CRITICAL: DarkSword iOS Exploit Kit Turning iPhones Into Intelligence Goldmines
Sophisticated iOS exploit kit chains six vulnerabilities including three zero-days to achieve complete device takeover. Multiple threat actors including Russian espionage groups and commercial surveillance vendors observed using DarkSword against targets in Ukraine, Saudi Arabia, and Turkey.
Executive Summary
Google Threat Intelligence Group, iVerify, and Lookout have confirmed DarkSword, a sophisticated iOS exploit kit chaining six vulnerabilities (three zero-days) for complete device takeover. Active since November 2025, the kit uses a "hit and run" approach: it breaks in, exfiltrates data in under a minute, and erases its traces. Multiple threat actors, including Russian APT UNC6353 and Turkish surveillance vendor PARS Defense, have deployed it.
Vulnerability Details
| CVE | Component | Description |
|---|---|---|
| CVE-2025-31277 | JavaScriptCore | Memory corruption for initial RCE |
| CVE-2025-43529 | JavaScriptCore | Alternative memory corruption path |
| CVE-2026-20700 | dyld | Pointer Authentication Code bypass |
| CVE-2025-14174 | ANGLE/GPU | WebContent sandbox escape |
| CVE-2025-43510 | mediaplaybackd | Privilege escalation pivot |
| CVE-2025-43520 | Kernel | Memory corruption for arbitrary r/w |
Technical Analysis
DarkSword targets iOS versions 18.4 through 18.7. The attack begins when a user visits a compromised website in Safari. An embedded iframe fingerprints the device and, if the device is vulnerable, the JavaScript exploit chain activates.
The chain achieves initial code execution via JavaScriptCore memory corruption, bypasses Pointer Authentication Code protections in dyld, escapes the WebContent sandbox through the GPU process, pivots through mediaplaybackd, and finally exploits a kernel flaw for arbitrary read/write with elevated privileges.
The GHOSTBLADE dataminer component harvests emails, iCloud Drive files, contacts, SMS, Safari history and passwords, cryptocurrency wallet data, photos, call history, Wi-Fi passwords, location history, calendar, Notes, Health data, and Telegram/WhatsApp messages. Exfiltration completes in under a minute, before cleanup.
Threat Actors
UNC6353 (suspected Russian) targeted Ukrainian users via watering hole attacks on compromised Ukrainian websites. UNC6748 targeted Saudi Arabian users through a Snapchat-themed lure in November 2025. PARS Defense (Turkish commercial surveillance vendor) deployed DarkSword with GHOSTSABER backdoor.
Remediation Steps
Update to iOS 18.7.3, 26.2, or 26.3 immediately. Configure MDM solutions to enforce timely updates. Implement web filtering for known malicious infrastructure. Monitor for anomalous device behavior. Organizations in Ukraine, Saudi Arabia, Turkey, and Malaysia should be especially vigilant.
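To make the "enforce timely updates" step actionable, the following is an added example (not code from the advisory, Google, iVerify, or Lookout) of a version compliance check a defender can run over an MDM device inventory export. It flags devices still inside the targeted range the advisory states (iOS 18.4 through 18.7, fixed in 18.7.3) or below the recommended baseline (18.7.3, 26.2, or 26.3). Assumptions: the inventory is a CSV with `device_id` and `os_version` columns (a hypothetical export format), the sample rows are constructed, and iOS 18.7.0 through 18.7.2 are treated as in range because the page states the fix shipped in 18.7.3.

```python
"""Flag iPhones in an MDM inventory that need the DarkSword fix.

Added example, not from the advisory. Version boundaries come from the
advisory text; the CSV layout and sample rows are constructed assumptions.
"""
import csv
import io
from typing import List, Tuple

Version = Tuple[int, int, int]

# Targeted range per the advisory: iOS 18.4 through 18.7, fixed in 18.7.3.
# Assumption: 18.7.0 through 18.7.2 are treated as in range.
TARGETED_MIN: Version = (18, 4, 0)
TARGETED_MAX_EXCL: Version = (18, 7, 3)

# Minimum patched build per major release, per the remediation section.
BASELINES = {18: (18, 7, 3), 26: (26, 2, 0)}

# Constructed sample export (hypothetical column names).
SAMPLE_INVENTORY = """device_id,os_version
iphone-001,18.6.2
iphone-002,iOS 18.7.3
iphone-003,26.1
iphone-004,26.3
iphone-005,17.7.2
iphone-006,18.7
iphone-007,n/a
"""


def parse_version(text: str) -> Version:
    """Normalise strings such as 'iOS 18.7' or '18.7.1' into a 3-tuple."""
    cleaned = text.strip().lower().removeprefix("ios").strip()
    parts = cleaned.split(".")
    if not parts or len(parts) > 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def classify(version: Version) -> str:
    """Map a parsed version onto the advisory's guidance."""
    if TARGETED_MIN <= version < TARGETED_MAX_EXCL:
        return "in-targeted-range"
    baseline = BASELINES.get(version[0])
    if baseline is None:
        # Older or unknown major release; the advisory gives no guidance.
        return "unlisted-release"
    return "below-baseline" if version < baseline else "patched"


def triage_inventory(csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (device_id, raw_version, status) for every inventory row."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        try:
            status = classify(parse_version(rec["os_version"]))
        except ValueError:
            status = "unparseable"  # surface bad data rather than skipping it
        rows.append((rec["device_id"], rec["os_version"], status))
    return rows


def devices_needing_update(csv_text: str) -> List[str]:
    """Device ids that are either in the targeted range or below baseline."""
    action = {"in-targeted-range", "below-baseline"}
    return [d for d, _, s in triage_inventory(csv_text) if s in action]


if __name__ == "__main__":
    for device_id, raw, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{device_id:12} {raw:12} {status}")
```

Unparseable rows are reported rather than dropped, since a blank or malformed OS field in an inventory is itself a gap worth chasing; releases the advisory does not mention (here iOS 17) are labelled separately instead of being silently marked safe.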
References
- Google TAG DarkSword Analysis
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-kit