DarkSword: the iOS exploit kit left in the open
This post covers an exploit chain that affects iOS 18.4 through 18.7. All six CVEs in the chain are patched in current iOS. If you haven’t updated, the fix is in the “What to do” section at the bottom of this post.
What’s New This Week
Researchers from Google GTIG, iVerify, and Lookout jointly published their analysis of DarkSword on March 18, 2026 – the same day this post went live. The Coruna toolkit, which shares infrastructure with DarkSword, was disclosed two weeks earlier and is also linked to UNC6353 (suspected Russian state-sponsored activity).
Changelog
| Date | Summary |
|---|---|
| 18 Mar 2026 | Initial publication following joint disclosure by Google GTIG, iVerify, and Lookout. |
On 18 March 2026, researchers from Google, iVerify, and Lookout jointly published their analysis of DarkSword – an iOS exploit kit that’s been active since at least November 2025, used by at least three separate threat actors, and found sitting unobscured on compromised Ukrainian websites with English comments explaining every component. If you’re running iOS 18.4 through 18.7, visiting the wrong website is enough. No phishing link. No app download. No interaction.
Roughly 25% of iPhones are still on iOS 18. That’s hundreds of millions of devices.
What DarkSword is
DarkSword is a six-CVE exploit chain targeting iOS 18.4 through 18.7. The chain delivers initial code execution in the browser, a sandbox escape, and privilege escalation in sequence: the three primitives you need to go from “JavaScript on a webpage” to “full device access.”
The six CVEs: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520. All patched by Apple in current iOS. Unpatched devices remain exposed.
Three malware families are deployed via the chain depending on the operator:
GHOSTBLADE is a JavaScript dataminer. It exfiltrates crypto wallet data, browser history, photos, location data, and message logs from iMessage, Telegram, and WhatsApp. Contacts and call records too.
GHOSTKNIFE is a backdoor. It focuses on signed-in accounts, messages, browser data, location history, and recordings.
GHOSTSABER is a JavaScript backdoor built for enumeration: device fingerprinting, file listing, arbitrary JavaScript execution, and data theft.
The full haul across deployments: passwords, photos, iMessage/WhatsApp/Telegram logs, browser history, Calendar, Notes, Apple Health data, and cryptocurrency wallet credentials. The kind of data that is either immediately monetisable or immediately useful for espionage. Sometimes both.
DarkSword is fileless: it doesn’t install persistent spyware, which makes post-infection detection significantly harder. The attack runs, collects, and exfiltrates without leaving a traditional footprint. The flip side of no persistence is that a reboot clears the running implant, but it doesn’t recover what was already exfiltrated, and a device that loads the page again while still on iOS 18.4 through 18.7 is simply reinfected.
Why visiting a website is sufficient
The watering hole model doesn’t require any user action beyond navigation. An attacker compromises a legitimate site – a news outlet, a government agency page – and injects DarkSword’s exploit chain. Any iOS 18.4-18.7 device that loads the page triggers the chain automatically.
This is a fundamentally different threat model from phishing or malicious app installs. There’s no suspicious link to avoid, no permissions prompt to decline. The attack surface is “any unpatched iPhone that browses the web,” and the web is what iPhones do.
This is also why the watering hole vector is particularly effective against high-value targets. Ukrainian government workers and journalists visiting Ukrainian news sites are exactly the kind of targets UNC6353 wants. They don’t need to be tricked into anything. They just need to check the news.
An earlier post on supply chain and web injection attacks as an entry vector covers the mechanics from a different angle.
Three threat actors, one toolkit
DarkSword has been used by at least three distinct operators:
UNC6748 was the first observed user, running campaigns that targeted Saudi Arabian users via a fake Snapchat site. Classic phishing vector, DarkSword payload.
PARS Defense, a Turkish commercial surveillance vendor, ran campaigns targeting iOS 18.4-18.7 devices starting in late November 2025 – first in Turkey, then Malaysia. Commercial surveillance vendors selling to governments are a known and growing part of the mobile exploit ecosystem; DarkSword gave them a capable chain to work with.
UNC6353, assessed as a Russian espionage group, has been using the related Coruna toolkit since summer 2025. They added DarkSword in December 2025. Through March 2026 they’ve been targeting Ukrainian news outlets and at least one government agency site via watering hole attacks. This is consistent with broader Russian intelligence targeting patterns against Ukrainian civil infrastructure; see the Stryker/Handala context for related activity.
The pattern here is straightforward: one group builds a capable exploit chain, others adopt it for their own targeting. This is how the commercial and state exploit ecosystem works. DarkSword became more accessible than most because of what UNC6353 did next.
The OPSEC failure
When researchers found DarkSword on compromised Ukrainian websites, it was sitting there unobscured. Full source. English comments. Every component documented.
Matthias Frielingsdorf from iVerify: “Anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones. It’s as simple as that. It’s all nicely documented, also. It’s really too easy.”
A state-sponsored espionage tool became a freely available exploit kit through operational carelessness. Whether this was deliberate – an attempt to create noise and attribution confusion – or a genuine failure to obfuscate before deployment, the result is the same. The barrier to reusing DarkSword dropped to near zero for anyone with a web server and a target list.
The combination of sophisticated capability and poor operational security is a recurring pattern in Russian state-linked cyber operations. The capability is real. The operational discipline sometimes isn’t.
AI-assisted malware development
Lookout’s analysis flags something worth taking seriously: both Coruna and DarkSword show signs of LLM-assisted codebase expansion. The specific tell is the code comments.
LLMs produce well-commented code by default. When you ask a coding assistant to implement a function, it writes the implementation and explains what each part does. That commenting style is distinctive, and it’s present throughout DarkSword. Lookout’s assessment: “This malware is highly sophisticated and appears to be a professionally designed platform enabling rapid development of modules through access to a high level programming language.”
The “rapid development of modules” framing matters. This isn’t just AI-generated code that happens to work – it’s AI-assisted development of a modular, maintainable exploit platform. The same productivity story that engineering teams tell about AI coding tools (“we ship faster, the codebase is more maintainable, onboarding new engineers is easier”) applies directly to threat actor development.
This is the threat version of the productivity argument. AI lowers the cost of building well-structured, extensible software. That applies equally to product teams and exploit developers.
There’s a direct parallel in the AI-assisted malware development pattern documented earlier this year. DarkSword is a concrete, high-capability example of the same trend. The modular architecture, the English comments, the rapid iteration across three malware families – this is what AI-assisted threat development looks like in production.
For enterprises thinking about this threat: the question isn’t whether threat actors are using AI coding tools. They clearly are. The question is whether your detection and response posture is keeping pace with the development velocity that implies.
What to do
Update to the current major iOS release, iOS 26. All six CVEs are patched there. This is the complete mitigation. Everything else on this list is secondary.
If you manage a mobile device fleet: MDM policy enforcing the current major iOS version is the concrete control here. The question isn’t whether your fleet is exposed – it’s what percentage is on a patched major version and how quickly your policy closes that gap. Developer workstations as an attack surface is a related problem for engineering organisations specifically.
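The fleet question above (what percentage of devices sits in the affected band) is easy to answer from an MDM inventory export. The script below is an added example, not code from the original post or from any MDM vendor: the inventory rows are constructed sample data, the column names `device_id` and `os_version` are assumptions you map your own export onto, and it treats every point release inside 18.4 through 18.7 as exposed because the post names the band by major.minor only.

```python
"""Fleet exposure check against the DarkSword-affected iOS 18.4 through 18.7 band.

Added example, not code from the original post or from any MDM vendor. The
inventory below is constructed sample data; real exports (Jamf, Intune, etc.)
use their own column names, so map them to device_id / os_version first.
"""
import csv
import io

# Affected band named in the post, as (major, minor).
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """device_id,os_version
iphone-001,18.7.2
iphone-002,26.3
iphone-003,18.4
iphone-004,18.3.2
iphone-005,18.7
iphone-006,26.0.1
"""


def parse_version(text):
    """'18.7.2' -> (18, 7, 2). Missing components count as 0, so '18.4' == (18, 4, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def in_affected_band(version):
    """True when major.minor falls in 18.4 .. 18.7 inclusive.

    Assumption: every point release inside the band (18.7.2, for instance) is
    treated as exposed, because the post names the band by major.minor only.
    """
    return AFFECTED_MIN <= version[:2] <= AFFECTED_MAX


def fleet_exposure(csv_text):
    """Bucket each device by version and report the share inside the affected band."""
    affected, older, newer = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row["os_version"])
        if in_affected_band(version):
            affected.append(row["device_id"])
        elif version[:2] < AFFECTED_MIN:
            # Below the band: not in the chain's stated target list, but still unpatched.
            older.append(row["device_id"])
        else:
            # Above the band as the post defines it.
            newer.append(row["device_id"])
    total = len(affected) + len(older) + len(newer)
    return {
        "affected": affected,
        "older": older,
        "newer": newer,
        "affected_pct": round(100.0 * len(affected) / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    report = fleet_exposure(SAMPLE_INVENTORY)
    print(f"{report['affected_pct']}% of devices in the 18.4-18.7 band: {report['affected']}")
```

Feed the real export in, and the `older` bucket is worth a second look: those devices are outside what DarkSword targets as described, but they are not patched either, and an MDM minimum-version policy should sweep them up along with the affected band.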
If you run a website: Audit for unauthorised third-party script injection. Watering hole attacks start with a compromised site. Content Security Policy headers, subresource integrity on external scripts, and regular audits of what JavaScript is loading on your pages are the relevant controls.
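The audit the paragraph above calls for, as an added example that is not part of the original post: it pulls every `<script>` tag out of a page, flags external scripts from hosts you did not approve, flags external scripts with no `integrity` attribute, reports inline scripts by their SRI hash so they can be diffed against a known-good baseline, and checks the `script-src` policy for sources loose enough to let injected code run. The HTML, the CSP header, the page host `news.example` and the allow-list are constructed sample inputs; the function names are mine.

```python
"""Audit the <script> tags on a page for watering-hole injection indicators.

Added example, not code from the original post. The HTML, CSP header, page host
and allow-list below are constructed sample inputs; point the functions at your
own page source and response headers.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its attributes and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"attrs": dict(attrs), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sri_hash(body, algo="sha384"):
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_csp(header):
    """'script-src 'self' cdn.example.net; ...' -> {'script-src': ["'self'", 'cdn.example.net'], ...}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(html, csp_header, page_host, allowed_hosts):
    """Return (kind, detail) findings: unexpected script hosts, external scripts
    without SRI, inline scripts (reported by hash for baseline comparison), and
    script-src values loose enough to let injected code run."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src = script["attrs"].get("src")
        if src:
            # Relative URLs resolve to the page itself; protocol-relative ones keep their host.
            host = urlparse(src).netloc or page_host
            if host != page_host and host not in allowed_hosts:
                findings.append(("unexpected-host", src))
            if not script["attrs"].get("integrity"):
                findings.append(("missing-sri", src))
        elif script["body"].strip():
            findings.append(("inline-script", sri_hash(script["body"].encode("utf-8"))))

    policy = parse_csp(csp_header)
    script_src = policy.get("script-src", policy.get("default-src", []))
    for weak in ("'unsafe-inline'", "*", "data:", "https:"):
        if weak in script_src:
            findings.append(("csp-weak-source", weak))
    return findings


# Constructed sample page: one first-party script with SRI, one allow-listed CDN
# script without SRI, one script from a host nobody approved, one inline block.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js" integrity="sha384-placeholder"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="//static-update.example/loader.js"></script>
<script>(function () { /* not part of the site's own bundle */ })();</script>
</head><body></body></html>"""
SAMPLE_CSP = "default-src 'self'; script-src 'self' cdn.example.net 'unsafe-inline'"
PAGE_HOST = "news.example"
ALLOWED_HOSTS = {"cdn.example.net"}


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_HTML, SAMPLE_CSP, PAGE_HOST, ALLOWED_HOSTS):
        print(f"{kind:18} {detail}")
```

Run it on a saved copy of the page (`curl -s` the HTML and the `Content-Security-Policy` header) on a schedule and diff the output against the last clean run; a new `unexpected-host` or a changed `inline-script` hash is exactly the signal a watering hole injection produces. The `'unsafe-inline'` finding matters because it is what lets an injected inline loader execute at all.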
If you hold cryptocurrency on an iPhone not running current iOS: Move it to a hardware wallet or cold storage now. GHOSTBLADE specifically targets crypto wallet data. The risk is asymmetric.
The patch exists. It has existed since Apple released current iOS. The threat actors who built and reused DarkSword were counting on the roughly 25% of iPhones that hadn’t applied it. That’s a large number of devices, and the sophistication of the chain – six CVEs, three malware families, LLM-assisted modular development – reflects how much investment went into targeting exactly that population.
Update your phone. Enforce updates on your fleet. The window closes when the patch is applied.