Full Report
DarkSword is a sophisticated piece of malware—probably government designed—that targets iOS. Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine...
Analysis Summary
# Tool/Technique: DarkSword
## Overview
DarkSword is a sophisticated, full-chain iOS exploit kit and malware delivery framework. Likely developed for government use or by commercial surveillance vendors (CSVs), it chains six distinct vulnerabilities, including multiple zero-days, to bypass iOS security protections and fully compromise target devices. Once the chain lands, it acts as a loader for secondary espionage payloads.
## Technical Details
- **Type:** Malware Exploit Chain / Framework
- **Platform:** iOS (reported affected versions: 18.4 through 18.7)
- **Capabilities:** Full chain exploitation, zero-day utilization, deployment of complex surveillance payloads.
- **First Seen:** November 2025 (Observed activity); May 2026 (Public disclosure).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise (watering hole campaigns: the victim is exploited by visiting a compromised site, with no lure link to click, so this fits better than T1204.001 User Execution: Malicious Link)
- **TA0002 - Execution**
- T1203 - Exploitation for Client Execution
- **TA0004 - Privilege Escalation**
- T1068 - Exploitation for Privilege Escalation (Kernel-level compromise)
- **TA0005 - Defense Evasion**
- T1622 - Debugger Evasion (inferred from the tool's tier; not described in the source report)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- **Full-Chain Exploitation:** Chains six vulnerabilities to move from initial code execution in the browser, through a sandbox escape, to kernel-level privileges.
- **Payload Delivery:** Acts as a delivery mechanism for three primary malware families: **GHOSTBLADE**, **GHOSTKNIFE**, and **GHOSTSABER**.
- **Targeted Deployment:** Capable of being deployed via watering hole attacks to specific geographic regions or demographics.
### Advanced Features
- **Zero-Day Integration:** Incorporates multiple previously unknown vulnerabilities, indicating high-resource development.
- **Commercial Distribution:** The framework has been observed in use by multiple distinct commercial surveillance vendors and state-sponsored actors simultaneously.
- **Public Leak:** Despite being a high-tier tool, a version of the exploit kit leaked publicly in March 2026, after which adoption broadened to non-state actors.
## Indicators of Compromise
*Note: Specific hashes and C2 domains were not provided in the source article text.*
- **Toolmarks:** The string "DarkSword" in recovered payloads (visible only after decryption); this is a toolmark, not a file name.
- **Network Indicators:** Watering hole domains serving the chain to visitors in Saudi Arabia, Turkey, Malaysia, and Ukraine. No domains or URLs are given in the source.
- **Behavioral Indicators:**
- Exploitation shortly after a device visits a compromised (watering hole) website.
- Presence of GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER artifacts in mobile memory or storage.
## Associated Threat Actors
- **UNC6353:** A suspected Russian espionage group.
- **Commercial Surveillance Vendors (CSVs):** Various unnamed private intelligence firms.
- **Suspected State Actors:** Unnamed, suspected state-sponsored actors behind campaigns against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.
## Detection Methods
- **Signature-based detection:** Signatures for the GHOST-series payloads, where published by GTIG.
- **Behavioral detection:** iOS exposes no kernel telemetry to third-party apps, so "unusual kernel-level activity" is not something an on-device agent can observe. In practice this means offline analysis of sysdiagnose archives and device backups for anomalous process or crash records (for example with a forensic toolkit such as Amnesty International's MVT).
- **Forensic Analysis:** Inspection of decrypted payload artifacts for the "DarkSword" toolmark; the toolmark is not visible while the payload is still encrypted.
## Mitigation Strategies
- **Prevention measures:**
- Update iOS devices to version 18.8 or later (the chain targets 18.4 through 18.7).
- Enable Lockdown Mode for high-risk individuals; it disables browser JIT and other web attack surface that full-chain web exploits typically rely on.
- **Hardening recommendations:**
- Restrict web access to vetted sites. This only partly mitigates watering holes, which are usually legitimate sites that have been compromised rather than obviously suspicious ones.
- Reboot devices regularly to clear memory-resident stages. This does not help once a persistent implant is installed, so a device suspected of compromise should be examined rather than just rebooted.
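As an added example (not from the GTIG report), the following Python script triages an MDM device inventory against the affected version range and the Lockdown Mode recommendation above. The CSV columns (`serial`, `os_version`, `lockdown_mode`) and the sample rows are constructed stand-ins for whatever your MDM exports; the script's one non-obvious point is that iOS versions must be compared numerically, because a string comparison would rank a hypothetical "18.10" below "18.8".

```python
"""Triage an MDM inventory against the DarkSword-affected iOS range.

Added example, not from the GTIG report. The CSV layout and the sample
inventory below are constructed; adapt the column names to your MDM export.
"""
import csv
import io

# Affected range reported above: iOS 18.4 through 18.7 (any patch level,
# which is an assumption about how "through 18.7" should be read).
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)
# Recommended floor from the mitigation list: 18.8 or later.
FIXED_MIN = (18, 8)


def parse_version(text):
    """Turn '18.7.1' into (18, 7, 1), padding to three numeric components.

    Numeric tuples compare correctly: (18, 10) > (18, 8), whereas the
    strings '18.10' < '18.8' because '1' sorts before '8'.
    """
    parts = text.strip().split(".")
    out = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"bad version component {part!r} in {text!r}")
        out.append(int(part))
    while len(out) < 3:
        out.append(0)
    return tuple(out[:3])


def is_affected(version):
    """True if the major.minor falls inside the reported affected range."""
    major_minor = parse_version(version)[:2]
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def is_patched(version):
    """True if the device meets the recommended minimum release."""
    return parse_version(version)[:2] >= FIXED_MIN


def triage(csv_text):
    """Classify each device as 'patched', 'exposed', 'exposed-lockdown'
    (in range but Lockdown Mode enabled, which reduces but does not remove
    the risk) or 'below-range' (older than 18.4; out of scope for this
    chain but still unpatched)."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ver = row["os_version"]
        lockdown = row.get("lockdown_mode", "").strip().lower() in ("1", "true", "yes")
        if is_patched(ver):
            status = "patched"
        elif is_affected(ver):
            status = "exposed-lockdown" if lockdown else "exposed"
        else:
            status = "below-range"
        results.append((row["serial"], ver, status))
    return results


# Constructed sample inventory; "18.10" is not a real release and is here
# only to show why numeric comparison matters.
SAMPLE_INVENTORY = """serial,os_version,lockdown_mode
A1,18.7.1,no
A2,18.10,no
A3,18.8,no
A4,18.4,yes
A5,18.3.2,no
"""

if __name__ == "__main__":
    for serial, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{serial:4} {ver:8} {status}")
```

Devices reported as `exposed` are the ones to update first; `exposed-lockdown` devices are still in the affected range and should be updated too, Lockdown Mode just buys time.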
## Related Tools/Techniques
- **Coruna:** An older, powerful iOS exploit kit used by similar threat actors (e.g., UNC6353).
- **GHOSTBLADE / GHOSTKNIFE / GHOSTSABER:** The specific malware families delivered via the DarkSword chain.