Google’s Threat Intelligence Group confirmed that a full-chain iOS exploit, DarkSword, has been actively compromising iPhones since at least November 2025. The exploit chain hits devices running iOS 18.4 through 18.7, deploying three distinct malware families capable of pulling cryptocurrency wallet data, iMessages, and device keychains.
According to WuBlockchain on X, the GHOSTBLADE payload specifically targets cryptocurrency wallet data alongside login credentials and other sensitive device information.
Spyware Vendors and State Actors Both Running DarkSword
Google Threat Intelligence Group (GTIG) identified three threat clusters using the chain in separate campaigns. Targets span Saudi Arabia, Turkey, Malaysia, and Ukraine. The actors include UNC6748, Turkish commercial surveillance vendor PARS Defense, and UNC6353, a suspected Russian espionage group.
UNC6748 ran a Snapchat-themed decoy website, snapshare[.]chat, pushing the DarkSword iOS exploit against Saudi users starting November 2025. The site used obfuscated JavaScript and redirected victims to real Snapchat pages to hide the attack. PARS Defense took a cleaner operational approach, encrypting exploit stages using ECDH and AES between the server and target device.
UNC6353 is a different story. Previously tracked delivering the Coruna exploit kit, this Russian-linked group switched to DarkSword in December 2025. GTIG worked with CERT-UA to address UNC6353 watering hole attacks on compromised Ukrainian websites, where a hidden script pulled the DarkSword loader from an attacker server.
What GHOSTBLADE Pulls Off a Compromised iPhone
Three malware families follow a successful DarkSword iOS exploit infection. GHOSTKNIFE, written in JavaScript, grabs signed-in accounts, browser data, messages, location history, and supports live microphone recording. It communicates with its command-and-control server over a custom encrypted binary protocol.
GHOSTSABER, deployed by PARS Defense, collects device info, installed apps, and photo thumbnails, and can run arbitrary JavaScript or SQL queries against on-device databases. Some of its commands, including audio recording and live geolocation, reference functions not yet coded into the implant, suggesting follow-on modules are downloaded at runtime.
Then there is GHOSTBLADE. Less persistent than the other two, it does not run continuously or support backdoor commands. But its collection list is wide. It pulls iMessage databases, Telegram and WhatsApp data, call logs, contacts, location history, saved WiFi passwords, iCloud Drive files, Notes, Calendar data, and specifically, cryptocurrency wallet data. Device keychains and SIM card information are also collected and sent to an attacker server over HTTP.
Six Vulnerabilities, One Chain
DarkSword chains six separate flaws to get from browser to full kernel control. Remote code execution starts with either CVE-2025-31277 or CVE-2025-43529, both memory corruption bugs in JavaScriptCore. A PAC bypass in dyld, CVE-2026-20700, follows to run arbitrary code outside the browser sandbox.
Two sandbox escapes then take the attack from Safari’s restricted WebContent process into the GPU process, then into mediaplaybackd, a system service with broader device access. A final kernel race condition, CVE-2025-43520, builds read and write primitives at the physical memory level. Full kernel privileges. Device fully owned.
All six vulnerabilities are patched as of iOS 26.3, with most patched in earlier incremental updates. GTIG reported each flaw to Apple in late 2025. Devices still running iOS 18.4 through 18.7 without updates remain exposed.
Google urged all users to update to the latest iOS immediately. Where an update is not possible, Lockdown Mode is recommended as a protective measure against the DarkSword iOS exploit and similar full-chain attacks.
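As an added defensive example, not from the article, Google or GTIG: a small triage script that classifies an MDM-style iOS inventory export against the version facts reported above (affected range 18.4 through 18.7, all six CVEs fixed as of 26.3). The CSV layout, device ids and status labels are assumptions.

```python
import csv
import io
from typing import Dict, List, Tuple

# Version facts as stated in the article (not independently verified here).
AFFECTED_MIN = (18, 4)    # DarkSword hits iOS 18.4 ...
AFFECTED_MAX = (18, 7)    # ... through 18.7
FULLY_PATCHED = (26, 3)   # all six CVEs fixed as of iOS 26.3

# Constructed sample of an MDM export; device ids and versions are made up.
SAMPLE_INVENTORY = """device_id,os_version
ipad-001,iOS 18.4.1
iphone-002,18.7
iphone-003,26.3
iphone-004,26.1
iphone-005,17.6.1
iphone-006,18.7.3
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.7.2' (optionally prefixed 'iOS ') into a comparable tuple."""
    text = text.strip()
    if text.lower().startswith("ios"):
        text = text[3:].strip()
    return tuple(int(part) for part in text.split("."))

def classify(version: str) -> str:
    """Map one OS version string onto a triage status.

    Anything in the 18.4-18.7 range is flagged for review even if it carries a
    later point release, because the article does not say which incremental
    update closed each CVE; only 26.3 and later is treated as fully patched.
    """
    v = parse_version(version)
    if v >= FULLY_PATCHED:
        return "patched"
    if AFFECTED_MIN <= v[:2] <= AFFECTED_MAX:
        return "in-affected-range"
    return "not-fully-patched"

def triage(csv_text: str) -> List[Tuple[str, str]]:
    """Return (device_id, status) for every row of an MDM-style CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(row["device_id"], classify(row["os_version"])) for row in rows]

def summarize(results: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count devices per status so a fleet owner sees exposure at a glance."""
    counts: Dict[str, int] = {}
    for _, status in results:
        counts[status] = counts.get(status, 0) + 1
    return counts

if __name__ == "__main__":
    res = triage(SAMPLE_INVENTORY)
    for device, status in res:
        print(f"{device:12} {status}")
    print(summarize(res))
```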