DarkSword iOS Exploit Kit Leverages 6 Vulnerabilities, Including 3 Zero-Days, for Comprehensive Device Compromise
A newly identified exploit kit targeting Apple iOS devices, known as DarkSword, has been active as a significant threat since late 2025. The toolkit is reportedly used by several threat actors, including commercial surveillance vendors and suspected state-sponsored groups, to extract sensitive data from users in Saudi Arabia, Turkey, Malaysia, and Ukraine. Its impact extends beyond individual privacy concerns and raises broader alarms about the security of mobile devices globally.
Emergence of DarkSword in Cyber Threat Landscape
The Google Threat Intelligence Group (GTIG) has reported that DarkSword is the second iOS exploit kit discovered within a month, following the earlier identification of Coruna. Designed to target iPhones running iOS versions 18.4 to 18.7, DarkSword has been linked to a suspected Russian espionage group tracked as UNC6353, which has been actively deploying the kit against Ukrainian users. The appearance of two such kits in quick succession points to a troubling trend: mature exploit chains for data theft are circulating among a widening set of actors.
The exploit kit is engineered to give complete access to a victim's device with minimal user interaction. That a group like UNC6353 can field such a capability points to a secondary market for exploits, one that lets less resourceful threat groups acquire high-quality tools for their operations.
Technical Breakdown of DarkSword
DarkSword operates by exploiting six distinct vulnerabilities, three of which are classified as zero-days, meaning they were actively exploited before Apple patched them. The vulnerabilities exploited are:
- CVE-2025-31277: A memory corruption vulnerability in JavaScriptCore, patched in version 18.6.
- CVE-2026-20700: A user-mode Pointer Authentication Code (PAC) bypass in dyld, patched in version 26.3.
- CVE-2025-43529: Another memory corruption vulnerability in JavaScriptCore, patched in versions 18.7.3 and 26.2.
- CVE-2025-14174: A memory corruption vulnerability in ANGLE, also patched in versions 18.7.3 and 26.2.
- CVE-2025-43510: A memory management vulnerability in the iOS kernel, patched in versions 18.7.2 and 26.1.
- CVE-2025-43520: A memory corruption vulnerability in the iOS kernel, patched in versions 18.7.2 and 26.1.
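For a defender, the practical question the list above raises is which of these six CVEs are still open on a given device build, since the fixes landed on two release lines (18.7.x and 26.x) at different points. The following Python script is an added example, not code from the article or from GTIG: it takes the patch versions exactly as stated above, parses iOS version strings, and reports the unpatched CVEs for each device in a constructed inventory such as an MDM export. The rule that a later major line (26.x) already carries a fix listed only for 18.x, and that an 18.x build has no fix when the article lists none for that line, is an assumption made here for the example.

```python
"""Fleet triage for the DarkSword CVE set: given an iOS version string,
report which of the six CVEs listed in the article are still unpatched.
Patch versions are the ones stated in the article; the cross-major rule
in is_unpatched() is an assumption of this example."""

from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Patched-in versions per CVE, exactly as listed in the article.
DARKSWORD_FIXES: Dict[str, List[str]] = {
    "CVE-2025-31277": ["18.6"],             # JavaScriptCore memory corruption
    "CVE-2026-20700": ["26.3"],             # user-mode PAC bypass in dyld
    "CVE-2025-43529": ["18.7.3", "26.2"],   # JavaScriptCore memory corruption
    "CVE-2025-14174": ["18.7.3", "26.2"],   # ANGLE memory corruption
    "CVE-2025-43510": ["18.7.2", "26.1"],   # kernel memory management
    "CVE-2025-43520": ["18.7.2", "26.1"],   # kernel memory corruption
}


def parse_version(text: str) -> Version:
    """'18.7' -> (18, 7, 0); accepts one to three numeric components."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_unpatched(device: Version, fixed_versions: List[str]) -> bool:
    """True if the device build predates the fix on its own major line.

    Assumption (not from the article): a major line newer than every listed
    fix (e.g. 26.0 against a fix in 18.6) already carries that fix, while an
    older line with no fix of its own listed is treated as still unpatched.
    """
    fixes = [parse_version(f) for f in fixed_versions]
    same_major = [f for f in fixes if f[0] == device[0]]
    if same_major:
        return device < min(same_major)
    if device[0] > max(f[0] for f in fixes):
        return False
    return True


def in_targeted_range(device: Version) -> bool:
    """The article states DarkSword targets iOS 18.4 through 18.7."""
    return device[0] == 18 and 4 <= device[1] <= 7


def unpatched_cves(version_text: str) -> List[str]:
    """List the DarkSword CVEs that remain unpatched on this build."""
    device = parse_version(version_text)
    return [cve for cve, fixes in DARKSWORD_FIXES.items() if is_unpatched(device, fixes)]


def triage_fleet(inventory: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """inventory maps a device id to its iOS version string (e.g. an MDM export)."""
    report: Dict[str, Dict[str, object]] = {}
    for device_id, version_text in inventory.items():
        device = parse_version(version_text)
        report[device_id] = {
            "version": version_text,
            "targeted_range": in_targeted_range(device),
            "unpatched": unpatched_cves(version_text),
        }
    return report


if __name__ == "__main__":
    # Constructed sample inventory; device ids and versions are made up.
    sample = {"phone-a": "18.5", "phone-b": "18.7.2", "phone-c": "26.2", "phone-d": "26.3"}
    for dev, row in triage_fleet(sample).items():
        print(dev, row)
```

Running it shows the point the version table hides: a device on 18.7.2 is past the kernel fixes but still exposed to both JavaScriptCore bugs, the ANGLE bug and the dyld PAC bypass, and even 26.2 remains open to CVE-2026-20700 until 26.3. Feed it your own inventory and prioritise anything whose `targeted_range` is true and whose `unpatched` list is non-empty.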
The exploitation process begins when a user visits a compromised website in Safari; the page embeds an iframe containing malicious JavaScript. That JavaScript fingerprints the visiting device and decides whether to route it to the iOS exploit chain. Once triggered, DarkSword escapes the WebContent sandbox and uses WebGPU to inject into mediaplaybackd, the system daemon responsible for media playback.
Data Exfiltration and Impact
Once the exploit chain is successfully executed, the malware, referred to as GHOSTBLADE, gains access to privileged processes and restricted areas of the file system. The orchestrator module then loads additional components designed to harvest sensitive data, including:
- Emails
- iCloud Drive files
- Contacts
- SMS messages
- Browsing history and cookies
- Cryptocurrency wallet data
- Usernames and passwords
- Photos and call history
- Wi-Fi configurations
- Location history
The malware's design suggests a "hit-and-run" approach: it quickly collects and exfiltrates data, then cleans up traces of its activity. The short dwell time reduces the chance of detection and so increases the attack's effectiveness.
Broader Implications and Threat Actor Profiles
The proliferation of exploit chains like DarkSword and Coruna highlights the ongoing risk of exploit availability across various actors with differing motivations. The use of these exploit kits suggests that even less sophisticated threat actors can access powerful tools for cyber espionage and data theft.
The group UNC6353 is assessed to be less technically sophisticated but well funded, which is consistent with alignment to Russian intelligence objectives. The lack of obfuscation in DarkSword's code and its straightforward design may point either to limited engineering resources or to a disregard for operational security.
DarkSword has also been linked to other threat actors, including UNC6748, which targeted Saudi Arabian users through a Snapchat-themed website, and PARS Defense, a Turkish commercial surveillance vendor that utilized DarkSword to deliver a JavaScript backdoor for data exfiltration.
Conclusion
The emergence of DarkSword underscores the evolving landscape of mobile cybersecurity threats. With its ability to exploit multiple vulnerabilities and facilitate comprehensive data theft, this exploit kit poses a significant risk to users of iOS devices. The ongoing development and deployment of such sophisticated tools highlight the need for heightened vigilance and robust security measures among users and organizations alike.
According to publicly available reporting, the implications of these developments raise critical questions about the accessibility and market for iOS exploits, particularly for financially motivated actors.