"DarkSword" iOS Exploit Chain Actively Used by Spyware Vendors and State Actors

Sophisticated "DarkSword" iOS Exploit Chain Used in Targeted Attacks by Multiple Threat Actors

CRITICAL
March 14, 2026
6m read
Vulnerability, Malware, Mobile Security

Related Entities

Threat Actors

UNC6353

Products & Tech

iOS, Safari, Telegram, WhatsApp

Other

DarkSword, Ghostblade

CVE Identifiers

CVE-2026-20700, CVE-2025-43529

Full Report

Executive Summary

Google's Threat Analysis Group (TAG) has detailed a potent, full-chain iOS exploit named DarkSword, which is being actively used in the wild by a diverse set of threat actors. This includes commercial surveillance vendors and suspected state-sponsored espionage groups. The exploit chain combines six distinct vulnerabilities to compromise iPhones running iOS 18.4 through 18.7, allowing for the deployment of a powerful spyware payload called Ghostblade. The attack can be initiated through a simple 'drive-by' method, where a target visits a malicious website. The proliferation of such a powerful exploit chain beyond a single elite actor signifies a dangerous commoditization of advanced mobile surveillance tools, posing a significant risk to high-value targets globally.

Vulnerability Details

DarkSword is a complex exploit chain, not a single vulnerability. It links together six different zero-day or n-day vulnerabilities to move from JavaScript running in Safari's sandboxed WebContent (renderer) process to full control of the underlying operating system. Two of the key vulnerabilities mentioned are:

  • CVE-2026-20700: A Pointer Authentication Code (PAC) bypass. PAC (ARMv8.3 pointer authentication, present on iPhones with the A12 chip and later) stores a short cryptographic signature in the otherwise unused high bits of return addresses and function pointers and checks it before the pointer is used, so a pointer an attacker has overwritten normally faults instead of redirecting execution. A bypass lets the attacker forge or reuse valid signatures, turning a memory-corruption primitive back into control-flow hijacking; on current devices this step is a prerequisite for code execution, not an optional extra.
  • CVE-2025-43529: A garbage-collection bug in JavaScriptCore, Safari's JavaScript engine. Memory corruption of this kind, reachable from attacker-controlled JavaScript on a web page, is the usual entry point: it gives the attacker memory read/write inside the renderer process and, combined with the PAC bypass, code execution there. Everything after that stage still has to escape the sandbox.

The full chain likely involves additional vulnerabilities for sandbox escape and kernel privilege escalation; the remaining four bugs are not itemized here.

Affected Systems

  • Product: Apple iPhones
  • Affected Versions: iOS 18.4 through iOS 18.7

Apple has since patched these vulnerabilities in more recent iOS updates. Users running older versions remain vulnerable.

Exploitation Status

This exploit chain is actively being exploited in the wild. Google TAG has observed multiple, separate campaigns using DarkSword since at least November 2025, with targets located in Saudi Arabia, Turkey, Malaysia, and Ukraine. Operators observed using it include:

  • Commercial surveillance vendors (spyware-for-hire companies).
  • A suspected Russian state-sponsored group tracked as UNC6353, which used it against Ukrainian targets.

This indicates that the exploit is not exclusive to one group but is being sold or shared among different malicious actors.

Impact Assessment

A successful DarkSword attack results in a full device compromise, allowing the attacker to deploy the Ghostblade spyware payload. This payload has extensive data exfiltration capabilities, including:

  • Device identifiers (IMEI, UDID)
  • SMS messages, iMessages, and call history
  • Contacts and calendar data
  • Precise location data
  • Wi-Fi passwords
  • Data from secure applications like Telegram, WhatsApp, and various cryptocurrency wallets.

The impact on a targeted individual is a total loss of privacy and security. For an organization, a compromised device belonging to a key executive can lead to the leakage of strategic plans, intellectual property, and other highly confidential information.

Cyber Observables for Detection

Detecting on-device iOS malware is notoriously difficult for end-users, and even an MTD agent on a stock (non-jailbroken) iPhone cannot enumerate other processes or read /private/var. The process and file observables below are therefore realistically recovered through forensic extraction rather than by a resident agent; the network observables are the ones a security team can watch continuously. Observables include:

Type | Value | Description
process_name | Anomalous processes | Unexpected processes running with root privileges.
network_traffic_pattern | Outbound connections to C2 | The compromised device making repeated connections to known spyware command-and-control servers.
url_pattern | Watering hole domains | Traffic from target devices to specific, lesser-known websites that may be used as watering holes.
file_path | /private/var/ | Creation of unusual files or scripts in writable system directories, where payloads are often stored.

Detection Methods

  1. Mobile Threat Defense (MTD): Organizations with high-value users should deploy MTD solutions on their iPhones. On a stock (non-jailbroken) iPhone these agents cannot inspect other processes, so in practice they detect jailbreak-style integrity changes, suspicious configuration profiles, outdated OS versions, and connections to known-bad infrastructure; treat them as a complement to network monitoring rather than as an on-device EDR.
  2. Network-Level Monitoring: Monitor network traffic from mobile devices for connections to suspicious domains or IP addresses provided by threat intelligence feeds, and for periodic, low-volume connections to destinations that are not on a known-good list.
  3. Forensic Analysis: If a compromise is suspected, a full forensic analysis of the device is required to confirm the presence of spyware like Ghostblade: a full file system extraction where available, or at minimum an encrypted local backup (analyzed with a tool such as Amnesty International's Mobile Verification Toolkit, MVT) together with a sysdiagnose archive. Preserve these artifacts before rebooting or updating the device.

Remediation Steps

  1. Update Immediately: The most critical step is for all users to update their iPhones to the latest version of iOS. Apple has patched the vulnerabilities used in the DarkSword chain. This is the primary defense, as per D3FEND's Software Update (D3-SU).
  2. Enable Lockdown Mode: For users at high risk of targeted attacks (journalists, activists, government officials), Apple's Lockdown Mode should be enabled. This feature significantly reduces the attack surface of the device by disabling features commonly exploited by spyware, such as complex web technologies in Safari.
  3. Reboot Regularly: While not a complete solution, a reboot clears an implant that has not established persistence and forces the attacker to re-exploit the device. Two caveats: a device that looks clean after a reboot says nothing about whether it was compromised before, so collect a backup and logs first if you intend to investigate; and nothing here establishes that Ghostblade lacks persistence, so do not rely on this step alone.

Timeline of Events

November 1, 2025: Google TAG first observes the DarkSword exploit chain being used in targeted attacks.
March 14, 2026: This article was published.

MITRE ATT&CK Mitigations

Keeping iOS updated to the latest version is the most critical mitigation, as Apple patches the vulnerabilities used in these chains.

iOS's sandboxing is the primary defense that exploit chains like DarkSword must defeat. While users can't control it, its presence forces attackers to use multiple, complex exploits, increasing the chance of failure or detection.

Enabling Apple's Lockdown Mode is a user-configurable mitigation that hardens the device by reducing its attack surface.

D3FEND Defensive Countermeasures

The single most effective defense against exploit chains like DarkSword is to ensure all iPhones are running the latest version of iOS. Apple's security team works to patch the vulnerabilities (like CVE-2026-20700 and CVE-2025-43529) that comprise these chains. Organizations should enforce a policy via their Mobile Device Management (MDM) solution that requires devices to be updated within a short timeframe after a new iOS version is released. For end-users, enabling automatic updates is crucial. Since exploit chains are often built on vulnerabilities present in older OS versions, maintaining up-to-date software is a simple, non-negotiable step that invalidates the attacker's primary weapon.
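As an added example (not code from the article or from Google's report) of turning the "update within a short timeframe" policy into a check that runs against an MDM export, the following Python classifies each device relative to the affected range named above. The export field names and the "18.7.4" baseline are assumptions: the article only says that later iOS builds carry the fixes, so the first build you accept as patched is a parameter you set from Apple's release notes, not a value taken from this page.

```python
"""Flag MDM-inventoried iPhones that are still exposed to the DarkSword chain.

Added illustration, not code from the Google report or from this article.
Assumes an MDM export with "device_id" and "os_version" fields (an assumption;
real exports differ by vendor). The first build accepted as patched is passed
in by the caller because the page only states that later iOS builds are fixed.
"""
from typing import Iterable

# Range the article names as affected (major.minor). Point releases inside it
# are treated as affected unless they reach min_patched.
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)


def parse_version(s: str) -> tuple:
    """'18.7.1' -> (18, 7, 1); '26.1' -> (26, 1, 0). Pads so tuples compare cleanly."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {s!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def in_affected_range(os_version: str) -> bool:
    """True for any 18.4.x .. 18.7.x build."""
    return AFFECTED_MIN <= parse_version(os_version)[:2] <= AFFECTED_MAX


def classify(os_version: str, min_patched: str) -> str:
    """'patched', 'affected' or 'unpatched-older', relative to the chosen baseline."""
    if parse_version(os_version) >= parse_version(min_patched):
        return "patched"
    if in_affected_range(os_version):
        return "affected"
    # The article says older builds also remain vulnerable: treat them as
    # non-compliant even though they sit outside the named 18.4-18.7 range.
    return "unpatched-older"


def noncompliant(inventory: Iterable[dict], min_patched: str) -> list:
    """Devices that must be updated, most exposed first, then by device_id."""
    out = []
    for dev in inventory:
        status = classify(dev["os_version"], min_patched)
        if status != "patched":
            out.append({"device_id": dev["device_id"],
                        "os_version": dev["os_version"], "status": status})
    order = {"affected": 0, "unpatched-older": 1}
    return sorted(out, key=lambda d: (order[d["status"]], d["device_id"]))


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"device_id": "exec-01", "os_version": "18.7.1"},
    {"device_id": "exec-02", "os_version": "26.1"},
    {"device_id": "exec-03", "os_version": "18.3.2"},
    {"device_id": "exec-04", "os_version": "18.7.4"},
]

if __name__ == "__main__":
    # "18.7.4" is a placeholder baseline (assumption), not a version the article names.
    for row in noncompliant(SAMPLE_INVENTORY, min_patched="18.7.4"):
        print(row)
```

Run it against the real export after each Apple security release with the new baseline; anything reported as "affected" is a device whose first-stage browser surface the chain was built for and should be treated as the priority for enforcement.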

For individuals at high risk of being targeted by sophisticated spyware (e.g., journalists, activists, senior executives, government officials), enabling Apple's Lockdown Mode is a critical hardening measure. This feature, introduced in iOS 16, drastically reduces the device's attack surface. It disables complex web technologies in Safari (including Just-In-Time JavaScript compilation, which browser exploits routinely depend on), blocks certain message attachment types, and restricts other features. While it may limit some functionality, Lockdown Mode provides a strong defense against the zero-click and one-click exploits used by commercial spyware vendors and state actors. It is not a guarantee, but it removes much of the browser surface that chains like DarkSword depend on at their first stage.

While on-device detection is difficult, organizations can detect compromised iPhones by analyzing their network traffic. All network traffic from corporate mobile devices should be routed through a central proxy or VPN where it can be inspected. Most of that traffic is TLS, so inspection here means flow metadata (destination, timing, volume) rather than payload content, which is enough for the indicators that follow. Security teams should monitor for connections to known malicious C2 servers associated with spyware vendors; threat intelligence feeds often provide lists of such domains and IPs. Additionally, network behavioral analysis that looks for anomalies, such as a device suddenly sending small, encrypted 'heartbeat' packets to an unknown server at regular intervals, can be an effective way to uncover a hidden spyware infection like Ghostblade.
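As an added example (not code from the article or from Google's report) of the heartbeat pattern just described and of the C2 observable in the detection table above, the following Python applies a simple periodicity test to outbound flow records. The record fields, the thresholds, the destination names and the sample flows are all constructed assumptions; a real proxy or VPN export will need a small adapter to produce the same shape.

```python
"""Beacon ("heartbeat") detection over outbound flow records from mobile devices.

Added example, not code from the Google report or from this article. Input is a
list of flow records of the shape a proxy or VPN concentrator can export
(assumed fields: ts as epoch seconds, device, dst as "host:port", bytes_out).
A (device, dst) pair is flagged when the device contacts the destination
repeatedly at near-constant intervals with small, similarly sized uploads,
which is the pattern the text describes. All thresholds are illustrative.
"""
from collections import defaultdict
from statistics import mean, pstdev


def find_beacons(flows, min_hits=8, max_jitter=0.15, max_bytes=2048):
    """Return one alert per (device, dst) pair that looks like periodic check-ins.

    jitter is the coefficient of variation of the inter-connection gaps:
    0 means perfectly periodic. Human-driven traffic is bursty, so its
    jitter is usually well above 1.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["device"], f["dst"])].append(f)

    alerts = []
    for (device, dst), recs in by_pair.items():
        if len(recs) < min_hits:
            continue  # too few samples to call anything periodic
        recs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter and max(r["bytes_out"] for r in recs) <= max_bytes:
            alerts.append({
                "device": device, "dst": dst, "hits": len(recs),
                "period_s": round(period, 1), "jitter": round(jitter, 3),
            })
    return sorted(alerts, key=lambda a: a["jitter"])


def build_sample_flows(base_ts=1_700_000_000):
    """Constructed flows: one beaconing device plus ordinary bursty browsing."""
    flows = []
    # Suspected implant check-in: every ~300 s, a few hundred bytes each time.
    # 203.0.113.45 is a documentation (TEST-NET-3) address, not real C2.
    for i, (j, size) in enumerate(zip(
            [0, 3, -2, 5, 1, -4, 2, 0, 3, -1, 2, 1],
            [412, 420, 415, 430, 410, 418, 425, 412, 419, 421, 414, 417])):
        flows.append({"ts": base_ts + 300 * i + j, "device": "iphone-exec-01",
                      "dst": "203.0.113.45:443", "bytes_out": size})
    # Normal browsing to a CDN: clustered, irregular, some large uploads.
    for off, size in zip([0, 40, 45, 900, 910, 3000, 3050, 3060, 7000],
                         [1200, 800, 50_000, 900, 1100, 70_000, 950, 1000, 1300]):
        flows.append({"ts": base_ts + off, "device": "iphone-exec-01",
                      "dst": "cdn.example.net:443", "bytes_out": size})
    # Too few contacts to judge either way.
    for off in [10, 5000, 9000]:
        flows.append({"ts": base_ts + off, "device": "iphone-exec-02",
                      "dst": "api.example.org:443", "bytes_out": 600})
    return flows


if __name__ == "__main__":
    for alert in find_beacons(build_sample_flows()):
        print(alert)
```

Legitimate services also beacon (push notification services, MDM check-ins, OS telemetry), so in production the destinations flagged here are compared against an allowlist of known Apple and vendor endpoints before anyone is paged; the value of the test is that it needs no decrypted content and no agent on the phone.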

Sources & References

A DarkSword hangs over unpatched iPhones. Malwarebytes (malwarebytes.com), March 19, 2026.
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors. Google Threat Intelligence (cloud.google.com), March 18, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

iOS, Exploit Chain, Spyware, Zero-Day, Mobile Security, Google TAG
