Cyber Web Spider Blog – News


DarkSword iOS Exploit Targets iPhone Users Worldwide

Posted on March 18, 2026 By CWS

DarkSword iOS Exploit Unveiled

A sophisticated iOS exploit kit known as DarkSword has been actively used by various commercial surveillance entities and state-backed threat groups since November 2025. This exploit aims to extract sensitive personal information from iPhone users across several countries.

DarkSword chains six vulnerabilities, four of them previously unknown zero-days, to compromise iPhones running iOS versions 18.4 to 18.7.

Mechanism of the Exploit

The DarkSword exploit is implemented entirely in JavaScript and bypasses Apple security measures such as the Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM), which permits the execution of unauthorized code.

Organizations like GTIG, iVerify, and Lookout have analyzed the exploit’s toolmarks, confirming its deployment in targeted attacks in Saudi Arabia, Turkey, Malaysia, and Ukraine.

Details of the Exploit Chain

The six-vulnerability chain starts with a remote code execution exploit affecting JavaScriptCore, Apple’s JavaScript engine in Safari and WebKit. It then proceeds through two sandbox escapes and a privilege escalation to execute a payload that grants hackers complete control over the device.

Among these vulnerabilities, CVE-2026-20700 involves a PAC bypass in Apple’s dynamic linker dyld, which wasn’t patched until iOS 26.3 after being reported by GTIG.
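For defenders, the version facts above (chain affects iOS 18.4 to 18.7; CVE-2026-20700 fixed in iOS 26.3) translate into a fleet triage check. The following is an added example, not part of the original article: the CSV column names and device IDs are constructed, and treating 18.7.x point releases as inside the affected range is an assumption.

```python
import csv
import io

AFFECTED_MIN = (18, 4)  # article: chain compromises iOS 18.4 ...
AFFECTED_MAX = (18, 7)  # ... to 18.7 (assumption: includes 18.7.x point releases)
DYLD_FIX = (26, 3)      # article: CVE-2026-20700 patched in iOS 26.3

# Constructed sample of an MDM inventory export (hypothetical columns).
SAMPLE_INVENTORY = """device_id,os_version
phone-001,18.3.2
phone-002,18.4
phone-003,18.6.2
phone-004,18.7.1
phone-005,26.2
phone-006,26.3
phone-007,beta-build
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Bucket one device by the version facts stated in the article."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"            # unparseable: needs manual review
    if AFFECTED_MIN <= v[:2] <= AFFECTED_MAX:
        return "in-affected-range"  # highest priority: update and investigate
    if v < DYLD_FIX:
        return "missing-dyld-fix"   # outside the stated range, but lacks the dyld patch
    return "has-dyld-fix"

def triage(csv_text):
    """Group device IDs from an inventory CSV by classification."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets.setdefault(classify(row["os_version"]), []).append(row["device_id"])
    return buckets

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices)}")
```

Devices in the `unknown` bucket should be checked by hand rather than assumed safe, since an unparseable version string says nothing about patch level.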

Post-Exploitation Malware Families

Following a successful DarkSword attack, three distinct malware families have been identified: GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE. Each is designed for specific threat actor objectives.

GHOSTKNIFE, used by the threat group UNC6748 through a fake Snapchat site, serves as a JavaScript backdoor for extracting account information, messages, and other data. It uses encrypted communication to avoid detection.

GHOSTSABER, deployed by the Turkish firm PARS Defense, can execute over 15 commands, including data extraction and real-time geolocation, although some features require additional modules.

GHOSTBLADE, linked to Russian espionage actor UNC6353, focuses on comprehensive data mining, gathering extensive information without persistent operation. Its code hints at future capabilities with an unimplemented function named startSandworm().

UNC6748 used a disguised Snapchat site with obfuscated JavaScript loaders to deploy DarkSword, while PARS Defense improved its own operational security by encrypting the exploit stages.

In conclusion, the DarkSword iOS exploit poses a significant threat to iPhone security, emphasizing the need for users to remain vigilant and for developers to address such vulnerabilities promptly.
