INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
DarkSword Exploit Kit Targets iOS Devices
2026-03-19 09:14 | Severity: CRITICAL / MEDIUM
Executive Summary (AI-generated)
The DarkSword exploit kit has been used in distinct campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine. The kit targets iPhones running iOS versions between 18.4 and 18.7 and has been deployed by UNC6353, a suspected Russian espionage group whose motives align with Russian intelligence requirements. Lookout has assessed that the group may be a Russia-backed privateer or criminal proxy that lacks strong engineering resources or proper OPSEC measures. The kit's capabilities include cryptocurrency theft and intelligence gathering, making it a sophisticated threat. DarkSword is also linked to the Coruna exploit kit and to payloads such as GHOSTSABER, which have been used in previous campaigns.
Technical Mitigations (AI-generated)
* Implement a secure boot mechanism to ensure that the iOS device boots with a trusted and validated kernel, preventing exploitation of vulnerabilities before they can be patched.
* Regularly update and patch all software components, including operating systems, apps, and plugins, to prevent exploitation of known vulnerabilities.
* Harden web browsing by disabling JavaScript and other potentially vulnerable features in Safari or Chrome, and use a hardened browser such as Tor Browser for sensitive activities.
* Implement a robust anti-malware solution that includes real-time detection and removal of threats, including those related to the DarkSword exploit kit.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Campaign Expands Across
CVE-2025-14174
CVE-2025-31277
CVE-2025-43510
CVE-2025-43520
CVE-2026-20700
CVE-2025-43529
Target & Sectors
NORTH_AMERICA
APAC
Incident Timeline
November 2025
DarkSword iOS Exploit Kit uses six flaws, including CVE-2026-20700 and CVE-2025-43529.
tactic: Exfiltration
Activity associated with Turkish commercial surveillance vendor PARS Defense that used DarkSword in November 2025 to deliver GHOSTSABER, a JavaScript backdoor that communicates with an external server to facilitate device and account enumeration, file listing, data exfiltration, and the execution of arbitrary JavaScript code.
tactic: T1059.007 - JavaScript
The use of DarkSword has also been linked to two other threat actors - UNC6748, which targeted Saudi Arabian users in November 2025 using a Snapchat-themed website, snapshare[.]chat, that leveraged the exploit chain to deliver GHOSTKNIFE, a JavaScript backdoor capable of information theft.
organisation: GHOSTSABER
organisation: UNC6748
source_region: Saudi Arabia
Multiple Sophisticated (and Less Sophisticated) Attackers
Google covered one campaign from November 2025, where Saudi Arabian users were targeted by a phony website promising secure Snapchat messaging.
organisation: GHOSTKNIFE
infrastructure: iOS
The kit is designed to target iPhones running iOS versions between iOS 18.4 and 18.7, and is said to have been deployed by a suspected Russian espionage group named UNC6353 in attacks targeting Ukrainian users.
The discovery of DarkSword makes it the second iOS exploit kit, after Coruna, to be discovered within the span of a month.
The exploit chain linked to the newly discovered kit makes use of six different vulnerabilities to deploy three payloads, out of which CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174 were exploited as zero-days, prior to them being patched by Apple:
* CVE-2025-31277 - Memory corruption vulnerability in JavaScriptCore (patched in version 18.6)
* CVE-2026-20700 - User-mode Pointer Authentication Code (PAC) bypass in dyld (patched in version 26.3)
* CVE-2025-43529 - Memory corruption vulnerability in JavaScriptCore (patched in versions 18.7.3 and 26.2)
* CVE-2025-14174 - Memory corruption vulnerability in ANGLE (patched in versions 18.7.3 and 26.2)
* CVE-2025-43510 - Memory management vulnerability in the iOS kernel (patched in versions 18.7.2 and 26.1)
* CVE-2025-43520 - Memory corruption vulnerability in the iOS kernel (patched in versions 18.7.2 and 26.1)
Lookout said it discovered DarkSword after analyzing malicious infrastructure associated with UNC6353, identifying that one of the compromised domains hosted a malicious iFrame element responsible for loading JavaScript that fingerprints devices visiting the site and determines whether the target should be routed to the iOS exploit chain.
What made this notable was that the JavaScript was specifically looking for iOS devices running versions between 18.4 and 18.6.2, unlike Coruna, which targeted older iOS versions from 13.0 through 17.2.1.
iVerify, in its own analysis of DarkSword, said the exploit chain weaponizes JavaScriptCore JIT vulnerabilities in the Safari renderer process (CVE-2025-31277 or CVE-2025-43529, depending on the iOS version) to achieve remote code execution via CVE-2026-20700, and then escapes the sandbox via the GPU process by taking advantage of CVE-2025-14174 and CVE-2025-43510.
Further analysis of the JavaScript files used in DarkSword found references to iOS versions 17.4.1 and 17.5.1, indicating that the kit was ported from a previous version targeting older versions of the operating system.
This indicates that the hacking group is likely well-funded enough to secure high-quality iOS exploit chains, which are likely developed for commercial surveillance.
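As an added example (not code from the page or from Lookout, iVerify or GTIG), the following Python checks an inventory of reported iOS versions against the six fix versions listed above and the 18.4 to 18.6.2 window the kit's fingerprinting script selects. It assumes that a device on the 26.x line is already past the 18.6 fix, and the device ids and versions in the sample inventory are constructed.

```python
# Added example, not from the page: triage reported iOS versions against the
# DarkSword fix versions the page lists. Sample inventory data is constructed.
from __future__ import annotations

# Fix versions per CVE, as stated on the page. Two release lines (18.x and 26.x)
# received separate fixes, so a CVE may have more than one fix version.
FIXED_IN = {
    "CVE-2025-31277": ["18.6"],
    "CVE-2026-20700": ["26.3"],
    "CVE-2025-43529": ["18.7.3", "26.2"],
    "CVE-2025-14174": ["18.7.3", "26.2"],
    "CVE-2025-43510": ["18.7.2", "26.1"],
    "CVE-2025-43520": ["18.7.2", "26.1"],
}

# Version window the kit's landing-page JavaScript looks for, per the page.
TARGET_MIN, TARGET_MAX = "18.4", "18.6.2"


def parse_version(v: str) -> tuple[int, ...]:
    """'18.7.2' -> (18, 7, 2). Missing components compare as 0, so '18.6' == '18.6.0'."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(device: str, cve: str) -> bool:
    """A device is patched if it is at or past a fix in its own release line, or on a
    newer release line than one of the fixes (assumption: 26.x already carries the
    18.6 fix). Note that 18.7.3 is NOT past the 26.3-only fix for CVE-2026-20700."""
    dev = parse_version(device)
    for fix in FIXED_IN[cve]:
        f = parse_version(fix)
        if dev[0] > f[0] or (dev[0] == f[0] and dev >= f):
            return True
    return False


def unpatched_cves(device: str) -> list[str]:
    """CVEs from the DarkSword chain that remain unfixed on this iOS version."""
    return [cve for cve in FIXED_IN if not is_patched(device, cve)]


def in_fingerprint_window(device: str) -> bool:
    """True if the version is inside the range the kit's fingerprinting script targets."""
    dev = parse_version(device)
    return parse_version(TARGET_MIN) <= dev <= parse_version(TARGET_MAX)


def triage(inventory: dict[str, str]) -> dict[str, dict]:
    """Map device id -> {'unpatched': [...], 'in_window': bool} for an MDM-style export."""
    return {
        dev_id: {"unpatched": unpatched_cves(ver), "in_window": in_fingerprint_window(ver)}
        for dev_id, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory (device id -> reported iOS version), not real data.
    sample = {"phone-01": "18.6.1", "phone-02": "18.7.2", "phone-03": "26.2", "phone-04": "26.3"}
    for dev_id, result in triage(sample).items():
        print(dev_id, sample[dev_id], result)
```

A device that is "in_window" with an empty "unpatched" list cannot occur with the listed fixes; a device outside the window but still unpatched for CVE-2026-20700 (e.g. 18.7.2) is the case fleet reporting based only on the window would miss.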
"The complete lack of obfuscation in DarkSword code, the lack of obfuscation in the HTML for the iframes, and the fact that the DarkSword File Receiver is so simply designed and obviously named lead us to believe that UNC6353 may not have access to strong engineering resources or, alternatively, is not concerned with taking appropriate OPSEC measures."
Following a successful privilege escalation, an orchestrator module is used to load additional components that are designed to harvest sensitive data, as well as inject an exfiltration payload into SpringBoard to siphon the staged information to an external server over HTTP(S).
As is the case with Coruna, the attack chain begins when a user visits via Safari a web page that embeds the iFrame containing JavaScript.
organisation: Lookout
"DarkSword aims to extract an extensive set of personal information, including credentials from the device and specifically targets a plethora of crypto wallet apps, hinting at a financially motivated threat actor," Lookout said.
Once launched, DarkSword is capable of breaking the confines of the WebContent sandbox (aka Safari's renderer process) and leveraging WebGPU to inject into mediaplaybackd, a system daemon introduced by Apple to handle media playback functions.
This includes emails, iCloud Drive files, contacts, SMS messages, Safari browsing history and cookies, cryptocurrency wallet and exchange data, usernames, passwords, photos, call history, Wi-Fi configuration and passwords, location history, calendar, cellular and SIM information, installed app list, data from Apple apps like Notes and Health, and message histories from apps like Telegram and WhatsApp.
at least November 2025
The threat actors used the DarkSword iOS exploit kit to target devices since at least November 2025.
A new exploit kit for Apple iOS devices designed to steal sensitive data is being wielded by multiple threat actors since at least November 2025, according to reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout.
[Figure: Loading the right exploit script based on the detected iOS version. Source: Lookout]
DarkSword attacks
In a report today, Google Threat Intelligence Group (GTIG) says that DarkSword has been used since at least November 2025 by several threat actors, who deployed three separate malware families:
* GHOSTBLADE, a dataminer in JavaScript that steals a swath of information, including crypto wallet data, system and connectivity info, browser history, photos, location and mobility, and communication data from iMessage, Telegram, WhatsApp, email, calls, and contacts
* GHOSTKNIFE, a backdoor that can exfiltrate various types of data (signed-in accounts, messages, browser data, location history, recordings)
* GHOSTSABER, a JavaScript backdoor that can enumerate devices and accounts, list files, execute JavaScript code, and steal data
The first adversary observed using the exploit chain is UNC6748, in attacks targeting Saudi Arabian users via a website impersonating Snapchat.
Google's Threat Intelligence Group (GTIG) referred to it in a blog post as a "full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices," one that has been used by multiple commercial surveillance vendors and suspected state-sponsored threat actors to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
source_region
Malaysia
Google's Threat Intelligence Group (GTIG)
referred to it in a blog post
as a "full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices," and has been used by multiple commercial surveillance vendors and suspected state-sponsored threat actors to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
source_region
Ukraine
Google's Threat Intelligence Group (GTIG)
referred to it in a blog post
as a "full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices," and has been used by multiple commercial surveillance vendors and suspected state-sponsored threat actors to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
attribution
Threat Intelligence Group
Google's Threat Intelligence Group (GTIG)
referred to it in a blog post
as a "full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices," and has been used by multiple commercial surveillance vendors and suspected state-sponsored threat actors to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
tactic
T1059.007 - JavaScript
late November 2025
In late November 2025 the DarkSword iOS exploit kit, which chains six flaws including three zero-days, was used against devices running iOS 18.4-18.7 in activity associated with PARS Defense, a Turkish commercial surveillance vendor.
infrastructure
Ios
GTIG says that in late November 2025, DarkSword was used in Turkey, in activity associated with PARS Defense, a Turkish commercial surveillance vendor, on devices running iOS 18.4-18.7.
December 2025
In December 2025, UNC6353 started leveraging DarkSword exploits; the observed UNC6353 use only supported iOS 18.4 to 18.6, and the combined attacks likely affect hundreds of millions of unpatched devices running iOS versions from 13 to 18.6.2.
infrastructure
Ios
Google said the observed UNC6353 use of DarkSword in December 2025 only supported iOS versions from 18.4 to 18.6, while that attributed to UNC6748 and PARS Defense also targeted iOS devices running version 18.7.
The combined attacks now likely affect hundreds of millions of unpatched devices running iOS versions from 13 to 18.6.2.
"In both instances, the tools were discovered due to significant operational security (OPSEC) failures and carelessness in the deployment of the iOS offensive capabilities.
These recent events prompt several key questions: How big and well-equipped is the market for iOS 0-day and n-day exploits for iOS devices?"
target_region
Ukraine
UNC6353, a suspected Russian espionage actor, has been using the Coruna exploit kit since last summer, and in December 2025 started leveraging DarkSword exploits against Ukrainian targets.
March 2026
The activity continued through March 2026 in watering hole attacks that used compromised websites to deploy the GHOSTBLADE malware, which exfiltrates data from compromised targets.
organisation
GHOSTBLADE
The activity continued through March 2026 in watering hole attacks with compromised websites that deploy the GHOSTBLADE malware to exfiltrate data from compromised targets.
2026/03/18
DarkSword attacks exploited multiple vulnerabilities in iOS devices.
March 18
The DarkSword iOS exploit kit used six vulnerabilities and three zero-day exploits to target Apple devices.
attribution
the Google Threat Intelligence Group
[March 18, 11:39]: Article updated with information from the Google Threat Intelligence Group about the DarkSword exploit kit, available to BleepingComputer after publishing time.
the 2020s
Rocky Cole, co-founder and COO of iVerify, says the attackers' poor operational security (OPSEC) is "unprecedented in the 2020s."
organisation
COO
Rocky Cole, iVerify's co-founder and chief operating officer (COO), says this poor level of OPSEC is "unprecedented in the 2020s."
2026/03/19
DarkSword targets iPhones running iOS 18.4 through 18.7 and is linked to multiple actors, including UNC6353, suspected to be Russian who used the Coruna exploit chain.
organisation
Google
Earlier this year, Google researchers noticed DarkSword being used in Malaysia by another PARS Defense customer delivering the GHOSTSABER backdoor.
Google, iVerify, and Lookout this week published research concerning "DarkSword," an exploit chain targeting iPhones running iOS versions 18.4 through 18.7.
This vulnerability was reported to Google (the developers of ANGLE) by Apple and GTIG, and was patched in Safari with the release of iOS 18.7.3 and 26.2.
infrastructure
Ios
Malicious iframe on a Ukrainian government site
Source: Lookout
The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, and then activates data-stealing modules (e.g., GHOSTBLADE) that collect the following information:
Saved passwords
Photos, including screenshots and hidden image files
WhatsApp and Telegram databases
Cryptocurrency wallets (Coinbase, Binance, Ledger, and others)
DarkSword targets iPhones running iOS 18.4 through 18.7 and is linked to multiple actors, including UNC6353, suspected to be Russian, who used the Coruna exploit chain disclosed earlier this month.
A new iOS exploit chain is being used by attackers around the globe, and it's built for espionage actors and financially motivated attackers alike.
DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover.
It follows two weeks behind the disclosure of a similar attack, dubbed "Coruna," in which a financially motivated criminal group leveraged tools developed by a spyware vendor to mass target iOS devices.
The vulnerabilities include JavaScriptCore memory corruption flaws CVE-2025-31277 and CVE-2025-43529, dyld user-mode pointer authentication code bypass CVE-2026-20700, ANGLE memory corruption flaw CVE-2025-14174, iOS kernel memory management flaw CVE-2025-43510, and iOS kernel memory corruption bug CVE-2025-43520.
And indeed, iVerify's blog post notes that in the case of Coruna and DarkSword, the tools were discovered due to significant operational security (OPSEC) failures and carelessness in deploying iOS offensive capabilities.
"These recent events prompt several key questions: How big and well equipped is the market for iOS zero-day and n-day exploits for iOS devices?"
A Challenging Outlook for the Future of iOS Exploit Chains
Although all vulnerabilities have been addressed by software updates — iPhone users should update to iOS 18.7.6 or iOS 26.3.1 — iVerify estimated that more than 200 million users may still be vulnerable.
Matthias Frielingsdorf, co-founder and VP of research at iVerify, tells Dark Reading that DarkSword shows that even with automatic updates and the like, a large number of iOS users remain vulnerable.
iVerify's findings indicate that all flaws (sandbox escape, privilege escalation, remote code execution) exploited in this exploit chain are known or documented, and Apple has already addressed them in the latest iOS releases.
New “Darksword” iOS exploit used in infostealer attack on iPhones.
A new exploit kit for iOS devices and delivery framework dubbed “DarkSword” has been used to steal a wide range of personal information, including data from cryptocurrency wallet apps.
An observation from Google researchers is that although "earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline."
Actors using the DarkSword iOS exploit kit
source: GTIG
According to Lookout researchers, both Coruna and DarkSword exhibit signs of codebase expansion using large language model (LLM) assistance.
iPhone users are recommended to upgrade to iOS 26.3.1 (latest), released earlier this month, and enable Lockdown Mode if at high risk of being targeted by malware.
For those using older devices that don't qualify for an update to the latest iOS version, Apple may backport fixes as it did with the Coruna exploits, but this hasn't been confirmed yet.
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors.
For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6.
For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG.
This vulnerability was patched by Apple in iOS 26.3 after being reported by GTIG.
This vulnerability was reported to Google (the developers of ANGLE) by Apple and GTIG, and was patched in Safari with the release of iOS 18.7.3 and 26.2.
This vulnerability was patched by Apple in iOS 18.7.2 and 26.1.
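To turn the version-specific fix information above into something a fleet administrator can act on, here is an added Python example (not code from GTIG, Lookout, iVerify or Apple) that checks reported iOS versions against the fix releases the text names. The fix table and the 18.4-18.7 exploit-support range are taken from this page; CVE-2025-43510, CVE-2025-43520 and CVE-2026-20700 are left out because the page does not pair them with a specific release. The rule that a newer major branch inherits an older branch's fix is an assumption, as are the device ids and versions in the sample inventory.

```python
"""Fleet patch check against the iOS fix releases named in the DarkSword reporting.
Added example, not code from GTIG, Lookout, iVerify or Apple. Fix versions come from
the page text; the branch-inheritance rule below is our own assumption."""
from __future__ import annotations

# CVE -> fix releases stated on the page, one per major branch where the page gives one.
# CVE-2025-43510, CVE-2025-43520 and CVE-2026-20700 are deliberately absent: the page
# does not tie them to a specific release, so we do not guess.
FIXES = {
    "CVE-2025-31277": [(18, 6)],               # JSC JIT type confusion, fixed in iOS 18.6
    "CVE-2025-43529": [(18, 7, 3), (26, 2)],   # JSC DFG GC bug, fixed in 18.7.3 / 26.2
    "CVE-2025-14174": [(18, 7, 3), (26, 2)],   # ANGLE, fixed in Safari with 18.7.3 / 26.2
}
# Releases the page tells users to be on.
CURRENT = [(18, 7, 6), (26, 3, 1)]
# The exploit chain supports iOS 18.4 through 18.7 (compared on major.minor).
KIT_RANGE = ((18, 4), (18, 7))


def parse_version(text: str) -> tuple[int, ...]:
    """'18.7.3' -> (18, 7, 3). Non-numeric components raise ValueError."""
    return tuple(int(p) for p in text.strip().split("."))


def _key(v: tuple[int, ...]) -> tuple[int, int, int]:
    """Pad to three components so (18, 6) and (18, 6, 0) compare equal."""
    return tuple(v + (0,) * (3 - len(v)))[:3]


def is_patched(version: tuple[int, ...], fixes: list[tuple[int, ...]]) -> bool:
    """True when `version` is at or above the fix release for its major branch.
    Assumption (ours): a branch newer than every listed fix branch carries the fix;
    an older unlisted branch is treated as unpatched."""
    same_branch = [f for f in fixes if f[0] == version[0]]
    if same_branch:
        return _key(version) >= _key(min(same_branch, key=_key))
    return version[0] > max(f[0] for f in fixes)


def in_kit_range(version: tuple[int, ...]) -> bool:
    """Whether major.minor falls inside the 18.4-18.7 range the chain supports."""
    lo, hi = KIT_RANGE
    return lo <= _key(version)[:2] <= hi


def assess(version_text: str) -> dict:
    """Summarise one device's exposure against the fixes the page names."""
    v = parse_version(version_text)
    unpatched = [cve for cve, fixes in FIXES.items() if not is_patched(v, fixes)]
    return {
        "version": version_text,
        "in_kit_range": in_kit_range(v),
        "unpatched": unpatched,
        "fully_updated": is_patched(v, CURRENT),
    }


def fleet_report(inventory: list[tuple[str, str]]) -> list[dict]:
    """Assess (device_id, version) pairs, most exposed first."""
    rows = [{"device": dev, **assess(ver)} for dev, ver in inventory]
    return sorted(rows, key=lambda r: (-len(r["unpatched"]), not r["in_kit_range"], r["device"]))


# Constructed inventory: device ids and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("phone-01", "18.5"),
    ("phone-02", "18.7.3"),
    ("phone-03", "26.1"),
    ("phone-04", "26.3.1"),
]

if __name__ == "__main__":
    for row in fleet_report(SAMPLE_INVENTORY):
        print(row)
```

Feed it a real MDM export in place of SAMPLE_INVENTORY. A device with an empty unpatched list but fully_updated false is patched against the three bugs the page ties to releases, yet still below the release the page recommends, which is the state the text describes for the remaining CVEs.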
organisation
UNC6353
One of the most interesting threat actors utilizing DarkSword is UNC6353, a suspected Russian espionage group that previously also used the similar Coruna exploit.
Remote Code Execution Exploits
GTIG observed two different JavaScriptCore (the JavaScript engine used in WebKit and Apple's Safari browser) vulnerabilities exploited for remote code execution by DarkSword.
DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike.
organisation
Lookout
Lookout's research noted that despite being an espionage actor, no attempts were made to obfuscate the exploit chain or implant code, and that an "analysis of patterns suggests that LLMs were used in the creation of at least some of the implant code."
The DarkSword exploit kit uses six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
To bypass this limitation, DarkSword uses another sandbox escape exploit, sbx1_main.js, which leverages CVE-2025-43510, a memory management vulnerability in XNU.
"Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim," GTIG notes.
It is unknown how the websites that launched these attacks were compromised in the first place, but the threat actors had sufficient rights to inject malicious iframes into the HTML code of these sites.
"Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim," GTIG notes.
Local Privilege Escalation and Final Payload
Finally, the exploit loaded one last module, pe_main.js.
This uses CVE-2025-43520, a kernel-mode race condition in XNU's virtual filesystem (VFS) implementation, which can be exploited to build physical and virtual memory read/write primitives.
We assess that GHOSTBLADE was likely developed by the DarkSword developers, based on the consistency in coding styles and the tight integration between it and the library code, which is notably distinct from how GHOSTKNIFE and GHOSTSABER leveraged these libraries.
GTIG said the exploit chain utilizes several vulnerabilities and, depending on the attack, three distinct malware families it tracks as Ghostblade, Ghostknife, and Ghostsaber.
DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike.
Both vulnerabilities were directly chained with CVE-2026-20700, a bug in dyld used as a user-mode Pointer Authentication Codes (PAC) bypass to execute arbitrary code, as required by the subsequent exploit stages.
This exploit leverages CVE-2025-14174, a vulnerability in ANGLE where parameters were not sufficiently validated in a specific WebGL operation, leading to out-of-bounds memory operations in Safari's GPU process which the DarkSword developers use to execute arbitrary code within the GPU process.
DarkSword uses two separate sandbox escape vulnerabilities, first by pivoting out of the WebContent sandbox into the GPU process, and then by pivoting from the GPU process to mediaplaybackd.
Pete Luban, field chief information security officer (CISO) at AttackIQ, tells Dark Reading that there is some precedent for this on the surface; once a sophisticated chain gets exposed somehow, it can be repurposed by those looking to get a payout.
"Defenders need to treat mobile zero-days like enterprise-grade intrusion paths, which includes validating controls continuously and not assuming an intrusion will stay inside the box it's labeled with," he says.
Additionally, the libraries in GHOSTBLADE contained a reference to a function called startSandworm() which was not implemented within it; we suspect this may be a codename for a different exploit.
Address book
Call history
Location history
Browser history
Cookies
Wi-Fi history and passwords
Apple Health data
Calendar
Notes
Installed applications
Connected accounts
Notably, DarkSword wipes temporary files and exits when the above is exfiltrated to the threat actors, indicating that it was not designed for long-term surveillance operations.
The same sandbox escape exploits were used regardless of which RCE exploit was needed.
WebContent Sandbox Escape
As previously discussed by Project Zero and others, Safari's renderer process (known as WebContent) is tightly sandboxed to limit the blast radius of any vulnerabilities it may contain, since it is the most accessible to untrusted user content.
The exploit contains a suite of library classes building on top of their primitives that are used by the different post-exploitation payloads, such as Native, which provides abstractions for manipulating raw memory and calling native functions, and FileUtils, which provides a POSIX-like filesystem API.
Artifacts left behind from the Webpack process applied to the analyzed GHOSTBLADE sample included file paths that show the structure on disk of these libraries (Figure 22).
The kit is designed to target iPhones running iOS versions between 18.4 and 18.7, and is said to have been deployed by a suspected Russian espionage group named UNC6353 in attacks targeting Ukrainian users.
DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover.
A new exploit kit for Apple iOS devices, designed to steal sensitive data from them, has been wielded by multiple threat actors since at least November 2025, according to reports from Google Threat Intelligence Group (GTIG), iVerify, and Lookout.
The discovery of DarkSword makes it the second iOS exploit kit, after Coruna, to be discovered within the span of a month.
The exploit chain linked to the newly discovered kit makes use of six different vulnerabilities to deploy three payloads, out of which CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174 were exploited as zero-days, prior to them being patched by Apple:
- CVE-2025-31277 - Memory corruption vulnerability in JavaScriptCore (Patched in version 18.6)
- CVE-2026-20700 - User-mode Pointer Authentication Code (PAC) bypass in dyld (Patched in version 26.3)
- CVE-2025-43529 - Memory corruption vulnerability in JavaScriptCore (Patched in versions 18.7.3 and 26.2)
- CVE-2025-14174 - Memory corruption vulnerability in ANGLE (Patched in versions 18.7.3 and 26.2)
- CVE-2025-43510 - Memory management vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)
- CVE-2025-43520 - Memory corruption vulnerability in the iOS kernel (Patched in versions 18.7.2 and 26.1)
Lookout said it discovered DarkSword after an analysis of malicious infrastructure associated with UNC6353, identifying that one of the compromised domains hosted a malicious iframe element responsible for loading JavaScript that fingerprints devices visiting the site and determines whether the target needs to be routed to the iOS exploit chain.
What made this notable was that the JavaScript was specifically looking for iOS devices running versions between 18.4 and 18.6.2, unlike Coruna, which targeted older iOS versions from 13.0 through 17.2.1.
iVerify, in its own analysis of DarkSword, said the exploit chain weaponizes JavaScriptCore JIT vulnerabilities in the Safari renderer process (CVE-2025-31277 or CVE-2025-43529) based on the iOS version to achieve remote code execution via CVE-2026-20700, and then escape the sandbox via the GPU process by taking advantage of CVE-2025-14174 and CVE-2025-43510.
"Further analysis of the JavaScript files used in DarkSword has been found to contain references to iOS versions 17.4.1 and 17.5.1, indicating that the kit was ported from a previous version targeting older versions of the operating system.
This indicates that the hacking group is likely well-funded to secure high-quality iOS exploit chains that are likely developed for commercial surveillance.
Google said the observed UNC6353 use of DarkSword in December 2025 only supported iOS versions from 18.4 to 18.6, while that attributed to UNC6748 and PARS Defense also targeted iOS devices running version 18.7.
The combined attacks now likely affect hundreds of millions of unpatched devices running iOS versions from 13 to 18.6.2."
"In both instances, the tools were discovered due to significant operational security (OPSEC) failures and carelessness in the deployment of the iOS offensive capabilities. These recent events prompt several key questions: How big and well-equipped is the market for iOS 0-day and n-day exploits for iOS devices?"
A new iOS exploit chain is being used by attackers around the globe, and it's built for espionage actors and financially motivated attackers alike.
Google, iVerify, and Lookout this week published research concerning "DarkSword," an exploit chain targeting iPhones running iOS versions 18.4 through 18.7.
It follows two weeks behind the disclosure of a similar attack, dubbed "Coruna," in which a financially motivated criminal group leveraged tools developed by a spyware vendor to mass target iOS devices.
The vulnerabilities include JavaScriptCore memory corruption flaws CVE-2025-31277 and CVE-2025-43529, dyld user-mode pointer authentication code bypass CVE-2026-20700, ANGLE memory corruption flaw CVE-2025-14174, iOS kernel memory management flaw CVE-2025-43510, and iOS kernel memory corruption bug CVE-2025-43520.
And indeed, iVerify's blog post notes that in the case of Coruna and DarkSword, the tools were discovered due to significant operational security (OPSEC) failures and carelessness in deploying iOS offensive capabilities.
"These recent events prompt several key questions: How big and well equipped is the market for iOS zero-day and n-day exploits for iOS devices?"
A Challenging Outlook for the Future of iOS Exploit Chains
Although all vulnerabilities have been addressed by software updates — iPhone users should update to iOS 18.7.6 or iOS 26.3.1 — iVerify estimated that more than 200 million users may still be vulnerable.
Matthias Frielingsdorf, co-founder and VP of research at iVerify, tells Dark Reading that DarkSword shows that even with automatic updates and the like, a large number of iOS users remain vulnerable.
DarkSword targets iPhones running iOS 18.4 through 18.7 and is linked to multiple actors, including UNC6353, suspected to be Russian, who used the Coruna exploit chain disclosed earlier this month.
iVerify's findings indicate that all flaws (sandbox escape, privilege escalation, remote code execution) exploited in this exploit chain are known or documented, and Apple has already addressed them in the latest iOS releases.
New “Darksword” iOS exploit used in infostealer attack on iPhones.
A new exploit kit for iOS devices and delivery framework dubbed “DarkSword” has been used to steal a wide range of personal information, including data from cryptocurrency wallet apps.
Figure: Loading the right exploit script based on the detected iOS version (Source: Lookout)
DarkSword attacks
In a report today, Google Threat Intelligence Group (GTIG) says that DarkSword has been used since at least November 2025 by several threat actors, who deployed three separate malware families:
GHOSTBLADE, a dataminer in JavaScript that steals a swath of information, including crypto wallet data, system and connectivity info, browser history, photos, location and mobility, communication data from iMessage, Telegram, WhatsApp, email, calls, and contacts
GHOSTKNIFE, a backdoor that can exfiltrate various types of data (signed-in accounts, messages, browser data, location history, recordings)
GHOSTSABER, a JavaScript backdoor that can enumerate devices and accounts, list files, execute JavaScript code, and steal data
The first adversary observed using the exploit chain is UNC6748, in attacks targeting Saudi Arabian users via a website impersonating Snapchat.
GTIG says that in late November 2025, DarkSword was used in Turkey, in activity associated with PARS Defense, a Turkish commercial surveillance vendor, on devices running iOS 18.4-18.7.
An observation from Google researchers is that although "earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline."
Figure: Actors using the DarkSword iOS exploit kit (Source: GTIG)
According to Lookout researchers, both Coruna and DarkSword exhibit signs of codebase expansion using large language model (LLM) assistance.
Figure: Malicious iframe on a Ukrainian government site (Source: Lookout)
The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi-Fi, Springboard, Keychain, and iCloud, and then activates data-stealing modules (e.g., GHOSTBLADE) that collect the following information:
Saved passwords
Photos, including screenshots and hidden image files
WhatsApp and Telegram databases
Cryptocurrency wallets (Coinbase, Binance, Ledger, and others)
iPhone users are recommended to upgrade to iOS 26.3.1 (latest), released earlier this month, and enable Lockdown Mode if at high risk of being targeted by malware.
For those using older devices that don’t qualify for an update to the latest iOS version, Apple may backport fixes as it did with the Coruna exploits, but this hasn’t been confirmed yet.
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors.
For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6.
For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG.
This vulnerability was patched by Apple in iOS 26.3 after being reported by GTIG.
This vulnerability was reported to Google (the developers of ANGLE) by Apple and GTIG, and was patched in Safari with the release of iOS 18.7.3 and 26.2.
This vulnerability was patched by Apple in iOS 18.7.2 and 26.1.
Intelligence Sources
The Hacker News (2026-03-19)
Dark Reading (2026-03-18)
BleepingComputer (2026-03-18): New “Darksword” iOS exploit used in infostealer attack on iPhones
Mandiant (2026-03-18)
Last Updated: 2026-04-27T11:08