A newly discovered iOS exploit kit called DarkSword is raising serious concerns in the cybersecurity community. Security researchers say this sophisticated tool is capable of taking full control of Apple iPhones and stealing large amounts of sensitive data within seconds.
The exploit kit was identified by researchers from the Google Threat Intelligence Group (GTIG), iVerify, and Lookout. According to their findings, multiple threat actors have been actively using DarkSword since November 2025 in cyber-espionage and financially motivated attacks.
The exploit kit targets iPhones running iOS 18.4 through 18.7 and compromises a device as soon as the victim loads a malicious web page in Safari; no further interaction from the victim is required.
Security researchers believe several cyber groups and surveillance vendors are using DarkSword in real-world attacks. The campaigns have reportedly targeted users in Saudi Arabia, Turkey, Malaysia, Ukraine, and other regions.
One of the primary groups linked to the exploit kit is a suspected Russian espionage actor known as UNC6353. The group has previously been associated with advanced cyber operations targeting Ukrainian users.
Interestingly, DarkSword is the second iOS exploit kit discovered within a month, following the emergence of another exploit chain known as Coruna. Researchers say the appearance of multiple exploit kits in such a short time highlights the growing underground market for iOS vulnerabilities and exploit tools.
According to security experts, even threat actors with limited technical skills can now purchase or access powerful exploit chains from commercial surveillance vendors.
DarkSword is designed as a full exploit chain, meaning it combines multiple vulnerabilities to break through several layers of iOS security.
The exploit kit uses six vulnerabilities, including three zero-day vulnerabilities that were actively exploited before Apple released security patches.
The vulnerabilities involved include:
- CVE-2025-31277 – Memory corruption flaw in JavaScriptCore
- CVE-2026-20700 – Pointer Authentication Code bypass in dyld
- CVE-2025-43529 – JavaScriptCore memory corruption vulnerability
- CVE-2025-14174 – Memory corruption vulnerability in ANGLE
- CVE-2025-43510 – iOS kernel memory management flaw
- CVE-2025-43520 – Kernel memory corruption vulnerability
These vulnerabilities allow attackers to gradually escalate privileges until they gain full control of the iPhone operating system.
The attack usually starts when a victim visits a compromised website using the Safari browser.
Researchers found that some hacked websites contain a hidden malicious iframe element. This iframe loads JavaScript code that first fingerprints the visitor's device to check whether it is running a vulnerable version of iOS.
If the device meets the criteria, the exploit chain is triggered automatically.
This technique is known as a watering hole attack, where attackers compromise websites frequently visited by their targets.
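The version gate described above, as an added example that is not code from the article or from the researchers who analysed DarkSword: the article only says the kit checks for iOS 18.4 through 18.7 before firing, not how it fingerprints the device, so parsing the Safari User-Agent string is an assumption made here for illustration. The same function doubles as a defender-side triage check over web-server or proxy logs, flagging visits from the affected range. The sample User-Agent strings are constructed, not captured from real traffic.

```javascript
// Added example (not from the original article or the researchers).
// A version gate of the kind a watering-hole page uses to decide whether to
// launch an exploit chain, written here as a defender-side check.
// Assumption: the iOS version is taken from the Safari User-Agent string.

// Inclusive version range the article reports as affected.
const AFFECTED_MIN = { major: 18, minor: 4 };
const AFFECTED_MAX = { major: 18, minor: 7 };

// Safari on iPhone reports the OS as "CPU iPhone OS 18_4_1 like Mac OS X";
// iPad reports "CPU OS 18_4 like Mac OS X". The patch component is optional.
const IOS_UA_RE = /\b(?:iPhone|CPU) OS (\d+)_(\d+)(?:_(\d+))?\b/;

// Returns { major, minor, patch } or null when the UA is not an iOS Safari UA.
function parseIosVersion(userAgent) {
  const m = IOS_UA_RE.exec(userAgent);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3] || 0) };
}

// Compares major.minor only; the affected range is expressed at that level.
function compareVersions(a, b) {
  if (a.major !== b.major) return a.major - b.major;
  return a.minor - b.minor;
}

// True when the UA carries an iOS version inside [AFFECTED_MIN, AFFECTED_MAX].
// Non-iOS or unparseable UAs are treated as not affected.
function isInAffectedRange(userAgent) {
  const v = parseIosVersion(userAgent);
  if (!v) return false;
  return compareVersions(v, AFFECTED_MIN) >= 0 &&
         compareVersions(v, AFFECTED_MAX) <= 0;
}

// Constructed sample User-Agent strings (not captured from real traffic).
const SAMPLE_UAS = [
  "Mozilla/5.0 (iPhone; CPU iPhone OS 18_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.7 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 18_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (iPhone; CPU iPhone OS 26_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0 Mobile/15E148 Safari/604.1",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Safari/605.1.15",
];

// Tags each UA with whether it falls in the affected range.
function summarize(uas) {
  return uas.map((ua) => ({ ua, affected: isInAffectedRange(ua) }));
}

for (const r of summarize(SAMPLE_UAS)) {
  console.log(r.affected ? "AFFECTED   " : "not affected", r.ua.slice(0, 60));
}
```

Two caveats for defensive use: a User-Agent is trivially spoofed, so a log hit is a triage lead and not proof of a vulnerable device; and an exploit kit may fingerprint through feature detection rather than the UA, so the absence of a UA-based check on a suspicious page does not mean the page is not gating on version.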
Once activated, DarkSword performs several steps to bypass Apple's security protections.
The exploit chain begins by exploiting flaws in JavaScriptCore, the JavaScript engine used by Safari. This gives attackers remote code execution inside the browser's content process.
From there, the chain escapes the WebContent sandbox, which isolates Safari's web content process from the rest of the system.
Next, it abuses the WebGPU framework to move into mediaplaybackd, a system daemon that handles media playback on iOS.
After gaining code execution in this more privileged process, the chain deploys a data-stealing payload known as GHOSTBLADE.
Once inside the system, DarkSword can collect an extensive amount of personal data from the compromised device.
The malware is capable of stealing:
- Email accounts and stored messages
- Files stored in iCloud Drive
- Contacts and call history
- SMS and messaging data
- Safari browsing history and cookies
- Cryptocurrency wallet information
- Login credentials and passwords
- Photos and media files
- Wi-Fi configuration and saved passwords
- Device location history
- Installed apps list
- Data from Apple apps such as Notes and Health
- Message history from apps like Telegram and WhatsApp
This information is packaged and sent to attacker-controlled servers over HTTP or HTTPS connections, with the stolen data encrypted before transmission.
Unlike traditional spyware that stays hidden on a device for long-term surveillance, DarkSword follows a “hit-and-run” strategy.
The malware quickly collects valuable data, sends it to the attackers, removes its traces, and exits the device.
Researchers say this approach shortens the time the malware remains on the device, making detection much more difficult. For investigators it also means that a device examined after the fact may carry few on-device artifacts of the intrusion.
Apart from UNC6353, researchers identified other groups using the exploit kit.
One of them is UNC6748, which targeted Saudi users through a Snapchat-themed phishing website.
Another campaign has been linked to PARS Defense, a Turkish surveillance vendor believed to have used DarkSword to deliver a backdoor called GHOSTSABER.
These backdoors allow attackers to perform device enumeration, execute arbitrary JavaScript code, and steal sensitive data.
Researchers say the discovery of DarkSword highlights a worrying trend: the rapid expansion of the market for iOS zero-day exploits.
Such vulnerabilities were once primarily used by nation-state intelligence agencies. However, the increasing commercialization of surveillance tools means criminal groups and private actors can now access these powerful exploits.
Experts warn that millions of iPhones may remain vulnerable if users fail to install the latest security updates.
Cybersecurity experts recommend the following steps to reduce the risk of exploitation:
- Always install the latest iOS security updates, and confirm the installed version on any device that was running iOS 18.4 through 18.7
- Avoid clicking suspicious links or visiting unknown websites
- Use mobile security tools that detect malicious activity
- Enable device protection features, such as Apple's Lockdown Mode on high-risk devices, and use a strong passcode
Keeping iOS updated is the most effective defense against exploit kits like DarkSword.
