Google and others have discovered 'DarkSword,' an exploit chain for iOS that uses six vulnerabilities.

Google's Threat Intelligence Group (GTIG) has reported the discovery of a full-chain exploit that completely compromises iOS devices by exploiting multiple zero-day vulnerabilities. This exploit, which appears to be called 'DarkSword' based on variables in the code, has been confirmed to have been used by a Russian-backed group targeting Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors | Google Cloud Blog

Attackers Wielding DarkSword Threaten iOS Users | Threat Intel
Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
https://iverify.io/blog/darksword-ios-exploit-kit-explained
An iOS exploit chain called 'Coruna' was also discovered recently, and UNC6353, a Russian group known to have used Coruna, appears to have incorporated DarkSword into its watering hole attacks.
It has been revealed that iPhones were targeted using 'Coruna,' a suite of hacking tools believed to have been developed by the US government - GIGAZINE

Coruna is an exploit that takes advantage of 23 different vulnerabilities in iOS, targeting somewhat older versions of iOS, and these vulnerabilities have been fixed in iOS 26. DarkSword has an even narrower scope, reportedly using six vulnerabilities in iOS 18.4 through 18.7 to deploy its final payload. Three pieces of malware have been identified so far: 'GHOSTBLADE,' 'GHOSTKNIFE,' and 'GHOSTSABER.'
According to GTIG, the mechanism used to load the DarkSword exploit was more basic and less robust than Coruna's, and JavaScript was used at every stage.
DarkSword aims to extract a wide range of personal information, including credentials, from devices, and has particularly targeted numerous cryptocurrency wallets.
UNC6353, the attacking group, is a relatively unknown threat actor, and no connections to other threat actors have been observed. Its access to high-quality exploit chains points to ample funding and a wide network of contacts, but it is considered technically less sophisticated and is believed to be conducting espionage for financial gain and in line with Russian intelligence requirements.
Lookout Threat Labs, a security company that contributed to the discovery of DarkSword alongside GTIG, expressed concern that the discovery of DarkSword following Coruna suggests the existence of a distribution market for technically sophisticated exploit chains. They also stated that, because the chain does not target the latest iOS, it is all the more important to update mobile devices quickly and to replace older ones.
in Security, Posted by logc_nt






