Cyber Web Spider Blog – News

DarkSword iOS Exploit Targets iPhone Users Worldwide

Posted on March 18, 2026 By CWS

DarkSword iOS Exploit Unveiled

A sophisticated iOS exploit kit known as DarkSword has been actively used by various commercial surveillance entities and state-backed threat groups since November 2025. This exploit aims to extract sensitive personal information from iPhone users across several countries.

DarkSword utilizes a complex chain of six vulnerabilities, including four previously unknown zero-days, compromising iPhones operating on iOS versions 18.4 to 18.7.

Mechanism of the Exploit

The DarkSword exploit operates fully via JavaScript, allowing hackers to bypass Apple’s security measures such as the Page Protection Layer and Secure Page Table Monitor. This method permits the execution of unauthorized code.

Organizations like GTIG, iVerify, and Lookout have analyzed the exploit’s toolmarks, confirming its deployment in targeted attacks in Saudi Arabia, Turkey, Malaysia, and Ukraine.

Details of the Exploit Chain

The six-vulnerability chain starts with a remote code execution exploit affecting JavaScriptCore, Apple’s JavaScript engine in Safari and WebKit. It then proceeds through two sandbox escapes and a privilege escalation to execute a payload that grants hackers complete control over the device.

Among these vulnerabilities, CVE-2026-20700 involves a PAC bypass in Apple’s dynamic linker dyld, which wasn’t patched until iOS 26.3 after being reported by GTIG.
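A defender-side triage of a device inventory against the version facts stated above, as an added example that is not part of the original article. The CSV column names and the sample rows are constructed assumptions, and patch releases such as 18.7.2 are conservatively counted as inside the reported 18.4 to 18.7 range.

```python
import csv
import io
import re

# Version facts taken from the article text.
TARGETED_MIN = (18, 4)   # DarkSword chain reported against iOS 18.4 ...
TARGETED_MAX = (18, 7)   # ... through 18.7
DYLD_FIX = (26, 3)       # release the article names for the CVE-2026-20700 fix

# Constructed sample inventory; column names are assumptions, not an MDM format.
SAMPLE_INVENTORY = """device_id,owner,os_version
iph-001,alice,18.5
iph-002,bob,18.7.2
iph-003,carol,26.3
iph-004,dave,26.1
iph-005,erin,17.6.1
iph-006,frank,unknown
"""

def parse_version(text):
    """Return (major, minor), or None when the field is not a dotted version."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", text or "")
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # cannot be assessed; follow up by hand
    if TARGETED_MIN <= v <= TARGETED_MAX:
        return "targeted-range"   # inside the range the chain was reported against
    if v < DYLD_FIX:
        return "below-26.3"       # older than the release carrying the dyld fix
    return "fixed"

def triage(csv_text):
    """Group device ids by status so the riskiest bucket can be handled first."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row.get("os_version"))
        report.setdefault(status, []).append(row["device_id"])
    return report

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices)}")
```
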

Post-Exploitation Malware Families

Following a successful DarkSword attack, three distinct malware families have been identified: GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE. Each is designed for specific threat actor objectives.

GHOSTKNIFE, used by the threat group UNC6748 through a fake Snapchat site, serves as a JavaScript backdoor for extracting account information, messages, and other data. It uses encrypted communication to avoid detection.

GHOSTSABER, deployed by the Turkish firm PARS Defense, can execute over 15 commands, including data extraction and real-time geolocation, although some features require additional modules.

GHOSTBLADE, linked to Russian espionage actor UNC6353, focuses on comprehensive data mining, gathering extensive information without operating persistently. Its code hints at future capabilities with an unimplemented function named startSandworm().

UNC6748 used a disguised Snapchat site with obfuscated JavaScript loaders to deploy DarkSword, while PARS Defense enhanced its own operational security by encrypting the exploit stages.

In conclusion, the DarkSword iOS exploit poses a significant threat to iPhone security, emphasizing the need for users to remain vigilant and for developers to address such vulnerabilities promptly.
