DarkSword iOS Exploit Chain Adopted by Multiple Threat Actors, Targets Saudi Arabia, Turkey, Malaysia, and Ukraine
Mandiant reports that DarkSword, an iOS exploit chain using six zero-day vulnerabilities, is being deployed by multiple threat actors in targeted campaigns.

Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit called DarkSword that leverages multiple zero-day vulnerabilities to fully compromise devices. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain supports iOS versions 18.4 through 18.7 and uses six different vulnerabilities to deploy final-stage payloads including GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
DarkSword was first observed in early November 2025 when the threat cluster UNC6748 leveraged a Snapchat-themed website, snapshare[.]chat, to target Saudi Arabian users. The landing page included JavaScript code that created an IFrame to fetch the next delivery stage, with anti-debugging and obfuscation techniques added over time. The infection process redirected victims to a legitimate Snapchat website to mask the activity. UNC6748 used exploits primarily leveraging CVE-2025-31277, a memory corruption vulnerability in JavaScriptCore, and CVE-2026-20700, a Pointer Authentication Codes (PAC) bypass in dyld, along with additional exploits for iOS 18.6 and 18.7.
GTIG identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into its watering hole campaigns. This suggests the exploit chain is likely sold or shared in underground markets, expanding access to previously unavailable capabilities against iOS targets.
GTIG reported the vulnerabilities used in DarkSword to Apple in late 2025. All of them were patched by the release of iOS 26.3, although most had been patched earlier. The researchers have added domains involved in DarkSword delivery to Safe Browsing and strongly urge users to update their devices to the latest version of iOS. Where an update is not possible, they recommend enabling Lockdown Mode for enhanced security. This research was published in coordination with industry partners at Lookout and iVerify.
The discovery of DarkSword highlights the growing sophistication of iOS exploit chains and the increasing commercialization of zero-day capabilities. As threat actors continue to adopt and adapt these exploit kits, organizations with Apple device fleets should prioritize patching and monitor for unknown zero-days. The involvement of multiple threat actors, including state-sponsored groups, underscores the need for robust mobile security practices and timely updates to protect against targeted attacks.
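
For teams acting on the patching guidance above, the following is an added example (not code from GTIG or the article) that triages a device fleet against the version range, fixed release and delivery domain named in this article. The inventory and proxy-log formats, device names and log lines are constructed for illustration, and treating 18.7.x point releases as part of the supported range is an assumption.

```python
import csv
import io

# Constructed sample MDM inventory export (not real devices).
INVENTORY = """device,os_version,lockdown_mode
ipad-014,18.3.2,off
iphone-001,18.5,off
iphone-002,18.7.1,on
iphone-003,26.2,off
iphone-004,26.3,off
"""
# Constructed sample proxy log lines: timestamp, device, requested host.
PROXY_LOG = """2025-11-04T09:12:03Z iphone-001 www.example.com
2025-11-04T09:12:41Z iphone-001 snapshare.chat
2025-11-04T09:13:10Z iphone-003 cdn.snapshare.chat
2025-11-04T09:14:00Z iphone-004 notsnapshare.chat
"""
DELIVERY_DOMAINS = {"snapshare[.]chat".replace("[.]", ".")}  # indicator from the article
CHAIN_RANGE = ((18, 4), (18, 7))  # iOS versions the article says the chain supports
FIXED = (26, 3)                   # release the article says patches every bug in the chain

def parse_version(text):
    """'18.7.1' -> (18, 7); patch level is dropped (assumption: 18.7.x counts as 18.7)."""
    parts = [int(p) for p in text.strip().split(".")] + [0]
    return tuple(parts[:2])

def classify(os_version, lockdown):
    version = parse_version(os_version)
    if version >= FIXED:
        return "patched"
    if CHAIN_RANGE[0] <= version <= CHAIN_RANGE[1]:
        return "in-range-lockdown" if lockdown == "on" else "in-range"
    return "update-needed"  # below the fixed release; the article gives no per-version detail

def devices_contacting_delivery(log_text):
    """Devices that requested a delivery domain or one of its subdomains."""
    hits = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        if any(fields[2] == d or fields[2].endswith("." + d) for d in DELIVERY_DOMAINS):
            hits.add(fields[1])
    return hits

def triage(inventory_text=INVENTORY, log_text=PROXY_LOG):
    contacted = devices_contacting_delivery(log_text)
    rows = csv.DictReader(io.StringIO(inventory_text))
    return {r["device"]: (classify(r["os_version"], r["lockdown_mode"]), r["device"] in contacted)
            for r in rows}
```

A device that is both `in-range` and flagged as having contacted a delivery domain is the first candidate for forensic review; `in-range-lockdown` devices still need the update.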