The Rise of Exploit Marketplaces: DarkSword and the Future of iOS Security
A sophisticated iOS exploit chain, dubbed DarkSword, has been observed in use by multiple threat actors since November 2025, according to recent findings from Google Threat Intelligence Group (GTIG), Lookout, and iVerify. This proliferation of a single exploit kit, mirroring the earlier Coruna case, signals a worrying trend: the emergence of a robust marketplace for zero-day vulnerabilities.
What is DarkSword and Why Does it Matter?
DarkSword leverages six vulnerabilities, including three zero-days, to achieve full device compromise on iOS versions 18.4 through 18.7. The exploit chain allows attackers to gain complete control over targeted iPhones, enabling them to steal sensitive data and deploy malicious payloads. The fact that both commercial surveillance vendors and suspected state-sponsored actors are utilizing DarkSword highlights its value and accessibility within the threat landscape.
Who is Using DarkSword?
GTIG has identified at least three distinct groups employing DarkSword: UNC6748, PARS Defense, and UNC6353. Each group demonstrates varying levels of operational security (OPSEC) and employs different tactics. UNC6748, for example, used a fake Snapchat website to deliver the exploit, while PARS Defense, a Turkish commercial surveillance provider, exhibited a higher degree of sophistication in its delivery methods. UNC6353, suspected to be a Russian espionage group, integrated DarkSword into watering hole attacks targeting Ukrainian users.
Pro Tip: Regularly updating your iOS version is the most effective way to protect yourself against known exploits. Apple patched the last of the DarkSword vulnerabilities with the release of iOS 26.3, though many of them were addressed in earlier updates.
The Anatomy of the Exploit Chain
DarkSword is unique in its reliance on pure JavaScript for all phases of the infection process. This allows it to bypass certain iOS security mechanisms, such as Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM), which typically block the execution of unsigned binary code. The exploit chain consists of four stages:
- Remote Code Execution (RCE): Exploits vulnerabilities in JavaScriptCore (CVE-2025-31277 and CVE-2025-43529).
- Sandbox Escape (WebContent): Leverages a flaw in the WebGL library ANGLE (CVE-2025-14174) to escape the Safari WebContent sandbox.
- Sandbox Escape (GPU): Exploits a copy-on-write bug in the XNU kernel (CVE-2025-43510) to gain access to the mediaplaybackd system service.
- Kernel Privilege Escalation & Payload Delivery: Uses a race condition in the XNU file system (CVE-2025-43520) to load malicious libraries and deploy the final payload.
The Payloads: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER
Once a device is compromised, attackers deploy one of three malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. GHOSTBLADE is a data miner focused on collecting device information. GHOSTKNIFE is a more versatile backdoor capable of audio recording, screenshot capture, and location tracking. GHOSTSABER, used by PARS Defense, offers file listing, data exfiltration, and the ability to execute arbitrary JavaScript code.
Did you know? The developers of DarkSword appear to be distinct from the groups deploying it, suggesting a specialized development and resale model.
Future Trends: The Expanding Exploit Marketplace
The DarkSword case underscores several emerging trends in the mobile threat landscape:
- Increased Commoditization of Exploits: Zero-day vulnerabilities are becoming increasingly valuable commodities, traded on underground marketplaces and accessible to a wider range of threat actors.
- Proliferation of Exploit Kits: We can expect to witness more sophisticated exploit kits emerge, offering modular components and targeting a broader range of platforms.
- Focus on JavaScript-Based Exploits: The success of DarkSword’s JavaScript-based approach may encourage developers to prioritize this technique to bypass traditional security measures.
- Rise of Specialized Malware Families: The emergence of distinct malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER suggests a trend towards tailored payloads designed for specific objectives.
FAQ
Q: What iOS versions are affected by DarkSword?
A: iOS versions 18.4 through 18.7 are vulnerable. Updating to iOS 26.3 or later is recommended.
Q: Is my iPhone safe if I’m not in Saudi Arabia, Turkey, Malaysia, or Ukraine?
A: While these countries were specifically targeted in observed campaigns, the exploit is not geographically limited. Anyone using a vulnerable iOS version could be at risk.
Q: What is a zero-day vulnerability?
A: A zero-day vulnerability is a software flaw that is unknown to the vendor and for which no patch is available. This makes it particularly dangerous, as attackers can exploit it before defenses are in place.
Q: What is Lockdown Mode?
A: Lockdown Mode is an extreme, optional protection for iPhones that severely limits certain functionalities to reduce the attack surface.
Stay informed about the latest mobile security threats and prioritize regular software updates to protect your devices. Explore additional resources on Google Cloud Threat Intelligence and Lookout’s mobile security blog for in-depth analysis and actionable insights.
