Sophisticated "DarkSword" iOS Exploit Chain Used in Targeted Attacks by Multiple Threat Actors
"DarkSword" iOS Exploit Chain Actively Used by Spyware Vendors and State Actors
Related Entities
Threat Actors
Organizations
Products & Tech
Other
CVE Identifiers
Full Report
Executive Summary
Google's Threat Analysis Group (TAG) has detailed a potent, full-chain iOS exploit named DarkSword, which is being actively used in the wild by a diverse set of threat actors. This includes commercial surveillance vendors and suspected state-sponsored espionage groups. The exploit chain combines six distinct vulnerabilities to compromise iPhones running iOS 18.4 through 18.7, allowing for the deployment of a powerful spyware payload called Ghostblade. The attack can be initiated through a simple 'drive-by' method, where a target visits a malicious website. The proliferation of such a powerful exploit chain beyond a single elite actor signifies a dangerous commoditization of advanced mobile surveillance tools, posing a significant risk to high-value targets globally.
Vulnerability Details
DarkSword is a complex exploit chain, not a single vulnerability. It links together six different zero-day or n-day vulnerabilities to move from the sandboxed Safari browser to achieving full control over the underlying operating system. Two of the key vulnerabilities mentioned are:
- CVE-2026-20700: A Pointer Authentication Code (PAC) bypass vulnerability. PAC is a critical hardware-level security feature on modern iPhones designed to prevent attackers from modifying pointers in memory to execute arbitrary code. Bypassing it is a significant step in gaining code execution.
- CVE-2025-43529: A garbage collection bug in JavaScriptCore, Safari's JavaScript engine. This type of memory corruption bug is often used to gain initial code execution within the browser's sandboxed process.
The full chain likely involves additional vulnerabilities for sandbox escape and privilege escalation to the root level.
Affected Systems
- Product: Apple iPhones
- Affected Versions: iOS 18.4 through iOS 18.7
Apple has since patched these vulnerabilities in more recent iOS updates. Users running older versions remain vulnerable.
Exploitation Status
This exploit chain is actively being exploited in the wild. Google TAG has observed multiple, separate campaigns using DarkSword since at least November 2025. The targets are located in Saudi Arabia, Turkey, Malaysia, and Ukraine. The users of the exploit include:
- Commercial surveillance vendors (spyware-for-hire companies).
- A suspected Russian state-sponsored group tracked as UNC6353, which used it against Ukrainian targets.
This indicates that the exploit is not exclusive to one group but is being sold or shared among different malicious actors.
Impact Assessment
A successful DarkSword attack results in a full device compromise, allowing the attacker to deploy the Ghostblade spyware payload. This payload has extensive data exfiltration capabilities, including:
- Device identifiers (IMEI, UDID)
- SMS messages, iMessages, and call history
- Contacts and calendar data
- Precise location data
- Wi-Fi passwords
- Data from secure applications like Telegram, WhatsApp, and various cryptocurrency wallets.
The impact on a targeted individual is a total loss of privacy and security. For an organization, a compromised device belonging to a key executive can lead to the leakage of strategic plans, intellectual property, and other highly confidential information.
Cyber Observables for Detection
Detecting on-device iOS malware is notoriously difficult for end-users. For security teams with Mobile Threat Defense (MTD) solutions, observables include:
/private/var/Detection Methods
- Mobile Threat Defense (MTD): Organizations with high-value users should deploy MTD solutions on their iPhones. These tools can detect suspicious processes, network connections, and system-level changes indicative of a compromise.
- Network-Level Monitoring: Monitor network traffic from mobile devices for connections to suspicious domains or IP addresses provided by threat intelligence feeds.
- Forensic Analysis: If a compromise is suspected, a full forensic analysis of the device (e.g., a file system extraction) is required to confirm the presence of spyware like Ghostblade.
Remediation Steps
- Update Immediately: The most critical step is for all users to update their iPhones to the latest version of iOS. Apple has patched the vulnerabilities used in the DarkSword chain. This is the primary defense, as per D3FEND's
Software Update(D3-SU). - Enable Lockdown Mode: For users at high risk of targeted attacks (journalists, activists, government officials), Apple's Lockdown Mode should be enabled. This feature significantly reduces the attack surface of the device by disabling features commonly exploited by spyware, such as complex web technologies in Safari.
- Reboot Regularly: While not a complete solution, regularly rebooting an iPhone can sometimes remove non-persistent spyware payloads, forcing the attacker to re-exploit the device.
Timeline of Events
MITRE ATT&CK Mitigations
Update Software
Keeping iOS updated to the latest version is the most critical mitigation, as Apple patches the vulnerabilities used in these chains.
iOS's sandboxing is the primary defense that exploit chains like DarkSword must defeat. While users can't control it, its presence forces attackers to use multiple, complex exploits, increasing the chance of failure or detection.
Enabling Apple's Lockdown Mode is a user-configurable mitigation that hardens the device by reducing its attack surface.
D3FEND Defensive Countermeasures
The single most effective defense against exploit chains like DarkSword is to ensure all iPhones are running the latest version of iOS. Apple's security team works to patch the vulnerabilities (like CVE-2026-20700 and CVE-2025-43529) that comprise these chains. Organizations should enforce a policy via their Mobile Device Management (MDM) solution that requires devices to be updated within a short timeframe after a new iOS version is released. For end-users, enabling automatic updates is crucial. Since exploit chains are often built on vulnerabilities present in older OS versions, maintaining up-to-date software is a simple, non-negotiable step that invalidates the attacker's primary weapon.
For individuals at high risk of being targeted by sophisticated spyware (e.g., journalists, activists, senior executives, government officials), enabling Apple's Lockdown Mode is a critical hardening measure. This feature, available in recent iOS versions, drastically reduces the device's attack surface. It disables complex web technologies in Safari (like Just-In-Time JavaScript compilation, which is often targeted by exploits), blocks certain message attachment types, and restricts other features. While it may limit some functionality, Lockdown Mode provides a powerful defense against the zero-click and one-click exploits used by commercial spyware vendors and state actors. It is a targeted countermeasure designed specifically to defeat attacks like DarkSword.
While on-device detection is difficult, organizations can detect compromised iPhones by analyzing their network traffic. All network traffic from corporate mobile devices should be routed through a central proxy or VPN where it can be inspected. Security teams should monitor for connections to known malicious C2 servers associated with spyware vendors. Threat intelligence feeds often provide lists of such domains and IPs. Additionally, using network behavioral analysis to look for anomalies, such as a device suddenly sending small, encrypted 'heartbeat' packets to an unknown server at regular intervals, can be an effective way to uncover a hidden spyware infection like Ghostblade.
Timeline of Events
Google TAG first observes the DarkSword exploit chain being used in targeted attacks.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats
🎯 MITRE ATT&CK Mapped
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
🧠 Enriched & Analyzed
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
🛡️ Actionable Guidance
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
🔗 STIX Visualizer
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
⚡ Sigma Generator
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.