in this article, while iOS 18.7.3 covers five of them (no iOS 18 fix is listed for the dyld PAC bypass, CVE-2026-20700). Avoid clicking links to suspicious websites, enable automatic updates, and consider using a mobile security app to monitor for unusual activity.
Lauren Schafer

Technology Reporter

Lauren Schafer reports on artificial intelligence, cybersecurity, and the intersection of technology and society. With a background in software engineering, she brings technical expertise to her coverage of how emerging technologies are reshaping industries and daily life. Her AI reporting has been featured in industry publications.
