TL;DR
- BREAKING UPDATE (The GitHub Leak): The source code for a newer version of DarkSword has been leaked on GitHub. Because the exploit relies entirely on simple HTML and JavaScript, security researchers warn it works “out of the box,” allowing even low-skill criminals to deploy the spyware in minutes.
- The Threat: A highly sophisticated, full-chain iOS exploit dubbed “DarkSword” is actively compromising iPhones globally. Unlike traditional malware requiring a download, DarkSword triggers silently when a user simply visits a compromised website (a “drive-by” or “watering hole” attack).
- Vulnerability: The spyware specifically targets devices running iOS versions 18.4 through 18.7. Cybersecurity firms estimate that between 220 million and 270 million iPhones globally are still running these vulnerable versions.
- The Payload: Once deployed, DarkSword installs data-stealers like “Ghostblade” that silently exfiltrate Wi-Fi passwords, SMS messages, WhatsApp chats, location history, and crucially, cryptocurrency wallet data. It operates on a “hit-and-run” basis, extracting data in seconds and deleting its traces.
- The Actors: Discovered by Google Threat Intelligence Group (GTIG), Lookout, and iVerify, the exploit is being wielded by multiple groups. This includes suspected Russian state-sponsored actors (UNC6353) and commercial surveillance vendors (UNC6748, linked to Turkish firm PARS Defense).
- The Fix: Apple has patched the six underlying zero-day vulnerabilities in iOS 26.3 and issued Background Security Improvements (BSIs) for older devices. Users must update their iPhones immediately. High-risk users are urged to enable Apple’s “Lockdown Mode.”
Breaking UPDATE: The GitHub Leak
In a devastating blow to global mobile security, a newer version of the DarkSword toolkit was recently leaked and published on GitHub. This leak fundamentally changes the threat landscape.
Matthias Frielingsdorf, co-founder of the mobile security startup iVerify, issued a stark warning regarding the leak: “This is bad. They are way too easy to repurpose. I don’t think that can be contained anymore. So we need to expect criminals and others to start deploying this.”
Frielingsdorf noted that the newly leaked versions share the same infrastructure as the earlier, state-sponsored attacks, but the files uploaded to GitHub are stripped down and uncomplicated—consisting merely of HTML and JavaScript.

No Exploitation Expertise Required
The simplicity of the leaked code is its most dangerous attribute. Because the exploit relies entirely on web-based languages, anyone can copy and paste the code and host it on a server in a matter of minutes to hours. “The exploits will work out of the box,” Frielingsdorf confirmed. “There is no iOS expertise required.”
This assessment was corroborated by Google. Kimberly Samra, a spokesperson for Google, stated that the company’s researchers fully agree with iVerify’s analysis of the leaked files.
Furthermore, the viability of the leaked code has already been proven “in the wild.” A security hobbyist operating under the handle ‘matteyeux’ posted on X (formerly Twitter) that they successfully hacked an iPad mini running iOS 18 using the publicly circulating DarkSword sample, proving how trivial it is to weaponize the leaked code.
Original Story Below
The Illusion of Invulnerability
For over a decade, the Apple ecosystem has been heralded as the gold standard of consumer digital security. The walled garden approach, stringent App Store review processes, and robust hardware-level encryption have traditionally kept the average iPhone user safe from the malware epidemics that historically plagued other operating systems.
However, the discovery of the DarkSword iOS exploit chain has shattered that illusion for millions.
Uncovered in a joint investigation by Alphabet’s Google Threat Intelligence Group (GTIG), mobile security firm iVerify, and cybersecurity firm Lookout, DarkSword represents a terrifying evolution in mobile espionage. It is not merely a single bug; it is a masterclass in vulnerability chaining that links six distinct zero-day flaws to achieve total device takeover without a single click or download from the victim.
What makes DarkSword particularly alarming is its proliferation. Historically, exploit chains of this sophistication, often costing millions of dollars to develop on the black market, were tightly guarded by elite, state-sponsored intelligence agencies. DarkSword, however, is being wielded simultaneously by Russian espionage clusters and commercial surveillance vendors, targeting everyday citizens, journalists, and government officials across Ukraine, Saudi Arabia, Turkey, and Malaysia.
With an estimated 220 to 270 million devices potentially vulnerable due to outdated software, DarkSword is not just a theoretical threat; it is an active, global digital crisis. This comprehensive report breaks down the technical architecture of DarkSword, the threat actors behind it, and the critical steps you must take to secure your digital life.

What is DarkSword?
DarkSword is a zero-click, full-chain exploit toolkit engineered specifically for Apple’s iOS. The name originates from a variable found hidden deep inside the malicious JavaScript implant code used to extract Wi-Fi credentials: const TAG = "DarkSword-WIFI-DUMP";.
Unlike rudimentary malware that tricks a user into downloading a malicious application, DarkSword operates entirely in the background via web browsers. It is deployed through “watering hole” attacks. Attackers compromise legitimate, high-traffic websites such as news outlets or government portals and embed a hidden, malicious script. When a vulnerable iPhone user navigates to that website, the script executes silently in the background, weaponizing the Safari rendering engine against the device itself.
The “Hit-and-Run” Methodology
Traditional spyware, such as NSO Group’s Pegasus, often establishes deep persistence on a device to monitor a target over months or years. DarkSword utilizes a radically different operational philosophy: the “hit-and-run.”
According to researchers at Lookout, DarkSword is designed to infiltrate, exfiltrate, and evaporate. It does not install traditional binary implants or establish long-term persistence mechanisms that might survive a device reboot. Instead, within seconds to minutes of a user visiting an infected webpage, the spyware hoovers up a massive dragnet of sensitive data, transmits it to an attacker-controlled server, and then abruptly terminates its processes, cleaning up its temporary files to evade forensic detection.
The Anatomy of an Attack: How the Exploit Chain Works
To understand the severity of DarkSword, one must understand the gauntlet of security protocols it manages to bypass. Apple’s iOS relies on a concept called “sandboxing,” where apps (including the Safari browser) are isolated from the core operating system and each other.
DarkSword successfully breaks out of the sandbox using a highly orchestrated chain of six vulnerabilities, executing completely in JavaScript without relying on traditional compiled binaries.
Phase 1: The Initial Infection Vector (Watering Holes)
The attack begins when a user visits a compromised website. In the Ukrainian campaigns, attackers compromised official .gov.ua domains and local news outlets. In Saudi Arabia, attackers utilized a spoofed Snapchat website (snapshare[.]chat).
These sites contain a hidden HTML iframe that loads a malicious script from a seemingly innocuous content delivery network (e.g., static[.]cdncounter[.]net/widgets.js). This script acts as a reconnaissance tool, fingerprinting the device to check the exact iOS version. If the device is running iOS 18.4 through 18.7, the script fetches the primary Remote Code Execution (RCE) loader.
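Because the implant cleans up after itself on the device, the reconnaissance and loader fetches described above are often the only durable evidence of an attempted infection, and they show up in web proxy or DNS logs. The following is an added example (not code from the article or from any of the firms it cites) that scans constructed proxy log lines for requests to the two staging hosts the article names and rates each hit by whether the requesting device reports an iOS version in the affected 18.4 through 18.7 range. The log format and the sample lines are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Staging hosts named in the article, written defanged as the article does;
# they are refanged once so they can be compared against log hostnames.
DARKSWORD_HOSTS = {
    "static[.]cdncounter[.]net",  # host of the reconnaissance/loader script
    "snapshare[.]chat",           # spoofed Snapchat lure (Saudi campaign)
}
REFANGED = {h.replace("[.]", ".") for h in DARKSWORD_HOSTS}

# Affected range from the article: iOS 18.4 through 18.7, any point release.
VULN_MIN = (18, 4)
VULN_MAX = (18, 7)

# Safari reports "CPU iPhone OS 18_5" on iPhone and "CPU OS 18_7_1" on iPad.
UA_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))?")

# Assumed log layout: <timestamp> <client_ip> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def ios_version(user_agent: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) parsed from a WebKit user-agent, or None."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version: Optional[Tuple[int, int]]) -> bool:
    """True when the reported iOS version falls in the 18.4-18.7 window."""
    return version is not None and VULN_MIN <= version <= VULN_MAX


def scan_proxy_log(lines: List[str]) -> List[dict]:
    """Flag every request to a DarkSword staging host.

    HIGH: a device in the affected range fetched the loader (likely exploited).
    INFO: some other client reached the host (compromised/lure site was visited).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, path, ua = m.groups()
        if host.lower() not in REFANGED:
            continue
        ver = ios_version(ua)
        hits.append({"time": ts, "client": client, "host": host, "path": path,
                     "ios": ver, "severity": "HIGH" if is_vulnerable(ver) else "INFO"})
    return hits


# Constructed sample log; the gov.ua hostname is a placeholder, not a real site.
SAMPLE_LOG = """\
2026-01-14T09:12:01Z 10.0.0.21 news.example.gov.ua /index.html "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15"
2026-01-14T09:12:02Z 10.0.0.21 static.cdncounter.net /widgets.js "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15"
2026-01-14T09:13:40Z 10.0.0.34 static.cdncounter.net /widgets.js "Mozilla/5.0 (iPhone; CPU iPhone OS 26_3 like Mac OS X) AppleWebKit/605.1.15"
2026-01-14T09:15:07Z 10.0.0.58 snapshare.chat / "Mozilla/5.0 (iPad; CPU OS 18_7_1 like Mac OS X) AppleWebKit/605.1.15"
2026-01-14T09:16:00Z 10.0.0.77 static.cdncounter.net /widgets.js "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(hit["severity"], hit["time"], hit["client"], hit["host"] + hit["path"], hit["ios"])
```

A HIGH hit identifies a device that should be treated as compromised and its credentials, sessions and wallet access rotated, since the article notes the exfiltration completes within seconds.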
Phase 2: Remote Code Execution (RCE)
The loader deploys the first zero-day exploits. Google and iVerify identified that DarkSword leverages memory corruption vulnerabilities in JavaScriptCore (the JavaScript engine powering WebKit and Safari), specifically tracking them as CVE-2025-31277 and CVE-2025-43529.
By feeding maliciously crafted JavaScript to the engine, the attackers corrupt the browser’s memory. To ensure this code actually runs, DarkSword employs a sophisticated bypass for Apple’s Pointer Authentication Codes (PAC) – a hardware-level security feature designed to prevent exactly this kind of memory tampering (tracked as CVE-2026-20700).
Phase 3: The Sandbox Escape
At this point, the attackers have code running on the iPhone, but it is trapped inside the Safari “WebContent” sandbox. To steal data across the device, they must break out.
DarkSword accomplishes this via a two-step pivot:
- Pivoting to the GPU: Using an out-of-bounds write vulnerability in ANGLE (CVE-2025-14174), the exploit breaks out of the web sandbox and injects itself into the device’s GPU (Graphics Processing Unit) process.
- Pivoting to Media Services: From the GPU, the exploit targets a system daemon called mediaplaybackd (responsible for handling media on iOS).
Phase 4: Kernel Privilege Escalation
Now residing in a higher-privileged system daemon, the exploit executes the final strike. It leverages a copy-on-write bug (CVE-2025-43510) to gain arbitrary memory read/write capabilities within the XNU kernel, the absolute core of the Apple operating system. A final bug (CVE-2025-43520) grants the attackers full, unfettered kernel-level privilege escalation.
The device is now entirely compromised.

The Payloads: Ghostblade, Ghostknife, and Ghostsaber
Once kernel privileges are achieved, DarkSword deploys one of three distinct malware families identified by GTIG: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. The specific payload deployed depends entirely on which threat actor is orchestrating the attack.
While distinct in their codebases, all three payloads serve the same master: catastrophic data exfiltration.
What the Malware Steals
The payloads execute a blanket sweep of the iPhone’s databases. Within seconds, the malware extracts:
- Communications: SMS text messages, iMessage histories, WhatsApp chats, Telegram logs, and emails.
- Network & Hardware Data: Wi-Fi configurations, plaintext Wi-Fi passwords, unique device identifiers, SIM card details, and cellular network data.
- Personal Life: Exact location history, Apple Health databases, calendar entries, Notes, contacts, call logs, and photographs.
- Web Activity: Safari browsing history, saved passwords from the Keychain, and session cookies (which can be used to hijack logged-in accounts like Gmail or Facebook without needing the password).
The Financial Motive: Targeting Crypto Wallets
Perhaps the most unusual and alarming aspect of DarkSword’s payloads, specifically Ghostblade, is its aggressive targeting of cryptocurrency data.
While state-sponsored spyware usually focuses on espionage and intelligence gathering, Lookout researchers noted that DarkSword actively hunts for files associated with major cryptocurrency exchanges and decentralized wallets. The malware specifically queries the device for apps like Coinbase, Binance, Kraken, MetaMask, Ledger, Trezor, Phantom, and Uniswap.
By stealing wallet session tokens and seed phrases hidden in notes or photos, the attackers pivot from digital espionage to direct financial theft. This hybrid approach signals a terrifying merging of state-level cyber-warfare capabilities with cybercriminal financial motivations.
Who is Behind DarkSword? The Threat Actors
The proliferation of DarkSword across different hacking groups is highly unusual. Typically, a zero-day exploit chain of this caliber is a closely guarded secret. “The fact that they don’t care if it gets burned, and that they’re using them in mass attacks with poor operational security… says a lot about how much they value these tools,” stated Rocky Cole, co-founder and COO of iVerify.
Google Threat Intelligence Group has linked DarkSword to multiple distinct clusters of threat actors.
UNC6353: Russian State-Sponsored Espionage
In December 2025 and early 2026, DarkSword was heavily deployed against Ukrainian targets. Google tracks this threat cluster as UNC6353, a suspected Russian state-sponsored intelligence group.
UNC6353 is notorious for compromising legitimate Ukrainian infrastructure. Earlier in the same month, they were caught utilizing another iOS exploit chain known as “Coruna,” which targeted older iPhones (iOS 13 through 17). Researchers discovered that DarkSword and Coruna were actually hosted on the exact same internet servers, proving a direct pipeline of advanced exploits flowing into Russian state arsenals.
UNC6748: Commercial Surveillance (PARS Defense)
Simultaneously, Google observed DarkSword being utilized in Saudi Arabia, Turkey, and Malaysia by a cluster tracked as UNC6748.
This group is a commercial surveillance vendor, essentially a “cyber-mercenary” firm that develops and sells hacking tools to governments and law enforcement agencies globally. GTIG linked the operations in Turkey and Malaysia directly to PARS Defense, a Turkish commercial surveillance firm.
The fact that a Russian intelligence unit and a Turkish commercial spyware vendor are simultaneously utilizing the exact same zero-day exploit chain suggests a thriving, highly lucrative dark market where vulnerabilities are brokered, sold, and repurposed across borders.
The Scale of the Threat: Are You Vulnerable?
When a vulnerability like this is disclosed, the immediate question is: How many people are actually at risk?
DarkSword specifically exploits devices running iOS versions 18.4 through 18.7. These versions were released by Apple between March and August 2025.
While Apple is generally praised for its high software adoption rates compared to Android, older devices and users who ignore update prompts create a massive attack surface. According to telemetry data analyzed by iVerify and Lookout, an estimated 14.2% to 18.99% of all active iPhones are currently running vulnerable iOS 18 software.
In raw numbers, this translates to a staggering 220 million to 270 million iPhones globally that can be silently compromised the moment their owner visits a rigged website.
As Steve Cobb, Chief Information Security Officer, noted, mobile devices are now the primary entry point for corporate data. “Once attackers gain access to credentials or corporate data on a device, they are no longer limited to that phone. They can move into SaaS platforms, cloud environments, and partner systems.”

Apple’s Response and Mitigation Strategies
Apple has officially acknowledged the severity of the exploits utilized by DarkSword. In a statement to the press, an Apple spokesperson reiterated the company’s core security philosophy: “Keeping software up to date remains the single most important thing users can do to maintain the high security of their Apple devices.”
iOS 26.3 and Background Security Improvements (BSIs)
Apple has fully patched all six zero-day vulnerabilities associated with the DarkSword exploit chain. The definitive fixes are bundled into iOS 26.3 (and subsequent updates).
Furthermore, recognizing that millions of older devices (like the iPhone X or earlier models) cannot physically run the iOS 26 architecture, Apple made the rare decision to issue out-of-band security patches specifically for legacy devices stuck on iOS 18.
In a landmark shift for mobile security, Apple also deployed its first-ever Background Security Improvements (BSIs) this year. BSIs allow Apple to push critical vulnerability fixes directly to the underlying Safari WebKit engine without requiring the user to download a massive, full-scale operating system update.
Safe Browsing Integration
To stop the bleeding immediately, Apple and Google collaborated to blacklist the malicious infrastructure. All domains identified as hosting the DarkSword payloads have been added to Google’s Safe Browsing blocklist, which Apple utilizes natively within the Safari browser to block users from loading known malicious sites.
How to Protect Yourself: An Actionable Guide
The sophistication of DarkSword means that standard antivirus apps are virtually useless against it. Protection requires strict adherence to digital hygiene and leveraging built-in OS-level security features.
Step 1: Update Your iPhone Immediately (The Non-Negotiable Step)
If your iPhone is running any version of iOS 18 between 18.4 and 18.7, you are in the crosshairs.
- Open the Settings app.
- Tap General, then Software Update.
- If an update is available (specifically iOS 26.3 or newer, or a legacy security patch for iOS 18), tap Download and Install.
- Enable Automatic Updates: Ensure that “Download iOS Updates” and “Install iOS Updates” are toggled ON.
Step 2: Enable Apple’s Lockdown Mode (For High-Risk Users)
If you are a journalist, activist, politician, corporate executive, or reside in a targeted geopolitical region (like Ukraine or the Middle East), you should enable Lockdown Mode.
Lockdown Mode is an extreme, optional protection designed specifically to thwart mercenary spyware like Pegasus and DarkSword. It severely restricts device functionality to reduce the attack surface; for instance, it disables complex web rendering technologies like JavaScript Just-In-Time (JIT) compilation in Safari, which entirely neutralizes the DarkSword exploit chain.
To enable Lockdown Mode:
- Open Settings.
- Scroll down and tap Privacy & Security.
- Scroll to the very bottom and tap Lockdown Mode.
- Tap Turn On Lockdown Mode, read the restrictions, and confirm. Your device will restart.
Step 3: Secure Your Crypto Assets
Because Ghostblade actively hunts for cryptocurrency wallets:
- Never store seed phrases or wallet passwords in your Apple Notes or Photos app.
- Move high-value cryptocurrency holdings off your mobile device entirely and into cold storage hardware wallets (like a physical Ledger or Trezor device).
- Use dedicated, secure password managers (like 1Password or Bitwarden) rather than storing credentials in plain text.
Step 4: Beware of Phishing and Spoofed Sites
DarkSword relies on users visiting compromised websites. Exercise extreme caution when clicking links received via SMS (smishing), WhatsApp, or social media. In the Saudi Arabian campaign, attackers successfully lured users by spoofing Snapchat. Always verify the URL in the Safari address bar.
The Future of Mobile Espionage
The discovery of DarkSword, arriving just weeks after the disclosure of the Coruna exploit kit, signals a paradigm shift in the cybersecurity landscape.
We are witnessing the democratization of zero-day exploits. The tools that were once the exclusive domain of global superpowers are now trickling down into a thriving secondary market, accessible to commercial vendors, cyber-mercenaries, and financially motivated criminals.
The “hit-and-run” nature of DarkSword, stealing data in seconds and vanishing without a trace, means that traditional forensic analysis is becoming increasingly difficult. Many users whose devices were compromised by DarkSword will likely never know they were breached.
As our smartphones become the centralized vaults for our digital identities, corporate secrets, and financial assets, the stakes have never been higher. Apple and Google are engaged in a perpetual game of cat-and-mouse against some of the most well-funded threat actors on the planet. For the end-user, complacency is no longer an option. Updating your software is no longer just about getting new emojis; it is a critical act of digital self-defense.
Frequently Asked Questions (FAQs)
Q: Can I tell if my iPhone was infected by DarkSword?
A: It is highly unlikely that an average user can detect a DarkSword infection. Because it is a “hit-and-run” exploit that executes in memory and cleans up its temporary files, it leaves almost no persistent footprint. If you suspect you were targeted (due to your profession or location), contact digital security organizations like Access Now for forensic assistance.
Q: Does DarkSword affect Android phones?
A: No. DarkSword is an exploit chain built entirely around vulnerabilities specific to Apple’s iOS ecosystem, specifically targeting Safari’s WebKit, JavaScriptCore, and the XNU kernel.
Q: Will restarting my iPhone remove the spyware?
A: Technically, yes. Because DarkSword relies on memory corruption and does not install persistent binaries, a reboot will clear the active exploit from memory. However, the damage is already done. The spyware extracts and exfiltrates your data within seconds of the initial infection.
Q: I have an older iPhone that can’t update to iOS 26. Am I doomed?
A: Not necessarily. Apple frequently releases out-of-band security updates for older operating systems when critical zero-days are discovered. Check your software update settings; Apple has released patches for legacy iOS 18 devices specifically to mitigate this threat.
Q: If I use Google Chrome instead of Safari on my iPhone, am I safe?
A: No. Apple mandates that all third-party web browsers on iOS (including Chrome, Firefox, and Edge) use Apple’s underlying WebKit rendering engine. Therefore, Chrome on iOS is just as vulnerable to DarkSword as Safari.
Q: What is a “Watering Hole” attack?
A: A watering hole attack is a strategy where hackers identify a website frequently visited by their intended targets (e.g., a popular news site or a government portal). The hackers compromise that website and embed malicious code. When the target visits the site, their device is automatically attacked.
Q: Can antivirus apps protect me from DarkSword?
A: Traditional mobile antivirus apps are severely restricted by Apple’s sandboxing rules and cannot scan the kernel for zero-day exploits. While they can block known malicious URLs, they cannot stop the underlying exploit chain once it begins executing. Keeping your iOS updated is your primary defense.