Multiple Threat Actors Exploit Six Vulnerabilities in iOS with DarkSword Kit


A recent cybersecurity development has unveiled a sophisticated exploit kit named DarkSword, which poses a significant threat to iOS devices. The kit allows attackers to extract sensitive data from compromised iPhones running iOS versions 18.4 to 18.6.2 with minimal user interaction. A single page load on a compromised Ukrainian government website can lead to the theft of messages, photos, passwords, and even cryptocurrency wallet keys, all while erasing traces of the intrusion within minutes.

The Spread of DarkSword

DarkSword has reportedly spread to at least four countries, raising alarms among cybersecurity experts. On Wednesday, the Google Threat Intelligence Group (GTIG), along with mobile security firm Lookout and device integrity company iVerify, published coordinated research detailing this new iOS full-chain exploit kit. The name “DarkSword” is derived from a variable found within the malware’s code: const TAG = "DarkSword-WIFI-DUMP". The collaboration among these organizations has painted a concerning picture of the exploit’s capabilities and reach.

DarkSword’s Deployment and Targeting

GTIG has tracked DarkSword deployments since November 2025, identifying various threat actors, including commercial surveillance vendors and suspected state-sponsored groups. These actors have utilized the same exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit leverages six vulnerabilities across iOS versions 18.4 to 18.7, all of which have been patched in iOS 26.3, although many were addressed in earlier updates. Apple was alerted to these vulnerabilities by GTIG in late 2025.

Analyzing the Exploit Chain

The entry point for the DarkSword exploit chain is found within two compromised websites: novosti[.]dn[.]ua, a news portal, and 7aac[.]gov[.]ua, a Ukrainian government domain. Both sites contained an invisible malicious iframe that loaded exploit code from a server located in Estonia. This server was configured to deliver payloads exclusively to devices with Ukrainian IP addresses, a tactic that minimizes exposure and complicates detection efforts.
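A site operator who wants to check served HTML for the kind of injection described above (an invisible iframe pulling code from a third-party host) can script the check. This is an added example, not code from the research cited in the article; the article does not say how the DarkSword iframe was hidden, so the hiding heuristics (the `hidden` attribute, `display:none`/`visibility:hidden`, or a 0x0 frame) and the sample page are assumptions.

```python
"""Flag <iframe> elements that load from another host while hidden from the user.
Added example; hiding heuristics are assumptions, not details from the article.
SAMPLE_HTML at the bottom is a constructed page, not captured from a real site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # one attribute dict per <iframe> start tag

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for '0', '0px', '0%'; False for a missing or non-zero size."""
    match = re.match(r"\s*(\d+)", value or "")
    return bool(match) and int(match.group(1)) == 0


def is_hidden(attrs):
    """Hidden attribute, display:none/visibility:hidden, or a 0x0 frame."""
    if "hidden" in attrs or HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return _is_zero(attrs.get("width")) and _is_zero(attrs.get("height"))


def find_suspicious_iframes(html, page_url):
    """Return [(src, host)] for iframes that are both off-origin and hidden."""
    collector = IframeCollector()
    collector.feed(html)
    site_host = urlparse(page_url).hostname
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname  # None for relative (same-origin) URLs
        if src_host and src_host != site_host and is_hidden(attrs):
            findings.append((src, src_host))
    return findings


# Constructed sample page: a visible embed, a hidden off-origin frame, and a
# hidden same-origin frame; only the second should be reported.
SAMPLE_HTML = """<html><body><h1>News</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="https://third-party.example/s.html" style="display:none"></iframe>
<iframe src="/promo" width="0" height="0"></iframe>
</body></html>"""
```

Running `find_suspicious_iframes(SAMPLE_HTML, "https://news.example/")` reports only the `third-party.example` frame; a hit on a production page is a prompt to diff the served HTML against the deployed source, not proof of compromise by itself.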

Once the iframe is loaded in Safari, DarkSword executes a multi-stage attack entirely in JavaScript. This design choice is significant because it avoids traditional malware artifacts that endpoint detection systems typically scan for, making it harder to identify.

The exploit breaks out of WebKit’s WebContent sandbox and uses WebGPU to inject into a background media process known as mediaplaybackd. From there, it establishes arbitrary kernel read-write access, lifting sandbox restrictions across critical processes such as configd, wifid, securityd, and UserEventAgent.

The orchestrator of the final payload, pe_main.js, injects targeted data-theft modules into these processes, staging the collected data in accessible filesystem locations before exfiltrating it to a command-and-control server. The entire operation is executed within minutes, leaving no trace of the intrusion.

The Extent of Data Theft

DarkSword is capable of stealing a wide range of data from compromised devices. This includes SMS and iMessage content, call history, address book entries, WiFi passwords, Safari browsing history, location history, health data, photos, iCloud Drive contents, emails, saved passwords, and the complete list of installed applications. Notably, DarkSword also targets cryptocurrency wallets, including those from Coinbase, Binance, Kraken, Kucoin, Ledger, Trezor, MetaMask, and Exodus. This focus on cryptocurrency indicates a financially motivated aspect of the threat actor’s operations, diverging from traditional cyber espionage.

The Vulnerabilities Behind DarkSword

The effectiveness of DarkSword stems from its exploitation of six distinct vulnerabilities across various layers of iOS. The initial stage of the exploit leverages two memory corruption vulnerabilities in JavaScriptCore, the engine that powers WebKit and Safari. The first vulnerability, CVE-2025-31277, was observed in early DarkSword deployments targeting iOS 18.4 and 18.5. A second vulnerability, CVE-2025-43529, was introduced in later iterations targeting iOS 18.6, providing operators with redundant entry points.

In conjunction with these remote code execution exploits, DarkSword exploits CVE-2026-20700, a Pointer Authentication Code (PAC) bypass in dyld, the dynamic linker responsible for loading code into Apple processes. Bypassing PAC is crucial for gaining deeper access to the device. The remaining vulnerabilities facilitate sandbox escape and privilege escalation, ultimately granting unrestricted kernel access across the device.

Apple has addressed these vulnerabilities incrementally, with CVE-2025-31277 and CVE-2025-43529 patched in iOS 26.1 and 26.2, respectively. The remaining vulnerabilities were resolved in iOS 26.3. The final patch for all six vulnerabilities was included in iOS 18.7.3 for devices on the iOS 18 branch. This timeline indicates a window of approximately four months during which the full exploit chain was operational against unpatched devices.
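The patch timeline above can be turned into a fleet triage check. This is an added example, not tooling from the cited research; the only version boundaries it uses are the ones the article states (full chain fixed in iOS 18.7.3 and iOS 26.3, CVE-2025-31277 fixed in 26.1, CVE-2025-43529 in 26.2), and the inventory rows are constructed sample data.

```python
"""Triage an iOS inventory against the DarkSword patch timeline.

Added example, not from the cited research. Boundaries are the article's:
full chain fixed in iOS 18.7.3 and iOS 26.3; CVE-2025-31277 fixed in 26.1
and CVE-2025-43529 in 26.2. Inventory rows are constructed sample data.
"""


def parse_version(text):
    """'18.6.2' -> (18, 6, 2); short strings such as '26.3' are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def darksword_status(version):
    """Classify one iOS version against the fixes the article names."""
    v = parse_version(version)
    if v[0] == 18:
        if v >= (18, 7, 3):
            return "patched"
        if v >= (18, 4, 0):
            return "exposed: full chain (18.4 up to 18.7, before 18.7.3)"
        # Assumption: the article documents 18.4 and later only.
        return "unknown: older than the 18.4 floor the article documents"
    if v[0] == 26:
        if v >= (26, 3, 0):
            return "patched"
        if v >= (26, 2, 0):
            return "partial: both JSC entry CVEs fixed; other four fixed in 26.3"
        if v >= (26, 1, 0):
            return "partial: CVE-2025-31277 fixed; CVE-2025-43529 fixed in 26.2"
        return "exposed: none of the six fixes is present (first lands in 26.1)"
    return "unknown: branch not covered by the article"


def triage(inventory):
    """Return [(device, version, status)] for every device not fully patched."""
    rows = [(dev, ver, darksword_status(ver)) for dev, ver in inventory]
    return [row for row in rows if row[2] != "patched"]


# Constructed sample inventory: (device name, reported iOS version).
SAMPLE_INVENTORY = [
    ("phone-01", "18.6.2"),
    ("phone-02", "18.7.3"),
    ("phone-03", "26.1"),
    ("phone-04", "26.3.1"),
    ("phone-05", "18.3.1"),
]
```

`triage(SAMPLE_INVENTORY)` returns phone-01 (exposed), phone-03 (partial) and phone-05 (unknown); the "unknown" rows deserve manual review rather than being treated as safe.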

The Evolution of DarkSword

An analysis by Lookout has revealed connections between DarkSword and prior campaigns. The delivery domain cdncounter[.]net shares characteristics with uacounter[.]com, a domain previously associated with UNC6353, a suspected Russian espionage group that also employed the earlier Coruna iOS exploit kit against Ukrainian targets. The same Ukrainian government domain that hosted DarkSword delivery code had previously distributed Coruna. This suggests that UNC6353 has incorporated DarkSword into its toolkit for watering hole campaigns.

The findings across multiple research publications highlight not just individual vulnerabilities but also the broader implications of DarkSword’s proliferation among various threat actors. Code comments in Russian appear in the early infrastructure stages, while subsequent exploit stages are written in English, indicating a tool developed by one entity and sold or transferred to multiple buyers. References to earlier iOS versions suggest an ongoing commercial development and distribution pipeline.

Lookout posits that the threat actor likely gained access to an exploit and post-exploitation toolkit developed by a third party. The nation-state-grade iOS zero-day chains, once thought to be exclusive to Tier 1 commercial surveillance vendors, are now circulating in a secondary market accessible to actors with fewer resources and mixed motivations, including financial crime.

Devices running iOS 18.7.3 or iOS 26.3 and later are not vulnerable to DarkSword. Google has added DarkSword delivery domains to its Safe Browsing service. For devices that cannot be updated immediately, Apple’s Lockdown Mode offers a way to reduce the available attack surface.

According to publicly available thecyberexpress.com reporting, the implications of DarkSword extend beyond individual users to the broader cybersecurity landscape, emphasizing the need for vigilance and proactive measures in safeguarding sensitive information.
