8 Critical Facts About the DarkSword iOS Exploit Chain You Need to Know
In late 2025, a new and highly dangerous full-chain exploit for iOS emerged, threatening users across the globe. Dubbed DarkSword by researchers, this sophisticated attack leverages multiple zero-day vulnerabilities to achieve complete device compromise. According to the Google Threat Intelligence Group (GTIG), DarkSword has been adopted by a range of commercial surveillance vendors and suspected state-sponsored actors, targeting individuals in at least four countries. What follows are eight essential details about this exploit chain, its deployment, and how to protect yourself.
1. What Exactly Is DarkSword?
DarkSword is an iOS full-chain exploit that uses a series of zero-day vulnerabilities to silently take over a device. Unlike single-vulnerability exploits, a full-chain attack chains multiple flaws together to bypass security layers and gain deep system access. In this case, DarkSword targets iOS versions 18.4 through 18.7 and employs six distinct vulnerabilities to deliver final-stage malware. Researchers from GTIG, Lookout, and iVerify discovered the exploit chain in active use starting in November 2025, and they believe it was named DarkSword by its developers based on toolmarks found in recovered payloads.

2. Who Is Behind the Attacks?
Multiple threat actors have been observed using DarkSword, including both commercial surveillance vendors and state-sponsored groups. GTIG identified a cluster called UNC6748 deploying it against Saudi Arabian users. Another group, UNC6353—a suspected Russian espionage operation previously linked to the Coruna iOS exploit kit—has also integrated DarkSword into its watering hole campaigns. The widespread adoption across different actors mirrors the earlier proliferation of the Coruna kit, indicating that DarkSword may be sold or shared among threat communities.
3. Which Countries Are Being Targeted?
As of early 2026, GTIG has confirmed DarkSword attacks targeting individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine. Each campaign appears tailored to the victims, with lures and delivery methods customized to local contexts. For example, the Saudi Arabian campaign used a Snapchat-themed phishing site, while other campaigns likely employ similar social engineering tactics. The geographic diversity suggests that DarkSword is a versatile tool employed by actors with varying geopolitical interests.
4. What Vulnerabilities Does It Exploit?
DarkSword takes advantage of six zero-day vulnerabilities in iOS 18.4 through 18.7. While the specific CVEs have not been fully disclosed to preserve user safety, GTIG reported all six to Apple in late 2025. Apple subsequently patched most of these flaws in iOS 26.3, with earlier patches addressing some vulnerabilities prior to that release. Users who have updated to the latest iOS version are no longer vulnerable to the known exploit chain. However, devices still running iOS 18.x remain at risk.
5. What Kind of Malware Does It Deliver?
After successful DarkSword exploitation, the attacker can install one of three malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. Each of these payloads provides different capabilities, such as persistent backdoor access, data exfiltration, or surveillance functions. The use of multiple payload variants indicates that the exploit chain is modular, allowing operators to choose the most appropriate malware for their objectives. GTIG has analyzed samples of these payloads to understand their behavior and command-and-control infrastructure.

6. How Are Victims Initially Lured?
Delivery methods vary by actor, but a prominent example comes from the UNC6748 campaign targeting Saudi Arabia. The attackers created a website styled after Snapchat, snapshare[.]chat, which served as a landing page. The page contained obfuscated JavaScript that created an IFrame to fetch a second-stage resource. It also set a session storage key to prevent re-infection—indicating a carefully crafted process to ensure only new victims are compromised. Other campaigns likely use similar social engineering or watering hole tactics.
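For defenders, the landing-page domain above is something to hunt for in web-proxy or DNS logs. The following is an added example, not code from the article or from GTIG: it refangs the indicator as printed here and matches it on label boundaries so lookalike hosts are not flagged. The log layout, client addresses and the decision to also match subdomains are assumptions.

```python
from urllib.parse import urlsplit

# Defanged indicator exactly as the article prints it.
DEFANGED_IOCS = ["snapshare[.]chat"]

def refang(indicator):
    """Turn a defanged indicator back into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def host_of(url_or_host):
    """Normalised hostname from a URL or a bare host[:port] (CONNECT) field."""
    value = url_or_host.strip().lower()
    if "://" not in value:
        value = "//" + value  # make urlsplit parse it as a network location
    try:
        return (urlsplit(value).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""

def matches(host, ioc_host):
    """Exact host or a true subdomain; lookalike prefixes/suffixes do not match."""
    return host == ioc_host or host.endswith("." + ioc_host)

def hunt(log_lines, iocs=DEFANGED_IOCS):
    """Return (client, host) for every request whose host matches an indicator."""
    ioc_hosts = [refang(i) for i in iocs]
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # truncated record
        host = host_of(fields[3])
        if any(matches(host, i) for i in ioc_hosts):
            hits.append((fields[1], host))
    return hits

# Constructed sample records: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = [
    "2025-11-20T09:14:02Z 10.0.4.17 GET https://snapshare.chat/ 200",
    "2025-11-20T09:14:03Z 10.0.4.17 GET https://cdn.SnapShare.chat.:443/x 200",
    "2025-11-20T09:15:40Z 10.0.4.22 GET https://notsnapshare.chat/ 200",
    "2025-11-20T09:16:11Z 10.0.4.30 GET https://snapshare.chat.example.org/ 200",
    "2025-11-20T09:17:00Z 10.0.4.31 CONNECT snapshare.chat:443 200",
    "2025-11-20T09:17:05Z truncated",
]

if __name__ == "__main__":
    for client, host in hunt(SAMPLE_LOG):
        print(client, host)
```

Only the first, second and fifth sample records are reported; the lookalike hosts and the truncated record are skipped.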
7. How Does DarkSword Compare to Previous Exploit Kits?
Security researchers draw a direct parallel between DarkSword and the Coruna iOS exploit kit, which was previously used by multiple threat actors. Both represent a worrying trend of commercial-grade exploit chains being adopted by diverse groups, including state-sponsored espionage units. The fact that UNC6353, a known Coruna user, now also employs DarkSword suggests that these kits can circulate through the same underground channels. This proliferation makes it harder to attribute attacks and increases the risk for a broader range of targets.
8. What Can Users Do to Stay Protected?
Apple has patched the vulnerabilities used by DarkSword in iOS 26.3, and earlier updates fixed several of the six flaws. The most critical step is to update your iPhone or iPad to the latest iOS version immediately. If updating is not possible—for example, on older devices—Apple recommends enabling Lockdown Mode, which significantly reduces the attack surface. Google has also added known DarkSword delivery domains to Safe Browsing, providing an additional layer of defense against phishing attempts.
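For teams managing more than one device, the version guidance in sections 4 and 8 can be applied to an inventory export. This is an added example, not from the article or from Apple: the CSV columns, device names and action wording are constructed, and patch releases are assumed to count under their major.minor version.

```python
import csv
import io

# Thresholds taken from the article: targeted range and the release carrying the fixes.
TARGETED_MIN, TARGETED_MAX = (18, 4), (18, 7)
FIXED_IN = (26, 3)

def parse_version(text):
    """'18.6.2' -> (18, 6, 2); None for empty or malformed values."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Bucket a version by major.minor (assumption: 18.7.1 counts as 18.7)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major_minor = (v + (0,))[:2]  # pad bare majors such as '26' to (26, 0)
    if major_minor >= FIXED_IN:
        return "at-or-above-fix"
    if TARGETED_MIN <= major_minor <= TARGETED_MAX:
        return "in-targeted-range"
    return "below-fix"

def triage(inventory_csv):
    """Map device name -> (status, action) for each inventory row."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["os_version"])
        if status == "at-or-above-fix":
            action = "none"
        elif status == "unknown":
            action = "verify version manually"
        elif row["lockdown_mode"].strip().lower() == "on":
            action = "update when possible (Lockdown Mode already on)"
        else:
            action = "update, or enable Lockdown Mode if it cannot update"
        result[row["device"]] = (status, action)
    return result

# Constructed inventory export; column names are hypothetical.
SAMPLE_INVENTORY = """\
device,os_version,lockdown_mode
exec-iphone-01,18.6.2,off
field-ipad-07,18.7,on
legacy-iphone-03,17.5.1,off
lab-iphone-11,26.2,off
new-iphone-20,26.3.1,off
kiosk-ipad-02,n/a,off
"""
```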
The emergence of DarkSword underscores the persistent threat from full-chain mobile exploits and the importance of keeping devices updated. As threat actors continue to share and repurpose powerful tools, vigilance and prompt patching remain the best defenses. For the latest information, follow updates from GTIG, Lookout, and iVerify, the organizations that worked together to uncover this exploit chain.