DarkSword iOS Exploit Unveiled
A sophisticated iOS exploit kit known as DarkSword has been actively used by various commercial surveillance entities and state-backed threat groups since November 2025. This exploit aims to extract sensitive personal information from iPhone users across several countries.
DarkSword utilizes a complex chain of six vulnerabilities, including four previously unknown zero-days, compromising iPhones operating on iOS versions 18.4 to 18.7.
Mechanism of the Exploit
The DarkSword chain runs entirely as JavaScript, which lets it sidestep Apple's kernel hardening such as the Page Protection Layer (PPL) and the Secure Page Table Monitor (SPTM) and ultimately execute unauthorized code on the device.
Google Threat Intelligence Group (GTIG), iVerify, and Lookout have analyzed the exploit's toolmarks, confirming its deployment in targeted attacks in Saudi Arabia, Turkey, Malaysia, and Ukraine.
Details of the Exploit Chain
The six-vulnerability chain starts with a remote code execution exploit against JavaScriptCore, the JavaScript engine used by Safari and WebKit. It then proceeds through two sandbox escapes and a privilege escalation before executing a payload that gives the attacker complete control of the device.
Among these vulnerabilities, CVE-2026-20700 involves a PAC bypass in Apple’s dynamic linker dyld, which wasn’t patched until iOS 26.3 after being reported by GTIG.
Post-Exploitation Malware Families
Following a successful DarkSword attack, three distinct malware families have been identified: GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE. Each is designed for specific threat actor objectives.
GHOSTKNIFE, used by the threat group UNC6748 through a fake Snapchat site, serves as a JavaScript backdoor for extracting account information, messages, and other data. It uses encrypted communication to avoid detection.
GHOSTSABER, deployed by the Turkish firm PARS Defense, can execute over 15 commands, including data extraction and real-time geolocation, although some features require additional modules.
GHOSTBLADE, linked to the Russian espionage actor UNC6353, focuses on comprehensive data collection, gathering extensive information without establishing persistence on the device. Its code hints at future capabilities through an unimplemented function named startSandworm().
UNC6748 delivered DarkSword through a disguised Snapchat site that served obfuscated JavaScript loaders, while PARS Defense hardened its delivery against analysis by encrypting the exploit stages.
In conclusion, the DarkSword iOS exploit poses a significant threat to iPhone security, emphasizing the need for users to remain vigilant and for developers to address such vulnerabilities promptly.
