DarkSword iOS Exploit Chain Used in Global Espionage Campaigns
Google researchers have identified a sophisticated iOS zero-day exploit chain named DarkSword, which has been used by state-sponsored actors and surveillance vendors to fully compromise devices since late 2025.

Google’s Threat Intelligence Group (GTIG) has uncovered a sophisticated iOS exploit chain dubbed "DarkSword," a collection of zero-day vulnerabilities capable of achieving a full compromise of Apple devices. The exploit chain, which is believed to be government-developed, has been actively utilized by both commercial surveillance vendors and state-sponsored threat actors since at least November 2025 (Schneier on Security).
The DarkSword exploit chain is technically complex, leveraging a sequence of six distinct vulnerabilities to bypass iOS security protections and deploy final-stage payloads. The chain is compatible with iOS versions 18.4 through 18.7. Once the exploit successfully compromises a device, it facilitates the installation of one of three specific malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER (Schneier on Security).
The reach of DarkSword has been significant, with campaigns identified targeting individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit has been adopted by various actors, including the suspected Russian espionage group UNC6353, which has integrated DarkSword into its watering hole attack infrastructure. UNC6353 was previously linked to the use of the Coruna iOS exploit kit, suggesting a pattern of state-sponsored actors adopting advanced, multi-stage toolsets (Schneier on Security).
The security landscape surrounding DarkSword shifted dramatically when the exploit chain leaked onto the public internet approximately one week after its initial discovery. This leak has led to a broader, more indiscriminate use of the tool beyond the initial targeted espionage campaigns. While the news of this exploit chain is now a month old, it serves as a critical reminder of the risks posed by high-end, zero-day-based surveillance tools (Schneier on Security).
Apple users are advised that their devices remain protected provided they maintain a regular patching schedule. The availability of security updates for iOS is the primary defense against such exploit chains. Users should ensure their devices are updated to the latest available versions to mitigate the risk posed by these vulnerabilities (Schneier on Security).
The emergence of DarkSword highlights a concerning trend in the cyber-espionage ecosystem, where sophisticated exploit chains are increasingly shared or repurposed across disparate threat actors. This mirrors the proliferation seen with the Coruna kit, indicating that once these tools are developed, they often find their way into the hands of multiple groups, significantly expanding the threat surface for mobile users globally (Schneier on Security).