
DarkSword: The iOS Exploit Chain Spreading Across Threat Actors

Last updated: 2026-05-04 21:04:52 Intermediate

Google Threat Intelligence Group (GTIG) has uncovered a powerful iOS exploit chain called DarkSword, which leverages multiple zero-day vulnerabilities to fully compromise devices. Since November 2025, this chain has been adopted by commercial surveillance vendors and state-sponsored actors in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. DarkSword affects iOS versions 18.4 through 18.7 and deploys final-stage malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Below are key questions answered based on GTIG’s findings.

What is DarkSword?

DarkSword is an iOS full-chain exploit kit that uses six different vulnerabilities to compromise devices fully. First observed by GTIG in November 2025, it allows attackers to execute arbitrary code and deliver malicious payloads without user interaction. The exploit chain is named based on toolmarks found in recovered payloads. Unlike typical single-exploit attacks, DarkSword chains multiple zero-days—meaning previously unknown flaws—to bypass Apple’s security layers. It supports iOS versions 18.4 through 18.7 and has been linked to both commercial surveillance vendors and suspected state-sponsored threat actors. GTIG reported all six vulnerabilities to Apple, and they were patched with iOS 26.3, though many were fixed earlier.

DarkSword: The iOS Exploit Chain Spreading Across Threat Actors
Source: www.mandiant.com

Which vulnerabilities does DarkSword use?

DarkSword leverages six distinct zero-day vulnerabilities to infect devices. While GTIG’s public report does not name all CVEs, it confirms that the chain exploits weaknesses in iOS components like WebKit, the kernel, and other system frameworks. These flaws allow the exploit to execute code remotely, escalate privileges, and deploy persistent malware. The chain is designed to work silently, often triggered when a user visits a malicious website or interacts with a crafted link. Apple patched all vulnerabilities in iOS 26.3, but users of older iOS versions (prior to 18.7) remain exposed if they do not update to the latest release. GTIG recommends enabling Lockdown Mode for devices that cannot update.

Who is using DarkSword?

Multiple threat actors have adopted DarkSword since November 2025. GTIG observed commercial surveillance vendors and state-sponsored groups using it in distinct campaigns. One notable example is UNC6353, a suspected Russian espionage group previously known for using the Coruna iOS exploit kit; they now incorporate DarkSword into their watering hole attacks. Another cluster, UNC6748, targeted Saudi Arabian users via a Snapchat-themed website. GTIG assesses that other commercial surveillance vendors or threat actors may also be using the exploit chain, indicating wide proliferation. Targets have been identified in Saudi Arabia, Turkey, Malaysia, and Ukraine, suggesting a diverse set of geopolitical objectives.

Which regions are targeted by DarkSword campaigns?

DarkSword campaigns have been observed targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. In Saudi Arabia, the UNC6748 threat cluster used a fake Snapchat website (snapshare[.]chat) to lure victims. Ukraine and Turkey were targeted by other actors, possibly linked to state-sponsored espionage. Malaysia was also a focus, though specific campaign details are less public. The geographic spread shows that DarkSword is not limited to a single region, and its adoption by multiple actors enables attacks on diverse targets—from journalists and activists to government officials. GTIG continues to monitor for new campaigns as the exploit chain spreads.

What malware families are delivered by DarkSword?

GTIG identified three distinct final-stage malware families deployed after a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These malware variants each serve different purposes. GHOSTBLADE is a modular implant capable of data exfiltration and remote control. GHOSTKNIFE focuses on credential theft and screen capture. GHOSTSABER provides persistent backdoor access for long-term surveillance. All three families are designed to operate covertly and evade detection. Their deployment depends on the threat actor’s intent—for example, commercial surveillance vendors might use GHOSTSABER for monitoring, while state actors might prefer GHOSTKNIFE for intelligence gathering.

How is DarkSword delivered to targets?

Delivery methods vary by threat actor. For example, UNC6748 used a Snapchat-themed website (snapshare[.]chat) to target Saudi Arabian users. The site contained obfuscated JavaScript that created a hidden iframe to load a malicious delivery stage. It also set a sessionStorage key (uid) to prevent re-infection. Other actors likely use watering hole attacks, phishing emails, or compromised ad networks. The exploit chain activates when the victim visits the compromised page, exploiting the iOS zero-days without any further user interaction. Some campaigns also use social engineering to increase click rates. GTIG has added domains involved in DarkSword to Google Safe Browsing to block future access.

How can users protect themselves from DarkSword?

To defend against DarkSword, users should update their iPhones to the latest iOS version—iOS 26.3 or later—as it patches all six vulnerabilities. For devices that cannot be updated, enabling Lockdown Mode provides enhanced security by limiting attack surfaces. Additionally, avoid clicking suspicious links or visiting untrusted websites, especially those mimicking popular apps like Snapchat. Organizations should implement mobile threat detection solutions and monitor for indicators of compromise (IOCs) shared by GTIG. Google Safe Browsing now blocks domains used in DarkSword campaigns. Regular security updates and cautious browsing remain the most effective defenses against such exploit chains.
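The version boundaries above (affected 18.4 through 18.7, all six bugs fixed in iOS 26.3, Lockdown Mode as the fallback) are easy to get wrong when triaging a device fleet by hand. The following is an added example, not code from GTIG or the article, that classifies a constructed MDM-style inventory against those boundaries; the inventory format and the status labels are assumptions.

```python
"""Triage an iOS device inventory against the DarkSword affected range.

Added example, not from GTIG's report. The version boundaries come from the
article; the inventory lines below are constructed sample data.
"""
from typing import List, Tuple

AFFECTED_MIN = (18, 4)   # first affected release named in the article
AFFECTED_MAX = (18, 7)   # last affected release named in the article
PATCHED_FROM = (26, 3)   # release the article says patches all six bugs

# Constructed sample inventory (assumed format): device_id, iOS version, Lockdown Mode on?
SAMPLE_INVENTORY = """\
iphone-001,18.3.1,no
iphone-017,18.4,no
iphone-042,18.7.2,yes
iphone-058,26.1,no
iphone-099,26.3,no
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """'18.7.2' -> (18, 7, 2); tolerates a trailing build tag like '18.7.2 (22H123)'."""
    core = text.strip().split()[0]
    return tuple(int(p) for p in core.split("."))

def classify(version: str, lockdown: bool) -> str:
    """Map one device to an action consistent with the article's guidance."""
    v = parse_version(version)
    major_minor = v[:2]
    if v >= PATCHED_FROM:
        return "patched"
    if AFFECTED_MIN <= major_minor <= AFFECTED_MAX:
        # Confirmed affected range: updating is the fix; Lockdown Mode is the
        # fallback the article recommends for devices that cannot update.
        return "affected-mitigated" if lockdown else "affected-update-now"
    # Below the fix but outside the named range: not confirmed affected,
    # still behind on patches, so update anyway.
    return "unconfirmed-update"

def triage(inventory: str) -> List[Tuple[str, str]]:
    """Return (device_id, status) for every non-empty inventory line."""
    results = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        device_id, version, lockdown = (f.strip() for f in line.split(","))
        results.append((device_id, classify(version, lockdown.lower() == "yes")))
    return results

if __name__ == "__main__":
    for device_id, status in triage(SAMPLE_INVENTORY):
        print(f"{device_id}: {status}")
```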