Timeline of DarkSword observations and vulnerability patches | Image: GTIG
In a comprehensive technical disclosure, the Google Threat Intelligence Group (GTIG) has revealed the existence of a highly sophisticated iOS full-chain exploit dubbed DarkSword. Active since at least November 2025, the exploit kit has been weaponized by a diverse array of commercial surveillance vendors and state-sponsored actors to achieve total device compromise across multiple continents.
DarkSword was not limited to a single region or objective. GTIG researchers observed the exploit chain being deployed in distinct campaigns targeting individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine.
The versatility of the kit is evidenced by its wide support for iOS versions 18.4 through 18.7. By leveraging a complex sequence of six different vulnerabilities, attackers were able to bypass the platform’s robust security layers to deploy final-stage spyware.
| Exploit Module | CVE | Description | Exploited as a Zero-Day | Patched in iOS Version(s) |
|---|---|---|---|---|
| rce_module.js | CVE-2025-31277 | Memory corruption vulnerability in JavaScriptCore | No | 18.6 |
| rce_worker_18.4.js | CVE-2026-20700 | User-mode Pointer Authentication Code (PAC) bypass in dyld | Yes | 26.3 |
| rce_worker_18.6.js, rce_worker_18.7.js | CVE-2025-43529 | Memory corruption vulnerability in JavaScriptCore | Yes | 18.7.3, 26.2 |
| rce_worker_18.6.js, rce_worker_18.7.js | CVE-2026-20700 | User-mode Pointer Authentication Code (PAC) bypass in dyld | Yes | 26.3 |
| sbox0_main_18.4.js, sbx0_main.js | CVE-2025-14174 | Memory corruption vulnerability in ANGLE | Yes | 18.7.3, 26.2 |
| sbx1_main.js | CVE-2025-43510 | Memory management vulnerability in the iOS kernel | No | 18.7.2, 26.1 |
| pe_main.js | CVE-2025-43520 | Memory corruption vulnerability in the iOS kernel | No | 18.7.2, 26.1 |
“The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.”
DarkSword is a masterclass in exploit engineering, utilizing a “full-chain” approach to move from initial web-based contact to kernel-level execution. Once a victim is lured to a compromised site or “watering hole,” the engine executes a series of maneuvers to strip away the device’s defenses.
Following a successful compromise, researchers identified three distinct malware families that could be delivered:
- GHOSTBLADE
- GHOSTKNIFE
- GHOSTSABER
These payloads are designed for deep-level surveillance, capable of exfiltrating encrypted messages, monitoring real-time locations, and accessing the device’s microphone and camera.
One of the most concerning findings in the report is the shared toolmarks discovered within the recovered payloads. This suggests that while different actors are pulling the trigger, they are often buying their ammunition from the same “commercial surveillance vendors.”
“GTIG reported the vulnerabilities used in DarkSword to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3.”
The shift toward these modular, “off-the-shelf” exploit kits allows less-sophisticated actors to wield nation-state-level power, significantly complicating the task of attribution and defense.
To protect your mobile fleet, security experts recommend:
- Immediate Updates: Ensure all iOS devices are updated to version 26.3 or later.
- Enable Lockdown Mode: For high-risk individuals, Apple's "Lockdown Mode" provides extreme protections that can block most complex web-based exploit chains.
- App Hygiene: Avoid clicking links in unsolicited messages or visiting niche forums that may serve as watering holes for targeted groups.
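For a fleet administrator, the table above and the "update to 26.3 or later" recommendation translate into a concrete check: which managed devices still lack a fix for any of the six DarkSword CVEs, and which of them run a build the kit explicitly supports. The script below is an added example, not code from GTIG or from the article. The CVE list and fix versions are transcribed from the table; the device names and versions in `SAMPLE_INVENTORY` are constructed. It assumes that a device on a newer major line than every listed fix (for example 26.x against the 18.6-only fix for CVE-2025-31277) carries that fix, and that a device on an older line with no backport listed (18.x against the 26.3-only fix for CVE-2026-20700) does not.

```python
"""Audit an iOS device inventory against the DarkSword patch table.

Added example, not code from GTIG or the article. The CVE list and fix
versions are transcribed from the article's table; device names and
versions in SAMPLE_INVENTORY are constructed for illustration.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# CVE -> (affected component, iOS versions that carry the fix), from the table.
DARKSWORD_CVES: Dict[str, Tuple[str, List[str]]] = {
    "CVE-2025-31277": ("JavaScriptCore", ["18.6"]),
    "CVE-2026-20700": ("dyld PAC bypass", ["26.3"]),
    "CVE-2025-43529": ("JavaScriptCore", ["18.7.3", "26.2"]),
    "CVE-2025-14174": ("ANGLE", ["18.7.3", "26.2"]),
    "CVE-2025-43510": ("iOS kernel", ["18.7.2", "26.1"]),
    "CVE-2025-43520": ("iOS kernel", ["18.7.2", "26.1"]),
}

# Builds the article says the kit supports: iOS 18.4 through 18.7.
TARGETED_MINORS = range(4, 8)


def parse_version(text: str) -> Version:
    """Turn '18.7.3' or '18.6' into a zero-padded (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_fixed(device: Version, fixes: List[str]) -> bool:
    """Assumed rule: a device is fixed if it is at or above the fix on its own
    major line, or on a major line newer than every listed fix. An older line
    with no backport listed (18.x against a 26.3-only fix) counts as unfixed."""
    fix_versions = [parse_version(f) for f in fixes]
    same_line = [f for f in fix_versions if f[0] == device[0]]
    if same_line:
        return device >= min(same_line)
    return device[0] > max(f[0] for f in fix_versions)


def unpatched_cves(version_text: str) -> List[str]:
    """CVE ids from the DarkSword chain that this iOS build still lacks a fix for."""
    device = parse_version(version_text)
    return [cve for cve, (_, fixes) in DARKSWORD_CVES.items()
            if not is_fixed(device, fixes)]


def in_targeted_range(version_text: str) -> bool:
    """True if the build is one the kit explicitly supports (18.4 through 18.7)."""
    major, minor, _ = parse_version(version_text)
    return major == 18 and minor in TARGETED_MINORS


def audit_fleet(inventory: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Per device: missing CVE fixes, targeted-build flag, and the action to take."""
    report: Dict[str, Dict[str, object]] = {}
    for name, version in inventory.items():
        missing = unpatched_cves(version)
        report[name] = {
            "version": version,
            "missing": missing,
            "targeted_build": in_targeted_range(version),
            "action": "update to iOS 26.3 or later" if missing else "none",
        }
    return report


# Constructed sample inventory (device name -> iOS version reported by MDM).
SAMPLE_INVENTORY = {
    "cfo-iphone": "18.7.2",
    "field-ipad": "18.4.1",
    "exec-iphone": "26.2",
    "helpdesk-loaner": "26.3",
}

if __name__ == "__main__":
    for name, row in audit_fleet(SAMPLE_INVENTORY).items():
        print(f"{name:16} iOS {row['version']:<7} targeted={row['targeted_build']!s:5} "
              f"missing={', '.join(row['missing']) or 'none'}")
```

The point of the version logic is that "18.7.2" is not safe just because it is recent: it closes the two kernel bugs but still lacks the 18.7.3 fixes for JavaScriptCore and ANGLE, and nothing on the 18.x line closes the dyld PAC bypass, which is why the article's recommendation is 26.3 rather than "latest 18.7.x". Devices flagged as both `targeted_build` and missing fixes are the ones to move first.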