Cybersecurity

8 Critical Insights Into the DarkSword iOS Exploit Chain

2026-05-04 04:49:34

In late 2025, Google Threat Intelligence Group (GTIG) uncovered a sophisticated iOS full‑chain exploit named DarkSword. This exploit chain leveraged multiple zero‑day vulnerabilities to compromise devices running iOS 18.4 through 18.7. What makes DarkSword particularly alarming is its rapid adoption by multiple commercial surveillance vendors and suspected state‑sponsored actors. Since November 2025, campaigns have targeted individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine. Below are eight essential facts about DarkSword, how it works, who uses it, and what you can do to stay safe.

1. What Is the DarkSword Exploit Chain?

DarkSword is a full‑chain iOS exploit that requires no user interaction beyond visiting a malicious website. It strings together six separate zero‑day vulnerabilities to silently gain complete control over an iPhone or iPad. The exploit chain supports iOS versions 18.4 through 18.7 and is capable of dropping final‑stage payloads without leaving obvious traces. GTIG identified the toolmarks in recovered payloads and named the chain DarkSword. Its modular design allows different threat actors to customize the final payloads while reusing the same exploit engine, making it a versatile weapon in the spyware ecosystem.

8 Critical Insights Into the DarkSword iOS Exploit Chain
Source: www.mandiant.com

2. The Six Zero‑Day Vulnerabilities Behind DarkSword

Each DarkSword attack uses six distinct vulnerabilities to achieve code execution at every protection level of iOS. These zero‑days span kernel, WebKit, and other system components. GTIG responsibly disclosed all six to Apple in late 2025. Apple patched the majority of them before the release of iOS 26.3, but some were only fixed in that version. Users who have not updated to the latest iOS remain exposed. The vulnerabilities were critical—one allowed arbitrary code execution in the kernel, another bypassed sandbox restrictions, and a third enabled privilege escalation. The combination makes DarkSword one of the most dangerous exploit chains seen in the wild.

3. Which Threat Actors Are Using DarkSword?

GTIG tracks multiple clusters employing DarkSword. These include UNC6748, a group targeting Saudi Arabian users, and UNC6353, a suspected Russian espionage group previously linked to the Coruna iOS exploit kit. Commercial surveillance vendors—companies that sell spyware to governments—have also integrated DarkSword into their products. The variety of actors underscores a troubling trend: once a powerful exploit chain becomes available, it proliferates quickly across the cyber‑mercenary and state‑sponsored landscape. DarkSword is not limited to one region; it has been deployed against targets in Europe, the Middle East, and Asia.

4. Saudi Arabian Campaign: The Snapchat Lure

In early November 2025, UNC6748 launched a campaign using a fake Snapchat website, snapshare[.]chat, to lure Saudi Arabian users. The landing page contained obfuscated JavaScript that created an iframe to load the next stage of the exploit. It also set a session storage key named uid to prevent re‑infection of the same device. This technique kept the attack stealthy and efficient. Victims who visited the site with an unpatched iOS device would trigger the DarkSword chain, leading to a full compromise. The campaign targeted individuals likely involved in activism, journalism, or opposition politics, though GTIG did not name specific victims.

5. Other Targeted Regions: Turkey, Malaysia, and Ukraine

Beyond Saudi Arabia, GTIG observed DarkSword attacks in Turkey, Malaysia, and Ukraine. In each location, the threat actors used different infection vectors—some relied on watering hole attacks, others on spear‑phishing emails with embedded links. UNC6353, the suspected Russian espionage group, incorporated DarkSword into watering hole websites frequented by Ukrainian military and government personnel. In Malaysia, the targets appeared to be civil society members. The geographic diversity shows that DarkSword is not a one‑off tool but a widely distributed exploit chain available to multiple buyers or affiliates within the surveillance industry.


6. The Malware Families DarkSword Delivers

After a successful exploit, DarkSword deploys one of three distinct malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. These payloads are sophisticated implants capable of exfiltrating messages, call logs, and location data, and of capturing audio from the microphone. GHOSTBLADE focuses on persistent remote access, while GHOSTKNIFE specializes in file theft. GHOSTSABER includes keystroke logging and screen capture functionality. Each family is modular and can be updated over C2 servers. The presence of multiple payloads suggests that different actors either developed their own agents or purchased different versions from the same spyware vendor.

7. Defensive Measures: How to Protect Yourself

The strongest defense against DarkSword is to keep iOS updated. Apple patched all six vulnerabilities by iOS 26.3, and most were fixed earlier. Users still on iOS 18.x or 19.x should update immediately. If a device cannot run the latest iOS, GTIG recommends enabling Lockdown Mode, which disables certain web technologies exploited by DarkSword. Google has added all observed delivery domains to Safe Browsing, so using Chrome or Safari with phishing protection helps. Organizations should treat unpatched iOS devices as high‑risk and consider deploying mobile device management policies that enforce updates.
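The delivery domain from section 4 and the affected iOS range from section 7 can be turned into a simple log triage check. This is an added example, not code from GTIG or the article; it assumes a constructed proxy log format (timestamp, client IP, host, status, quoted user-agent) and flags devices in the reported 18.4 to 18.7 range that reached the landing page.

```python
import re
from typing import List, Optional, Tuple

# Delivery domain named in the GTIG reporting summarised above (defanged in the text).
DARKSWORD_DOMAINS = {"snapshare.chat"}
# iOS versions the chain is reported to support (inclusive range).
AFFECTED_MIN, AFFECTED_MAX = (18, 4), (18, 7)

# Constructed sample proxy lines: <ts> <client-ip> <host> <status> "<user-agent>"
SAMPLE_LOG = """\
2025-11-03T09:12:44Z 10.0.0.21 snapshare.chat 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Mobile/15E148 Safari/604.1"
2025-11-03T09:13:01Z 10.0.0.22 snapshare.chat 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 26_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.3 Mobile/15E148 Safari/604.1"
2025-11-03T09:14:10Z 10.0.0.23 www.example.com 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
IOS_RE = re.compile(r"iPhone OS (\d+)_(\d+)")


def ios_version(user_agent: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a Safari-on-iOS user-agent string, or None."""
    m = IOS_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_affected_range(version: Optional[Tuple[int, int]]) -> bool:
    """True when the version falls inside the range DarkSword is reported to target."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(log_text: str) -> List[dict]:
    """One finding per request to a known delivery domain, with a severity rating."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        ts, client, host, status, ua = m.groups()
        if host.lower() not in DARKSWORD_DOMAINS:
            continue
        ver = ios_version(ua)
        findings.append({
            "ts": ts, "client": client, "host": host, "ios": ver,
            # an unpatched device that reached the landing page warrants forensic triage
            "severity": "high" if in_affected_range(ver) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A "medium" hit still means a device visited a known delivery domain; only the exposure assessment differs by version.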

8. Industry Collaboration and Ongoing Monitoring

GTIG published this research in coordination with Lookout and iVerify, two mobile security firms that independently observed DarkSword activity. Their combined telemetry helped confirm the exploit chain’s spread. GTIG continues to monitor for new DarkSword variants and additional actor clusters. Google has also shared indicators of compromise (IoCs) with security vendors and national CERTs. Users and administrators are encouraged to review GTIG’s full technical report for detailed IoCs and forensic analysis. The threat landscape around mobile spyware is evolving rapidly, and collaboration remains key to staying ahead.

The DarkSword exploit chain represents a dangerous evolution in iOS surveillance. Its adoption by multiple actors, from commercial spyware vendors to state‑sponsored groups, highlights the booming market for zero‑day exploits. The best defense remains proactive patch management and enabling advanced security features like Lockdown Mode. Stay informed, update your devices, and remain vigilant against suspicious links—even those that appear to come from trusted services like Snapchat. The fight against commercial spyware requires constant attention, but knowledge is our strongest weapon.
