iPhones Under Attack: DarkSword Exploit Chain Enables Silent, Full Device Compromise

Over the past few years, mobile threats have become more advanced, more targeted, and much harder to detect. One recent discovery clearly shows how far attackers have come. A newly identified iOS exploit chain, now known as DarkSword, demonstrates how multiple vulnerabilities can be combined to silently take full control of a device.

This exploit chain was uncovered by Google’s Threat Intelligence Group (GTIG), and what makes it particularly concerning is not just its technical complexity, but how widely it is being used. Since late 2025, different surveillance vendors and suspected government-backed groups have been observed using the same framework in separate campaigns across different countries.

Figure: Infection chain. Source: Google.

The affected regions include Saudi Arabia, Turkey, Malaysia, and Ukraine. In each case, the attackers used slightly different methods, but the core exploit remained the same.


What is DarkSword?

DarkSword is not a single vulnerability or malware. Instead, it is a full exploit chain designed to compromise iPhones running iOS versions between 18.4 and 18.7. It relies on six different vulnerabilities, including several zero-days, to move step by step from a simple web interaction to complete system control.

Once the device is compromised, attackers deploy one of several malware families:

  • GHOSTKNIFE
  • GHOSTSABER
  • GHOSTBLADE

Each of these tools is designed for surveillance and data collection, but they differ in how they operate and how much control they provide.

Interestingly, the spread of DarkSword across multiple actors looks very similar to an earlier exploit kit called Coruna. This suggests a growing pattern where advanced exploit frameworks are reused across different groups instead of being built from scratch each time.


How the Attack Works

At a high level, the attack follows a structured path. It usually begins with a malicious website or a compromised page. When a victim visits the page, hidden scripts start running in the background.

The process looks something like this:

First, a small piece of JavaScript checks the device and prepares the environment. Then, it loads additional components through hidden iframes. These components bring in the main exploit loader.

The loader then fetches remote code execution (RCE) exploits from the attacker’s server. Depending on the iOS version, different exploit files are used. Once execution is achieved, the attack moves through sandbox escapes and privilege escalation stages.

Eventually, the attacker gains kernel-level access, which means full control over the device.


Case Study 1: Saudi Arabia Campaign (UNC6748)

One of the earliest observed campaigns involved a threat group labeled UNC6748. They targeted users in Saudi Arabia using a fake Snapchat-themed website.

The attack page was carefully designed. It used obfuscated JavaScript and created hidden frames to load the exploit in stages. A session storage key called “uid” was used to ensure the same user was not infected multiple times.

Another interesting detail is how the attackers forced users into Safari. If a user opened the page in Chrome, the script redirected them using a special protocol so the exploit could run properly.

Over time, the attackers updated their code. They added anti-debugging techniques and improved obfuscation, making analysis more difficult.

The final payload used in this campaign was GHOSTKNIFE.


GHOSTKNIFE Malware Overview

GHOSTKNIFE is a powerful surveillance tool written in JavaScript. It is capable of collecting a wide range of data, including:

  • Messages and communication records
  • Account information
  • Browser activity
  • Location data
  • Audio recordings

It can also download files from its command server, capture screenshots, and record microphone input.

To avoid detection, it regularly deletes crash logs from the system. It also stores stolen data in temporary directories before sending it to its control server.

Communication is encrypted using a combination of ECDH and AES, which makes it harder to intercept.


Case Study 2: Turkey and Malaysia (PARS Defense)

Another set of campaigns was linked to a commercial surveillance vendor known as PARS Defense.

Compared to UNC6748, this group showed better operational security. Their exploit loader was more refined and included encryption for communication between the victim and the server.

They also added more advanced device fingerprinting checks. This helped them avoid wasting exploits on unsupported devices.

In Malaysia, a slightly different version of the loader was used. It included additional checks and fallback redirection logic.

The malware used in these campaigns was GHOSTSABER.


GHOSTSABER Malware Overview

GHOSTSABER works as a backdoor. It communicates with a remote server and executes commands sent by the attacker.

Its capabilities include:

  • Collecting device information
  • Listing installed apps
  • Extracting files
  • Running SQL queries
  • Executing arbitrary JavaScript

Some commands in the code appear incomplete, suggesting that additional modules can be downloaded later to extend its functionality.


Case Study 3: Ukraine Watering Hole Attack (UNC6353)

In Ukraine, a different group called UNC6353 used DarkSword in watering hole attacks. Instead of creating fake websites, they compromised real ones and inserted malicious scripts.

When users visited these sites, a hidden iframe was loaded, which triggered the exploit chain.

Unlike earlier campaigns, this version only supported iOS 18.4 to 18.6. However, the exploit loader was more stable and correctly matched the exploit to the device version.

The payload used here was GHOSTBLADE.


GHOSTBLADE Malware Overview

GHOSTBLADE is mainly focused on collecting data rather than maintaining long-term access.

It gathers:

  • Messages from apps like WhatsApp and Telegram
  • Contact lists and call logs
  • Photos and files
  • Location history
  • Browser data
  • Even cryptocurrency wallet information

After collecting this data, it sends everything to a remote server.

Like GHOSTKNIFE, it also deletes logs to hide its activity. However, it does not appear to run continuously or support additional modules.


Technical Details of the Exploit Chain

DarkSword uses six vulnerabilities to complete the attack. These include issues in:

  • JavaScriptCore (used in Safari)
  • The dyld component (for PAC bypass)
  • ANGLE (GPU-related processing)
  • The iOS kernel

The attack moves through multiple stages:

  • Remote code execution
  • Escaping the browser sandbox
  • Escaping GPU restrictions
  • Gaining kernel-level privileges

One interesting aspect is that the entire chain is written in JavaScript. This removes the need for traditional binary payloads and allows the exploit to run entirely within a web environment.


Patching and Mitigation

GTIG reported these vulnerabilities to Apple in late 2025. Most of them were fixed in earlier updates, and all were fully patched by iOS 26.3.

To stay protected:

  • Users should update to the latest iOS version
  • High-risk individuals should enable Lockdown Mode
  • Suspicious domains should be blocked or monitored
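As an added example (not from the GTIG report or from this article), the following Python script applies the patch guidance above to a device inventory: it parses iOS version strings, flags builds inside the affected 18.4 to 18.7 range, treats only 26.3 and later as fully patched (the report says earlier updates fixed most but not all of the bugs), and recommends Lockdown Mode for high-risk users who have not enabled it. The inventory records and their field names are constructed and are not any MDM product's real schema.

```python
"""Fleet triage against the DarkSword advisory.

Flags devices whose iOS build is in the affected 18.4-18.7 range, reports whether
a build has reached 26.3 (the release the report names as fully patched), and
recommends Lockdown Mode for high-risk users.  The inventory below is constructed
sample data; the record fields are an assumption, not any MDM's real schema.
"""

AFFECTED_MIN = (18, 4)        # from the report: iOS 18.4 ...
AFFECTED_MAX = (18, 7)        # ... through 18.7 is exploitable
FULLY_PATCHED = (26, 3)       # all six bugs fixed by iOS 26.3


def parse_ios_version(text: str) -> tuple:
    """'iOS 18.6.2' -> (18, 6, 2).  Missing minor/patch parts are treated as 0."""
    text = text.strip()
    if text.lower().startswith("ios"):
        text = text[3:].strip()
    parts = [int(p) for p in text.split(".") if p != ""]
    if not parts:
        raise ValueError(f"unparseable iOS version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(version: str) -> str:
    """Map a build to one of three statuses based only on what the report states."""
    major_minor = parse_ios_version(version)[:2]
    if AFFECTED_MIN <= major_minor <= AFFECTED_MAX:
        return "affected"            # inside the exploitable range
    if major_minor >= FULLY_PATCHED:
        return "fully-patched"
    # Outside the affected range but below 26.3: the report says most, not all,
    # of the bugs were fixed in earlier updates, so still recommend updating.
    return "update-recommended"


def triage(inventory: list) -> list:
    """Return one finding per device with the actions the advisory recommends."""
    findings = []
    for rec in inventory:
        status = classify(rec["ios_version"])
        actions = []
        if status != "fully-patched":
            actions.append("update to latest iOS")
        if rec.get("high_risk") and not rec.get("lockdown_mode"):
            actions.append("enable Lockdown Mode")
        findings.append({"device": rec["device"], "status": status, "actions": actions})
    return findings


# Constructed inventory (not real devices).
SAMPLE_INVENTORY = [
    {"device": "exec-01",  "ios_version": "18.6.2",   "high_risk": True,  "lockdown_mode": False},
    {"device": "exec-02",  "ios_version": "26.3",     "high_risk": True,  "lockdown_mode": True},
    {"device": "staff-07", "ios_version": "iOS 26.2", "high_risk": False, "lockdown_mode": False},
    {"device": "lab-03",   "ios_version": "18.7.1",   "high_risk": False, "lockdown_mode": False},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['device']:<9} {f['status']:<19} {', '.join(f['actions']) or 'none'}")
```

The comparison is done on major.minor only, because the report states the affected range at that granularity; a build such as 18.7.1 is still reported as affected rather than silently assumed safe.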

Indicators of Compromise

Some known infrastructure linked to these attacks includes:

  • snapshare[.]chat
  • sahibndn[.]io
  • e5.malaymoil[.]com
  • static.cdncounter[.]net
  • sqwas.shapelie[.]com

These domains were used for delivering exploits or collecting stolen data.
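As an added example of how a defender would put the indicators above to use (this is not code from the GTIG report or from this article), the following Python script refangs the published domains and scans DNS and web-proxy log lines for hosts that equal, or are subdomains of, one of them. The log lines are constructed samples, not real telemetry, and the log format is an assumption.

```python
"""Scan DNS / web-proxy log lines for the DarkSword delivery and exfiltration
domains published by GTIG.  The indicator list is copied from the advisory; the
log lines are constructed samples, not real telemetry."""
import re
from typing import Optional

# Defanged as published ("[.]" in place of "."), so the list can be pasted safely.
DARKSWORD_DOMAINS = [
    "snapshare[.]chat",
    "sahibndn[.]io",
    "e5.malaymoil[.]com",
    "static.cdncounter[.]net",
    "sqwas.shapelie[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


IOC_SET = {refang(d) for d in DARKSWORD_DOMAINS}


def matching_ioc(hostname: str) -> Optional[str]:
    """Return the indicator that `hostname` equals or is a subdomain of, else None.

    Matching is deliberately narrow: 'cdn.snapshare.chat' hits 'snapshare.chat', but
    the parent 'malaymoil.com' does not hit 'e5.malaymoil.com', because the advisory
    names the specific host only.  Widen this if your own analysis justifies it.
    """
    host = hostname.lower().strip(".")
    for ioc in IOC_SET:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Hostname extraction: bare names in DNS logs and the host part of URLs in proxy logs.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


def scan_log(lines) -> list:
    """Return one hit per log line that references a DarkSword indicator."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            ioc = matching_ioc(m.group(1))
            if ioc:
                hits.append({"line": lineno, "host": m.group(1).lower(), "ioc": ioc})
                break  # one hit per line is enough for triage
    return hits


# Constructed sample log (assumed key=value format; not real traffic).
SAMPLE_LOG = """\
2026-01-12T09:58:41Z dns client=10.0.0.5 query=time.apple.com type=A
2026-01-12T10:01:03Z dns client=10.0.0.5 query=snapshare.chat type=A
2026-01-12T10:01:04Z proxy client=10.0.0.5 GET https://static.cdncounter.net/a.js status=200
2026-01-12T10:02:17Z dns client=10.0.0.9 query=malaymoil.com type=A
2026-01-12T10:03:50Z dns client=10.0.0.9 query=cdn.sahibndn.io type=AAAA
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} matches indicator {hit['ioc']}")
```

A hit on these domains is worth treating as a possible exploit delivery or exfiltration event for the client in question, since the advisory ties the infrastructure directly to both roles; the narrow subdomain-only match keeps the parent of a published host (such as malaymoil.com) out of the alert stream unless an analyst chooses to widen it.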


Our Analysis and Opinion

Looking at the DarkSword case, it becomes clear that the landscape of mobile exploitation is changing rapidly. What stands out is not only the technical depth of the exploit chain but also how widely it is being reused. This is no longer a situation where each attacker builds their own tools from scratch. Instead, we are seeing the rise of shared exploit ecosystems, where one advanced framework can be adapted by many different groups.

This shift has serious implications. When a single exploit chain is reused across different actors, it becomes much harder to attribute attacks. The same tool can appear in completely unrelated campaigns, making it difficult for defenders to understand who is behind an operation. This blurs the line between state-sponsored activity and commercial surveillance.

Another important point is the use of JavaScript for the entire exploit process. Traditionally, high-end exploits relied heavily on native code. Here, attackers are achieving full system compromise using a language that is widely understood and easy to modify. This could lower the barrier for future attackers and lead to faster development cycles.

The targeting pattern also suggests that these operations are not random. The focus on specific regions indicates a level of planning and intent that goes beyond ordinary cybercrime. These are likely intelligence-driven campaigns aimed at monitoring individuals or organizations of interest.

Finally, the use of multiple zero-day vulnerabilities in a single chain shows the level of investment behind these attacks. Discovering and exploiting even one zero-day is expensive. Combining several of them into a reliable chain requires significant expertise and resources.

Overall, DarkSword represents a shift toward scalable and reusable cyber-espionage tools. If this trend continues, defenders will face increasing challenges, as advanced capabilities become more accessible and harder to track.