
DarkSword: The new "nightmare" for iOS users with a highly sophisticated exploit chain

  • Mar 20
  • 3 min read

The mobile security landscape has recently been rocked by the exposure of an exploit toolkit named DarkSword. Discovered by experts from the Google Threat Intelligence Group (GTIG), iVerify, and Lookout, DarkSword is more than just typical malware. It is a complex attack chain combining six security vulnerabilities, including three previously unknown zero-days, designed to gain full control over a victim’s iPhone.

The emergence of DarkSword signals an alarming trend: nation-state grade attack tools are trickling down to cybercriminal groups with more limited resources, posing a widespread threat to hundreds of millions of users.

What is DarkSword and why is it so dangerous?

DarkSword is identified as a "full-chain exploit" toolkit specifically designed for the iOS operating system. According to reports, this toolkit has been deployed in real-world campaigns since at least November 2025. Its primary objective is to penetrate deep into the system to extract sensitive data rapidly and comprehensively.

DarkSword distinguishes itself with a "hit-and-run" strategy. Rather than maintaining a long-term presence on the device for surveillance, which would leave persistence artifacts for defenders to find, DarkSword follows a specific process:

  • Infiltrates the device via the browser.

  • Collects all critical information within seconds or minutes.

  • Automatically wipes its tracks and exits the system to avoid detection.

Notably, in addition to standard personal information, DarkSword places a heavy emphasis on cryptocurrency wallets, indicating a clear financial motive behind the campaign.

DarkSword is described as focusing on cryptocurrency wallets - Image source: AI

Threat actors and global targets

The danger of DarkSword lies not only in its technology but also in the scale of its utilization. Researchers have discovered the toolkit being used by multiple threat actors targeting countries such as Ukraine, Saudi Arabia, Turkey, and Malaysia.

The following key actors have been identified:

  • UNC6353: A threat group suspected of having links to Russian intelligence. This group used DarkSword to target users in Ukraine via compromised websites.

  • UNC6748: Focused on attacking users in Saudi Arabia in late 2025 by using spoofed social media websites (such as Snapchat).

  • PARS Defense: A commercial surveillance software provider in Turkey, found using DarkSword to distribute GHOSTSABER malware to enumerate and steal device data.

Timeline of activities by various threat actors (UNC6353, UNC6748, PARS Defense) and target countries

Interestingly, despite possessing "top-tier" tools, UNC6353 exhibited poor Operational Security (OPSEC), leaving elementary traces in the source code. This supports the hypothesis of a "black market" where high-end attack tools are resold to groups with lower technical proficiency.

Decoding the 6-Vulnerability chain that "compromises" iOS

The power of DarkSword stems from chaining six different vulnerabilities to break through Apple's layered security model. Three of them (CVE-2026-20700, CVE-2025-43529, CVE-2025-14174) were zero-days: they were exploited in the wild before Apple had released patches.

The attack sequence follows a carefully choreographed scenario:

  1. Initial access: Uses a flaw in JavaScriptCore (CVE-2025-31277 or CVE-2025-43529) to execute code inside the Safari renderer as soon as a user visits a malicious website.

  2. PAC bypass: Leverages CVE-2026-20700 to defeat Pointer Authentication Codes (PAC), the arm64e pointer-integrity mechanism that is meant to stop a memory-corruption bug from being turned into arbitrary code execution. This step is about control-flow integrity, not user authentication.

  3. Sandbox escape: This is the most crucial step. DarkSword uses a GPU vulnerability (CVE-2025-14174) to escape the Safari renderer sandbox, reaching system processes such as mediaplaybackd.

  4. Kernel privilege escalation: Finally, CVE-2025-43520 is exploited to obtain read/write access to kernel memory, at which point the attacker can perform any action on the device.

Step-by-step technical breakdown of how the exploit chain actually operates

Watering hole attacks and Consequences

DarkSword is primarily delivered through "watering hole" attacks. Attackers inject hidden frames (iframes) containing the exploit code into popular websites that the intended victims already visit. When a victim opens such a page in Safari, the injected script fingerprints the browser and operating-system version. If the device is running iOS 18.4 through 18.7, the exploit chain fires immediately, with no click or other user interaction required.
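A defender auditing a site suspected of hosting such a watering hole needs a way to find frames that are loaded but never shown. The Python scanner below is added here as an illustration; it is not code from the article or from the GTIG, iVerify or Lookout reports. It parses a saved HTML page and flags iframes that are hidden (zero size, display:none, off-screen) and served from a host other than the page's own. The sample HTML and the hostnames in it are constructed for the example and are not DarkSword indicators.

```python
"""Flag hidden, cross-origin iframes in a saved copy of a web page.

Added example for the watering-hole pattern described above; not code from the
original article or from any of the research teams it cites. The HTML below is
constructed for this example and carries no real DarkSword indicator.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline-style fragments that keep an element loaded but invisible to the user.
HIDDEN_STYLE_PATTERNS = [
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"opacity\s*:\s*0(?:\.0+)?(?!\d)",
    r"(?:left|top)\s*:\s*-\d{3,}px",   # parked far off-screen
]


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel (tracking-pixel sized)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def _style_hides(style):
    return any(re.search(p, style or "", re.I) for p in HIDDEN_STYLE_PATTERNS)


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag with its attributes and source line."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line, _ = self.getpos()
            self.iframes.append((line, dict(attrs)))


def find_hidden_cross_origin_iframes(html, page_url):
    """Return findings for iframes that are hidden; cross-origin ones rank high.

    Each finding holds the source line, the iframe src, whether it is served
    from another host than the page, a severity and the reasons it was flagged.
    Same-origin hidden frames are kept at low severity so that legitimate
    layout tricks do not drown the injected ones.
    """
    page_host = urlsplit(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for line, attrs in collector.iframes:
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
        if _style_hides(attrs.get("style")):
            reasons.append("hidden by inline style")
        if "hidden" in attrs:
            reasons.append("hidden attribute")
        if not reasons:
            continue
        src = attrs.get("src", "")
        src_host = urlsplit(src).hostname
        cross_origin = src_host is not None and src_host != page_host
        findings.append({
            "line": line,
            "src": src,
            "cross_origin": cross_origin,
            "severity": "high" if cross_origin else "low",
            "reasons": reasons,
        })
    return findings


# Constructed sample: a page with one benign same-origin frame and one
# injected, hidden, cross-origin frame. Hostnames are placeholders.
SAMPLE_PAGE_URL = "https://news.example/article"
SAMPLE_HTML = """<html><body>
<h1>Local news</h1>
<iframe src="https://news.example/widgets/weather" width="300" height="200"></iframe>
<p>Story text.</p>
<iframe src="https://cdn-static.example.net/l.html" width="0" height="0"
        style="position:absolute;left:-9999px;display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_cross_origin_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"line {f['line']}: {f['severity']} {f['src']} ({', '.join(f['reasons'])})")
```

Run it against the HTML you fetched with the same User-Agent an iPhone would send, since a version-gated injection may not be served to a desktop crawler at all. Treat a high-severity hit as a lead to pull the framed document and its scripts for analysis, not as proof of compromise on its own.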

Data stolen by the malicious payload (such as GHOSTBLADE) includes almost everything on the phone:

  • Messages (SMS, Telegram, WhatsApp).

  • iCloud Drive data, emails, contacts, and browsing history.

  • Usernames, passwords, and cryptocurrency wallet data.

  • Sensitive information from Notes and Health apps.

All this data is then packaged and sent to the attacker's server via HTTP(S) before the malware deletes itself from the device.

Lessons in Mobile Security

The emergence of DarkSword and its predecessor, Coruna, serves as a stark warning that no system is absolutely secure. The mass exploitation of zero-day vulnerabilities highlights the increasing sophistication of cybercriminal groups and the availability of high-end attack tools on the secondary market.

For iPhone users, maintaining vigilance is more important than ever. Experts recommend that users take the following steps immediately to protect themselves:

  • Update operating systems: Install the latest iOS version as soon as Apple releases a patch, and confirm the installed build under Settings > General > About rather than assuming the update completed.

  • Be cautious with unknown links: Avoid visiting websites of unknown origin or opening suspicious links sent via messages. Note that a watering hole lives on a site the victim already trusts, so this advice limits exposure but does not eliminate it.

  • Use high-security modes: For high-risk users (journalists, politicians, financial experts), consider enabling Apple's Lockdown Mode, which reduces the browser attack surface that chains like this one rely on.
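For an organisation managing a fleet, "update immediately" turns into a triage of which devices sit in the version range the article reports as targeted. The Python below is an added example, not code from the article: it reads a constructed MDM export (the device and os_version column names are assumed) and classifies each device against the 18.4 through 18.7 range. Point releases within 18.7 are flagged as well, because the article gives only major.minor versions; check Apple's advisory for the exact patched builds before clearing them.

```python
"""Triage an MDM device export against the iOS range the article reports as
exploited (18.4 through 18.7). Added example, not code from the original
article; the inventory rows are constructed and the column names are assumed.
"""
import csv
import io
import re

# Affected range as stated in the article: iOS 18.4 through 18.7, inclusive.
# Only major.minor is given there, so 18.7.x point releases are flagged too.
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)


def parse_ios_version(text):
    """Turn strings like 'iOS 18.7.1', '18.4', '26.0 (beta)' into an int tuple.

    Tuples compare correctly where plain string comparison does not:
    '18.10' < '18.7' as strings, but (18, 10) > (18, 7) as tuples.
    Raises ValueError on anything without a dotted numeric version.
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def in_affected_range(version):
    """True if major.minor of version lies within [18.4, 18.7]."""
    return AFFECTED_MIN <= version[:2] <= AFFECTED_MAX


def triage_inventory(csv_text):
    """Classify each device row by its iOS version.

    Statuses: 'affected-range' (in the reported range: update now),
    'below-range' (older than 18.4: outside the report but still unpatched),
    'above-range' (newer than 18.7), 'unparseable' (inventory needs fixing).
    """
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            v = parse_ios_version(row["os_version"])
        except ValueError as e:
            out.append({"device": row["device"], "status": "unparseable",
                        "note": str(e)})
            continue
        if in_affected_range(v):
            status = "affected-range"
        elif v[:2] < AFFECTED_MIN:
            status = "below-range"
        else:
            status = "above-range"
        out.append({"device": row["device"], "version": v, "status": status})
    return out


# Constructed inventory. '18.10' is not a real iOS release; it is there only
# to exercise the numeric (not string) comparison.
SAMPLE_INVENTORY = """device,os_version
ceo-iphone,iOS 18.7
finance-01,18.4.1
legal-02,18.10
intern-03,17.6.1
dev-04,26.0 (beta)
kiosk-05,unknown
"""

if __name__ == "__main__":
    for entry in triage_inventory(SAMPLE_INVENTORY):
        print(entry)
```

Feed it the export from whatever MDM you run; the only fields it needs are a device identifier and a free-form OS version string. Devices that come back 'unparseable' are an inventory-hygiene problem worth fixing, because an unknown version is effectively an unmanaged device.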


IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)


🏢 SH05.01, B4 Street, Saritown Area, An Khanh Ward, Ho Chi Minh City, Vietnam

