DarkSword iOS Exploit Chain Now Used by Multiple Threat Actors in Global Cyberattacks

<h2>Urgent: DarkSword iOS Exploit Chain Spotted in Coordinated Attacks</h2>
<p><strong>Breaking</strong> — Google Threat Intelligence Group has uncovered a sophisticated iOS exploit chain, dubbed <em>DarkSword</em>, that has been actively deployed by at least three commercial surveillance vendors and suspected state-sponsored groups since November 2025. The campaign targets users in Saudi Arabia, Turkey, Malaysia, and Ukraine.</p>
<figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/darksword-ios-exploit-chain-fig1a.max-1000x1000.jpg" alt="DarkSword iOS Exploit Chain Now Used by Multiple Threat Actors in Global Cyberattacks" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure>
<p>The exploit chain leverages <strong>six zero-day vulnerabilities</strong> affecting iOS versions 18.4 through 18.7. Apple has since patched all flaws with the release of iOS 26.3, but many users remain vulnerable if they have not updated.</p>
<h2>Expert Commentary</h2>
<p>“DarkSword represents a dangerous escalation in the commoditization of mobile exploit chains,” said a senior threat analyst at Google Threat Intelligence Group. “We are seeing the same tool being used by disparate actors, indicating it is likely being sold or traded among cyber mercenary groups.”</p>
<p>Another GTIG researcher added: “The proliferation mirrors what we saw with the <em>Coruna</em> iOS exploit kit. This is a troubling trend that lowers the barrier for entry into high-end mobile espionage.”</p>
<h2>How DarkSword Works</h2>
<p>After successful infection, victims are hit with one of three malware families: <strong>GHOSTBLADE</strong>, <strong>GHOSTKNIFE</strong>, or <strong>GHOSTSABER</strong>. These payloads enable full device compromise, including data theft and persistent access.</p>
<h2>Recent Campaigns</h2>
<h3>Snapchat-Themed Lure Targets Saudi Arabia (UNC6748)</h3>
<p>In November 2025, the threat actor <strong>UNC6748</strong> set up a fake Snapchat page at <em>snapshare[.]chat</em>. The site used obfuscated JavaScript to deliver the DarkSword chain to Saudi users.</p>
<p>The page created an IFrame that fetched a second-stage resource (frame.html). It also checked a session storage key to avoid re-infection, a technique likely used to evade detection.</p>
<h3>Russian Espionage Group UNC6353 Adopts DarkSword</h3>
<p>Suspected Russian state-sponsored group <strong>UNC6353</strong>, previously linked to Coruna, has now integrated DarkSword into its watering hole campaigns. Targets have been observed in Ukraine, Turkey, and Malaysia.</p>
<h2>Background</h2>
<p>DarkSword was first detected by GTIG in late 2025. The exploit chain uses six zero-day flaws, all reported to Apple and patched in iOS 26.3. The vulnerabilities were also addressed in earlier iOS updates for most versions. Google has added involved domains to Safe Browsing and urges immediate updates.</p>
<figure style="margin:20px 0"><img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png" alt="DarkSword iOS Exploit Chain Now Used by Multiple Threat Actors in Global Cyberattacks" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.mandiant.com</figcaption></figure>
<p>The research was conducted in coordination with security firms <strong>Lookout</strong> and <strong>iVerify</strong>.</p>
<h2>What This Means</h2>
<p>The proliferation of DarkSword signals the emergence of a new exploit-as-a-service ecosystem for iOS. As more criminal and state actors gain access to such tools, the threat to high-value individuals — journalists, activists, executives — intensifies.</p>
<p>“This is no longer the domain of just a few advanced nations,” the GTIG analyst warned. “Commercial vendors are now enabling a wider range of threat actors to conduct targeted mobile espionage.”</p>
<h3>Protection Steps</h3>
<ul>
<li>Update to the latest iOS version (26.3 or later).</li>
<li>Enable <strong>Lockdown Mode</strong> if you cannot update.</li>
<li>Avoid clicking on suspicious links or visiting untrusted websites.</li>
</ul>
<p>For further details, see the <a href="#timeline">Discovery Timeline</a> or <a href="#technical-details">Technical Analysis</a>.</p>
<h2 id="timeline">Discovery Timeline</h2>
<p>GTIG observed DarkSword activity as early as November 2025. UNC6748 was the first identified user, followed by UNC6353 and other unnamed actors. The exploit chain was actively deployed for at least three months before patches were issued.</p>
<h2 id="technical-details">Technical Details of Exploit Chain</h2>
<p>DarkSword exploits six vulnerabilities, including memory corruption bugs and a kernel privilege escalation. The flaws are chained together to achieve remote code execution without user interaction. The payloads are modular and can be customized by the operator.</p>
<p>Full technical analysis is available in the <a href="https://google.com/threatintel">Google Threat Intelligence report</a>.</p>
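A defender-side triage check for the two landing-page behaviours described in the Snapchat lure section above (an IFrame fetching a second-stage resource such as frame.html, and a session storage key used as a one-shot guard). This is an added example, not code from GTIG or Google; the sample page, the key name `svc_seen` and the path `/frame.html` are constructed stand-ins, and the checks are static string heuristics, not a signature for the real lure.

```python
import re
from html.parser import HTMLParser

# Constructed sample standing in for a captured landing page: it mimics the
# one-shot sessionStorage guard and the IFrame to a second stage, nothing more.
SAMPLE_PAGE = """<html><body>
<script>
if (!sessionStorage.getItem('svc_seen')) {
  sessionStorage.setItem('svc_seen', '1');
  var f = document.createElement('iframe');
  f.src = '/frame.html';
  document.body.appendChild(f);
}
</script>
</body></html>"""

class _Collector(HTMLParser):
    """Collects inline script text and any static <iframe src=...> values."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.static_iframes = False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "iframe" and dict(attrs).get("src"):
            self.static_iframes.append(dict(attrs)["src"])
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

DYN_IFRAME = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)")
SRC_ASSIGN = re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]")
SS_GUARD = re.compile(r"sessionStorage\.getItem\(\s*['\"]([^'\"]+)['\"]\s*\)")

def triage(html: str) -> dict:
    """Return indicator findings; 'suspicious' requires both guard and IFrame."""
    p = _Collector()
    p.feed(html)
    js = "".join(p.scripts)
    found = {
        "dynamic_iframe": bool(DYN_IFRAME.search(js)),
        "second_stage": SRC_ASSIGN.findall(js) + p.static_iframes,
        "session_guard_keys": SS_GUARD.findall(js),
    }
    found["suspicious"] = found["dynamic_iframe"] and bool(found["session_guard_keys"])
    return found
```

Because the real lure used obfuscated JavaScript, run the captured script through deobfuscation (or collect the executed DOM from a sandboxed browser) before feeding it to these heuristics.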