Full Report
It takes a single page load on a compromised Ukrainian government site, no tap, no download, no warning, and an iPhone running an unpatched iOS 18.4 through 18.7 build (anything before 18.7.3) hands over its messages, photos, passwords, Telegram history, iCloud files, and cryptocurrency wallet keys to an attacker halfway across the world, then erases every trace of the intrusion within minutes. That is DarkSword. And it has already spread to at least four countries.

On Wednesday, Google Threat Intelligence Group (GTIG), mobile security firm Lookout and device integrity company iVerify published coordinated research disclosing a new iOS full-chain exploit kit they named DarkSword, a name taken directly from a variable in the malware's own code: const TAG = "DarkSword-WIFI-DUMP". The three organizations worked from separate discovery threads, each contributing distinct pieces of a deeply alarming picture.

DarkSword in the Hands of Spyware Vendors and State Actors

GTIG has tracked DarkSword deployments since at least November 2025, identifying multiple distinct threat actors, including commercial surveillance vendors and suspected state-sponsored groups, deploying the same exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The chain leverages six vulnerabilities across iOS 18.4 through 18.7. All six have now been patched in iOS 26.3, though most of the fixes arrived in earlier updates. GTIG notified Apple in late 2025.

Studying the Exploit Chain

For Ukrainian targets, the exploit chain's entry point sat inside two compromised websites: novosti[.]dn[.]ua, a news portal, and 7aac[.]gov[.]ua, a Ukrainian government domain. Both sites contained an invisible malicious iframe injected by the attackers, which silently loaded exploit code hosted on a server in Estonia.
That server only delivered the payload to devices with Ukrainian IP addresses, a deliberate geofencing technique that limits exposure, frustrates researchers, and lengthens the operational window before detection.

Once Safari loaded the iframe, DarkSword executed a disciplined, multi-stage attack entirely in JavaScript, a design choice that is itself significant. There is no binary implant, no Mach-O library injected into processes, no traditional malware artifact of the kind endpoint detection logic expects to find. The chain breaks out of WebKit's WebContent sandbox, uses WebGPU to inject into a background media process called mediaplaybackd, builds arbitrary kernel read/write access from there, and then uses that access to lift sandbox restrictions on the device's most privileged processes, including configd, wifid, securityd, and UserEventAgent. The final payload orchestrator, pe_main.js, then injects targeted data-theft modules into each of these processes, stages the collected data in accessible filesystem locations, and exfiltrates the complete collection to a command-and-control server. The staged files are then deleted and the process exits cleanly. Total dwell time on a victim device is measured in minutes.

GTIG has identified three distinct malware families delivered after a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

What DarkSword steals covers almost every surface of a modern iPhone: SMS and iMessage content, call history, the address book, Wi-Fi passwords, Safari browsing history and cookies, location history, health data, photos, iCloud Drive, email, saved passwords, WhatsApp and Telegram message histories, and the complete list of installed applications. Most unusually for a state-adjacent espionage tool, DarkSword specifically targets cryptocurrency wallets, including Coinbase, Binance, Kraken, Kucoin, Ledger, Trezor, MetaMask, and Exodus, among others.
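The watering-hole delivery described above rests on one injected, invisible iframe per site. The following scanner, an added example that is not code from the research or from the kit, flags the combination that characterises such an injection: an iframe that is hidden by CSS, pushed off-screen or collapsed to a pixel, and that loads from a host other than the site itself. The HTML is constructed, and the hostnames (example.com as the audited site, cdn.example.net as the exploit-delivery host) are placeholders, not the real infrastructure.

```python
"""Scan a page for hidden, off-origin iframes, the injection pattern used to
turn the two Ukrainian sites into DarkSword watering holes.

Added example, not code from the research or from the kit. The HTML is
constructed and the hostnames (example.com as the audited site, cdn.example.net
as the delivery host) are placeholders, not the real infrastructure."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.com"  # assumed origin of the page being audited

# Constructed page: a legitimate same-origin embed, an injected 1x1 iframe hidden
# with inline CSS, and a protocol-relative iframe hidden via visibility.
SAMPLE_HTML = """
<html><body>
<h1>Novosti</h1>
<iframe src="https://example.com/widgets/weather" width="300" height="200"></iframe>
<div><iframe src="https://cdn.example.net/c/stat.html" width="1" height="1"
     style="display:none;position:absolute;left:-9999px"></iframe></div>
<iframe src="//cdn.example.net/x" style="visibility:hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value, default):
    """Parse a width/height attribute; percentages and junk fall back to default."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value or "")
    return int(m.group(1)) if m else default


def is_hidden(attrs):
    """Hidden by CSS, pushed off-screen, or collapsed to (near) zero size."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d{3,}", style):  # at least 100px off-screen
        return True
    return _px(attrs.get("width"), 100) <= 1 or _px(attrs.get("height"), 100) <= 1


def src_host(src, site_host):
    """Host the iframe loads from; relative URLs resolve to the site itself."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or site_host).lower()


def scan_page(html, site_host=SITE_HOST):
    """Return iframes that are both hidden and loaded from another host.
    Either property alone is common on benign pages; together they are the
    shape of an injected exploit loader and worth a manual look."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = src_host(src, site_host)
        off_origin = host != site_host and not host.endswith("." + site_host)
        if is_hidden(attrs) and off_origin:
            findings.append({"src": src, "host": host})
    return findings


if __name__ == "__main__":
    for hit in scan_page(SAMPLE_HTML):
        print("hidden off-origin iframe ->", hit["src"])
```

Run it against HTML fetched from a Ukrainian (or other target-region) egress point: because the exploit server geofenced its responses, the iframe itself may be present in the page from anywhere, but what it loads will differ by source IP, so save both the page and the framed resource for comparison.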
Lookout assesses this as evidence of a financially motivated dimension to the threat actor's operations, distinct from conventional cyber espionage.

The Six Vulnerabilities Underneath DarkSword

DarkSword's power derives from chaining six distinct flaws across different layers of iOS, each one unlocking the next stage of access.

Figure: The six vulnerabilities exploited at various levels of the exploit chain. (Image source: GTIG)

The remote code execution stage exploited two memory corruption vulnerabilities in JavaScriptCore, the JavaScript engine that powers WebKit and Safari. The first, CVE-2025-31277, formed the foundation of the earliest observed DarkSword deployments targeting iOS 18.4 and 18.5. A second JavaScriptCore memory corruption bug, CVE-2025-43529, was added in a later iteration of the kit targeting iOS 18.6, giving operators redundant entry points across a wider version range. Either bug lets an attacker corrupt memory from a malicious web page alone, requiring no interaction from the victim beyond the page load itself.

Alongside either RCE exploit, DarkSword chains CVE-2026-20700, a Pointer Authentication Code (PAC) bypass in dyld, the dynamic linker responsible for loading code into Apple processes. PAC is a hardware-level mitigation Apple introduced specifically to stop attackers from hijacking control flow; bypassing it is a prerequisite for the deeper access DarkSword achieves.

The remaining three vulnerabilities handle the sandbox escape and privilege escalation stages, progressively dismantling iOS security boundaries until the attacker holds unrestricted kernel read/write access across the entire device.

Apple addressed the vulnerabilities on a rolling basis rather than in a single emergency patch, reflecting the staggered pace at which researchers discovered each flaw.
CVE-2025-31277 and CVE-2025-43529 received fixes in iOS 26.1 and iOS 26.2 respectively, while CVE-2026-20700 and the remaining privilege escalation vulnerabilities were closed in iOS 26.3. For devices on the iOS 18 branch, the complete remediation covering all six DarkSword vulnerabilities landed in iOS 18.7.3. The gap between the earliest known DarkSword deployment in November 2025 and the final patch in iOS 26.3 is a window of roughly four months during which the full chain operated against unpatched devices.

The Evolution of DarkSword Under Various Threat Actors

Lookout's infrastructure analysis revealed an important link to a prior campaign. The delivery domain cdncounter[.]net shares nameservers, registrar, registration date, and overlapping IP resolution with uacounter[.]com, a domain GTIG previously tied to UNC6353, a suspected Russian espionage group that also used the earlier Coruna iOS exploit kit against Ukrainian targets. The same Ukrainian government domain that hosted DarkSword delivery code had previously distributed Coruna. GTIG has now observed UNC6353 incorporating DarkSword into its watering hole campaign repertoire alongside its previous toolkit.

Perhaps the most significant finding across all three research publications is not the sophistication of any single vulnerability, but what the proliferation of DarkSword across multiple unrelated threat actors reveals about the commercial exploit market. Code comments in the early infrastructure stages are written in Russian; code in the subsequent exploit stages switches to English, consistent with a tool built by one developer and sold or transferred to multiple buyers. References to iOS 17.4.1 and 17.5.1 in portions of the code indicate the kit evolved from an earlier version, pointing to an ongoing commercial development and distribution pipeline rather than a one-time build.
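The infrastructure pivot that tied cdncounter[.]net to UNC6353 rests on four overlaps (registrar, registration date, nameservers, resolved IPs). The script below, an added example and not Lookout's or GTIG's tooling, scores an unattributed domain against known-bad infrastructure on exactly those pivots, weighting a shared resolving IP above a shared registrar or nameserver provider and requiring more than one pivot before it reports a link. Every record value is a constructed placeholder (RFC 5737 documentation IPs, example nameservers, made-up registrar names and dates); none of it is the real WHOIS or passive-DNS data for these domains.

```python
"""Score registrar, registration-date, nameserver and IP overlap between an
unattributed delivery domain and known-bad infrastructure, the pivot Lookout
used to tie cdncounter[.]net to UNC6353's uacounter[.]com.

Added example, not Lookout's or GTIG's code. Every record value below is a
constructed placeholder (RFC 5737 documentation IPs, example nameservers,
made-up registrar names and dates), not the real WHOIS or passive-DNS data."""
from datetime import date

# Constructed WHOIS / passive-DNS records keyed by defanged domain.
RECORDS = {
    "cdncounter[.]net": {
        "registrar": "Registrar-A",
        "registered": date(2025, 10, 20),
        "nameservers": {"ns1.dns-provider.example", "ns2.dns-provider.example"},
        "ips": {"192.0.2.10", "192.0.2.11"},
    },
    "uacounter[.]com": {
        "registrar": "Registrar-A",
        "registered": date(2025, 10, 20),
        "nameservers": {"ns1.dns-provider.example", "ns2.dns-provider.example"},
        "ips": {"192.0.2.11", "198.51.100.7"},
    },
    "weather-widget[.]example": {  # unrelated control domain
        "registrar": "Registrar-B",
        "registered": date(2021, 3, 2),
        "nameservers": {"ns1.hosting.example", "ns2.hosting.example"},
        "ips": {"203.0.113.44"},
    },
}

# Prior attribution, as reported: uacounter[.]com was tied by GTIG to UNC6353.
KNOWN_BAD = {"uacounter[.]com": "UNC6353 (Coruna watering-hole infrastructure)"}


def overlap(a, b, day_window=3):
    """Return (score, reasons). Weights reflect how discriminating each pivot is:
    a shared resolving IP is strong, a shared registrar or nameserver provider
    is weak on its own, and near-identical registration dates sit in between."""
    score, reasons = 0, []
    if a["registrar"] == b["registrar"]:
        score += 1
        reasons.append("same registrar")
    if abs((a["registered"] - b["registered"]).days) <= day_window:
        score += 2
        reasons.append(f"registered within {day_window} days")
    if a["nameservers"] & b["nameservers"]:
        score += 1
        reasons.append("shared nameservers")
    shared_ips = a["ips"] & b["ips"]
    if shared_ips:
        score += 3
        reasons.append("shared IP resolution: " + ", ".join(sorted(shared_ips)))
    return score, reasons


def link_candidates(records, known_bad, threshold=5):
    """Compare every unattributed domain with each known-bad one and return the
    pairs whose combined overlap clears the threshold. Since no single pivot
    scores more than 3, the threshold forces at least two independent pivots,
    so one shared hosting or DNS provider never links a domain on its own."""
    links = []
    for domain, rec in records.items():
        if domain in known_bad:
            continue
        for bad, actor in known_bad.items():
            score, reasons = overlap(rec, records[bad])
            if score >= threshold:
                links.append({"domain": domain, "linked_to": bad,
                              "actor": actor, "score": score, "reasons": reasons})
    return links


if __name__ == "__main__":
    for link in link_candidates(RECORDS, KNOWN_BAD):
        print(f"{link['domain']} -> {link['linked_to']} [{link['actor']}] "
              f"score={link['score']}: {'; '.join(link['reasons'])}")
```

The weights are a starting point, not a verdict: shared nameservers at a large DNS provider are near-meaningless, whereas a shared IP on a small host registered the same day is the kind of overlap that justifies a closer look at the domain's content and certificates.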
Lookout states that the threat actor likely gained access to an exploit and post-exploitation toolkit built by a third party. Nation-state grade iOS zero-day chains, once assumed exclusive to Tier 1 commercial surveillance vendors supplying governments, now circulate in a secondary market accessible to actors with narrower resources and mixed motives, including financial crime.

Devices running iOS 18.7.3, or iOS 26.3 and later, are not vulnerable. Google has added the DarkSword delivery domains to Safe Browsing. For devices that cannot be updated immediately, Apple's Lockdown Mode reduces the available attack surface, although the research does not state whether it stops this particular chain.
Analysis Summary
# Incident Report: Proliferation of "DarkSword" iOS Full-Chain Exploit Kit
## Executive Summary
The "DarkSword" incident involves a sophisticated iOS exploit chain, triggered by loading a compromised web page with no further user interaction, used by multiple state-sponsored and commercial threat actors to achieve full device compromise. The attack chains six vulnerabilities to bypass Apple's security mitigations and exfiltrate comprehensive user data, including WhatsApp, Telegram and iMessage history and cryptocurrency wallet keys. The campaign marks a significant shift in the threat landscape: nation-state grade zero-day tooling is now circulating in a secondary commercial market.
## Incident Details
- **Discovery Date:** Late 2025 (GTIG notified Apple in late 2025; coordinated research published in 2026)
- **Incident Date:** Active since at least November 2025
- **Affected Organization:** Ukrainian government domain 7aac[.]gov[.]ua and news portal novosti[.]dn[.]ua (compromised as delivery hosts); individual victims in Ukraine, Saudi Arabia, Turkey, and Malaysia (victim organizations not named in the research)
- **Sector:** Government and news media (as watering-hole hosts); victims' sectors not disclosed, with cryptocurrency wallet users singled out for collection
- **Geography:** Ukraine, Saudi Arabia, Turkey, Malaysia (exploit server hosted in Estonia)
## Timeline of Events
### Initial Access
- **Date/Time:** November 2025 until the final patches (iOS 18.7.3 / iOS 26.3), roughly four months.
- **Vector:** Watering hole attack via compromised websites (7aac[.]gov[.]ua and novosti[.]dn[.]ua). The research describes this delivery path for the Ukrainian targets only.
- **Details:** Attackers injected an invisible iframe into each legitimate site. The iframe silently loaded exploit code from a server in Estonia, which served the payload only to Ukrainian IP addresses (geofencing).
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; the chain instead moves across iOS system processes. After escaping the WebKit WebContent sandbox, it injects into `mediaplaybackd` via WebGPU, obtains arbitrary kernel read/write, and uses that to lift sandbox restrictions on `configd`, `wifid`, `securityd`, and `UserEventAgent`.
### Data Exfiltration/Impact
- **Details:** The orchestrator `pe_main.js` injected modules to steal SMS/iMessage content, Telegram/WhatsApp history, photos, iCloud files, and Wi-Fi passwords. Unusually for an espionage tool, it also targeted cryptocurrency wallets (Coinbase, Binance, MetaMask, and others). Data was staged in accessible filesystem locations and exfiltrated to a C2 server, after which the staged files were deleted and the process exited cleanly.
### Detection & Response
- **Discovery:** Collaboratively discovered by Google Threat Intelligence Group (GTIG), Lookout, and iVerify through separate research threads.
- **Response:** Apple was notified in late 2025 and patched the six bugs across successive iOS updates, concluding with full remediation in iOS 18.7.3 (iOS 18 branch) and iOS 26.3.
## Attack Methodology
- **Initial Access:** Remote code execution via JavaScriptCore memory corruption (CVE-2025-31277 in the iOS 18.4/18.5 deployments, CVE-2025-43529 added for iOS 18.6), triggered by the page load alone.
- **Persistence:** None reported; the chain runs entirely in memory, deletes its staged files and exits within minutes, so continued access would require exploiting the device again.
- **Privilege Escalation:** PAC bypass in `dyld` (CVE-2026-20700) alongside the RCE, then three further sandbox escape and privilege escalation bugs leading to arbitrary kernel read/write.
- **Defense Evasion:** Entirely JavaScript-based (no binary implant or injected Mach-O); geofenced delivery to Ukrainian IP addresses; deletion of staged files and a clean process exit on completion.
- **Credential Access:** Saved passwords, Safari cookies, Wi-Fi passwords, and cryptocurrency wallet data (Coinbase, Binance, Kraken, Kucoin, Ledger, Trezor, MetaMask, Exodus, among others).
- **Discovery:** Enumeration of installed applications and on-device data stores.
- **Collection:** Per-process theft modules injected by `pe_main.js`; messages, call history, contacts, location and health data, photos, iCloud Drive and email staged in accessible filesystem locations.
- **Exfiltration:** Transfer of the staged collection to an attacker-controlled C2 server (transport details are not given in the research).
- **Impact:** Complete loss of data confidentiality on the device and potential theft of crypto assets.
## Impact Assessment
- **Financial:** High potential; the kit specifically targets at least eight named cryptocurrency wallet applications.
- **Data Breach:** Total; messages, call logs, contacts, location history, health data, photos, cloud files and saved passwords.
- **Operational:** Low; the device remains functional and the intrusion leaves no visible trace.
- **Reputational:** High for the Ukrainian government and news domains used as delivery vectors.
## Indicators of Compromise
- **Network Indicators:**
- cdncounter[.]net (DarkSword delivery domain)
- uacounter[.]com (earlier UNC6353 / Coruna infrastructure, linked by shared registration and hosting)
- novosti[.]dn[.]ua and 7aac[.]gov[.]ua (compromised watering-hole sites; these are legitimate domains, so treat visits as context for the delivery-domain hits rather than blocking them outright)
- Estonian payload server IPs (as identified in GTIG report)
- **File Indicators:**
- `DarkSword-WIFI-DUMP` (string constant `const TAG` in the kit's JavaScript)
- `pe_main.js` (post-exploitation orchestrator)
- **Behavioral Indicators:** Outbound connections to unknown hosts shortly after a Safari page load on a compromised site, and short-lived staging files written to accessible filesystem locations and then deleted. The research does not name which process performs the exfiltration, so process-to-destination rules should not be limited to `mediaplaybackd` or `wifid`.
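The network indicators above are published defanged and will appear in telemetry both as the bare domain and as subdomains. The following matcher, an added example rather than anything from the research, refangs the indicator list and runs it over DNS query logs on label boundaries, so `static.cdncounter.net` matches while a lookalike such as `notcdncounter.net` does not. The log lines are constructed in a generic "timestamp client qname" format; only the two indicator domains are real.

```python
"""Match DNS query logs against the DarkSword indicator list.

Added example, not from the GTIG/Lookout/iVerify research. Log lines are
constructed in a generic "timestamp client qname" format; every hostname other
than the two indicators is a placeholder."""
import re

INDICATORS = ["cdncounter[.]net", "uacounter[.]com"]


def refang(ioc):
    """Turn the defanged form used in reports back into a real hostname."""
    return ioc.replace("[.]", ".").lower().rstrip(".")


def matches(qname, indicator):
    """True for the indicator itself and any subdomain of it. The check is on
    label boundaries so 'notcdncounter.net' does not match 'cdncounter.net'."""
    q = qname.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+)$")

# Constructed log: one true hit on a subdomain, one lookalike, one hit with a
# trailing dot (as many resolvers log it), and benign noise.
SAMPLE_LOG = """\
2025-11-14T09:12:01Z 10.0.0.23 novosti.dn.ua
2025-11-14T09:12:02Z 10.0.0.23 static.cdncounter.net
2025-11-14T09:12:02Z 10.0.0.23 notcdncounter.net
2025-11-14T09:13:40Z 10.0.0.51 uacounter.com.
2025-11-14T09:14:05Z 10.0.0.77 cdn.example.com
"""


def scan_dns_log(log_text, indicators=INDICATORS):
    """Return (timestamp, client, qname, indicator) for every hit."""
    refanged = [refang(i) for i in indicators]
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; skip it rather than abort the hunt
        for ind in refanged:
            if matches(m["qname"], ind):
                hits.append((m["ts"], m["client"], m["qname"], ind))
    return hits


if __name__ == "__main__":
    for ts, client, qname, ind in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {qname} (matches {ind})")
```

Because the chain finishes in minutes, a hit on the delivery domain is evidence that a page load occurred, not that exploitation succeeded; pair the client IP and timestamp with the device's iOS version at that time to decide whether it falls in the vulnerable range.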
## Response Actions
- **Containment:** Google Safe Browsing blocked identified delivery domains.
- **Eradication:** Apple released rolling patches: CVE-2025-31277 in iOS 26.1, CVE-2025-43529 in iOS 26.2, CVE-2026-20700 and the remaining bugs in iOS 26.3, with all six fixed in iOS 18.7.3 for the iOS 18 branch.
- **Recovery:** Users advised to update to iOS 18.7.3 / 26.3 or later.
## Lessons Learned
- **Commercialization of Exploits:** Sophisticated exploit chains are no longer exclusive to a single actor but are being sold as kits, as evidenced by Russian/English code comments.
- **The "No-Artifact" Trend:** Modern mobile threats are shifting toward entirely memory-resident, script-based execution to bypass traditional file-based EDR.
- **Geofencing Effectiveness:** Attackers successfully used IP filtering to delay discovery by global security firms for several months.
## Recommendations
- **Immediate Update:** Force-update all iOS devices to version 18.7.3 / 26.3 or higher.
- **High-Risk Users:** Enable **Apple Lockdown Mode** for individuals in government, journalism, or high-finance roles to reduce the browser attack surface.
- **Monitoring:** Implement mobile endpoint security that monitors process behavior rather than just looking for known file signatures.
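Acting on the update recommendation across a fleet means classifying each device against two fix levels at once (iOS 18.7.3 on the 18 branch, iOS 26.3 on the 26 branch) and distinguishing builds inside the observed exploited range (iOS 18.4 through 18.7) from builds that are merely short of the full fix. The triage below is an added example, not tooling from Apple or the researchers; it reads a constructed MDM inventory export (placeholder serials and models) and returns a status per device.

```python
"""Triage an MDM inventory export against the DarkSword fix levels reported
above: iOS 18.7.3 on the iOS 18 branch, iOS 26.3 on the iOS 26 branch, with
in-the-wild exploitation observed on iOS 18.4 through 18.7.

Added example, not from Apple or the research. The inventory rows are
constructed; serials and models are placeholders."""
import csv
import io

# Versions at which all six chained bugs are fixed, per major branch.
FIXED = {18: (18, 7, 3), 26: (26, 3, 0)}
# Half-open range in which the chain was observed in use against real devices.
EXPLOITED_LOW, EXPLOITED_HIGH = (18, 4, 0), (18, 7, 3)


def parse_version(text):
    """'18.7' -> (18, 7, 0); missing components are treated as zero, which is
    how Apple numbers the first release of a train (18.7 == 18.7.0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def classify(version_text):
    v = parse_version(version_text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown-branch"        # e.g. iOS 17: not covered by the research
    if v >= fixed:
        return "patched"
    if EXPLOITED_LOW <= v < EXPLOITED_HIGH:
        return "vulnerable-exploited"  # inside the observed target range
    # Pre-18.4 and 26.0-26.2: not in the observed range, but still short of the
    # build that closes every chain component, so they need the update too.
    return "update-required"


# Constructed inventory export; serials and models are placeholders.
SAMPLE_INVENTORY = """\
serial,model,os_version
C02AAA,iPhone 15,18.6.2
C02BBB,iPhone 14,18.7.3
C02CCC,iPhone 16,26.2
C02DDD,iPhone 16,26.3.1
C02EEE,iPhone 12,18.3.1
C02FFF,iPhone 11,17.5.1
"""


def triage(csv_text):
    """Map each serial to its status; the vulnerable and update-required sets
    can then drive a forced-update policy or a Lockdown Mode requirement."""
    return {row["serial"]: classify(row["os_version"])
            for row in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for serial, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(serial, status)
```

Treat "update-required" devices on iOS 26.0 to 26.2 as urgent despite being outside the observed range: the research notes that a later kit iteration swapped in a second JavaScriptCore bug to widen version coverage, and the dyld PAC bypass and privilege escalation flaws remain unpatched on those builds until 26.3.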