New iOS Exploit Kit DarkSword Targets iPhones
A newly uncovered iOS exploitation framework called DarkSword is reshaping the mobile threat landscape. It signals a shift from targeted espionage tools to scalable, multipurpose attack infrastructure. Joint research from Google Threat Intelligence Group (GTIG) and Lookout shows how advanced exploit chains, once reserved for nation-state actors, are now used by a wider range of threat actors, including financially motivated cybercriminals.

DarkSword is not a single vulnerability. Instead, it is a full exploit chain designed to compromise a device end to end: it strings together at least six distinct vulnerabilities in Apple's iOS platform, carrying the attacker from initial code execution in the browser to full system control. Its modular, multi-stage design reflects a broader trend in which attackers link multiple flaws to bypass modern mitigations such as sandboxing and pointer authentication.
At its core, DarkSword targets iPhones running iOS 18.4 through 18.7. This range still comprises hundreds of millions of active devices worldwide. The exploit chain starts with vulnerabilities in WebKit, the browser engine behind Safari. Attackers achieve remote code execution by simply luring victims to a malicious or compromised website. This watering hole technique is highly effective since users only have to visit a webpage.
Once initial access is established, DarkSword escalates privileges through a precise sequence of exploits. These include a sandbox escape via GPU-related vulnerabilities, followed by kernel-level exploits that bypass protections such as Pointer Authentication Codes (PAC). The vulnerabilities are tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. By the final stage, the attacker controls the device outright and can reach sensitive data and system functions without restriction.
DarkSword stands out from earlier iOS exploit kits due to its technical sophistication and operational flexibility. Researchers found several malware payloads deployed after successful exploitation: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The payloads support different post-exploitation activities, such as data harvesting or command-and-control communication, and operators can deploy whichever fits their objectives.
Below is a summary of the three malware packages as provided by BleepingComputer:
- GHOSTBLADE is a JavaScript data miner that steals a range of information. This includes crypto wallet data, system and connectivity info, browser history, photos, location, and mobility data. It also targets communication data from iMessage, Telegram, WhatsApp, email, calls, and contacts.
- GHOSTKNIFE is a backdoor that exfiltrates various types of data. These include signed-in accounts, messages, browser data, location history, and recordings.
- GHOSTSABER is a JavaScript backdoor. It can enumerate devices and accounts, list files, execute JavaScript code, and steal data.
DarkSword's deployment history highlights its significance. Since at least November 2025, it has been used by diverse threat actors. These include suspected Russian state-sponsored groups and commercial surveillance vendors. Campaigns have targeted individuals and organizations in Ukraine, Saudi Arabia, Turkey, and Malaysia. This shows its use in both geopolitical and commercial scenarios.
The evolution of DarkSword is a turning point for these capabilities. Historically, advanced mobile exploits have been used in targeted espionage against journalists, activists, and government officials. In contrast, DarkSword is found in broader campaigns that mix espionage and cybercrime. This dual-use nature shows that exploitation tools are becoming more commoditized.
The DarkSword Hit-and-Run
A notable aspect of DarkSword is its 'hit-and-run' or 'fileless' operational model. Instead of installing persistent malware, the exploit quickly extracts valuable data within minutes of compromise. This data may include credentials, cryptocurrency wallet information, and personal communications. After exfiltration, it removes traces of its presence. This reduces its forensic footprint and makes detection much harder.
The types of data DarkSword targets show how mobile devices have become key repositories of personal and financial information. Attackers can access messages, application data, stored credentials, and, depending on the access level, health or location data. Stealing cryptocurrency wallets signals a clear monetization pathway. This matches wider cybercrime trends.
The following characteristics define the operational model of DarkSword and similar next-generation mobile exploits:
- Multi-stage exploitation chains combining browser, sandbox, and kernel vulnerabilities
- Fileless execution techniques that minimize detection and persistence
- Rapid data exfiltration focused on high-value assets such as credentials and cryptocurrency
- Cross-actor adoption spanning state-sponsored groups and cybercriminal organizations
These features show how mobile exploitation now uses tactics seen with advanced persistent threats (APTs) and financially motivated groups.
Another critical aspect of the DarkSword threat is its spread via a commercialized ecosystem. Researchers believe exploit chains like DarkSword may come from vendors or brokers who sell zero-day capabilities to many governments and private entities. This model mirrors the broader cybercrime economy, where tools and services are increasingly commoditized and accessible.
Multiple, unrelated threat actors now reuse DarkSword. This shows such tools are no longer tightly controlled. Instead, they are shared, sold, or leaked, giving more adversaries access to sophisticated attacks. This democratization raises major concerns because it lowers the barrier for advanced mobile attacks.
From a defensive view, DarkSword's emergence brings key challenges. The use of zero-day vulnerabilities makes signature-based detection mostly ineffective. The fileless attack leaves few artifacts for security tools to analyze. Malicious activity runs inside legitimate system processes, making it hard to distinguish normal from suspicious behavior.
To mitigate the risks associated with DarkSword and similar threats, organizations and individuals must adopt a multi-layered security approach. Key defensive measures include:
- Ensuring devices are updated to the latest iOS versions, where known vulnerabilities have been patched
- Enabling enhanced security features, such as Lockdown Mode, to reduce the attack surface
- Deploying mobile threat defense (MTD) solutions capable of detecting anomalous behavior
- Implementing network-level protections, including web filtering and threat intelligence integration
Google researchers say all the vulnerabilities DarkSword exploited have been patched in recent iOS updates. This shows the importance of prompt patch management. Still, delays in user adoption mean a substantial number of devices stay exposed.
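The first defensive step above, confirming that a fleet is off the targeted iOS versions, is the kind of thing a practitioner scripts against an MDM export rather than checking by hand. The following is an added example, not code from GTIG, Lookout, or PCrisk: it parses iOS version strings and buckets devices by whether they fall inside the 18.4 through 18.7 range the article names. The inventory layout (one record per device with `udid` and `os_version` fields) is an assumption, and the sample records are constructed. A device outside the range is reported only as "not on a listed version"; the article does not name a specific patched build, so the script does not claim any version is safe.

```python
"""Triage an iOS device inventory against the iOS versions DarkSword is
reported to target (18.4 through 18.7, per the article).

Added example, not code from GTIG, Lookout, or PCrisk. The inventory
format is an assumption: one dict per device with 'udid' and
'os_version' keys, as an MDM export might provide.
"""

# Range stated in the article. Compared at major.minor granularity, so
# any 18.7.x point release counts as 18.7; the article does not name a
# specific patched build, so no version is reported as "safe" here.
TARGETED_MIN = (18, 4)
TARGETED_MAX = (18, 7)


def parse_ios_version(s):
    """'18.6.2' -> (18, 6, 2); missing components are padded with 0.

    Raises ValueError on anything that is not dotted decimal numbers,
    so 'unknown' or an empty field is surfaced instead of silently
    sorting into a bucket.
    """
    parts = s.strip().split(".")
    nums = []
    for p in parts:
        if not p.isdigit():
            raise ValueError(f"bad version component in {s!r}")
        nums.append(int(p))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def in_targeted_range(version):
    """True if version's major.minor lies within TARGETED_MIN..TARGETED_MAX."""
    major_minor = parse_ios_version(version)[:2]
    return TARGETED_MIN <= major_minor <= TARGETED_MAX


def triage(inventory):
    """Bucket devices into in-range, outside-range, and unparseable.

    'outside_range' is not a claim of safety; it only means the device
    is not on one of the versions the article lists.
    """
    flagged, other, invalid = [], [], []
    for dev in inventory:
        try:
            if in_targeted_range(dev["os_version"]):
                flagged.append(dev["udid"])
            else:
                other.append(dev["udid"])
        except (KeyError, ValueError):
            invalid.append(dev.get("udid", "?"))
    return {"in_range": flagged, "outside_range": other, "unparseable": invalid}


# Constructed sample inventory (not real devices or real exports).
SAMPLE_INVENTORY = [
    {"udid": "dev-001", "os_version": "18.3.2"},
    {"udid": "dev-002", "os_version": "18.4"},
    {"udid": "dev-003", "os_version": "18.6.1"},
    {"udid": "dev-004", "os_version": "18.7.3"},
    {"udid": "dev-005", "os_version": "26.1"},
    {"udid": "dev-006", "os_version": "unknown"},
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Devices in the `in_range` bucket are the ones to push updates to first; the `unparseable` bucket is worth reviewing separately, since a blank or malformed version field in an MDM export often means the device has not checked in recently and its true state is unknown.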
DarkSword's impact goes beyond individual campaigns. It marks a structural change in the mobile threat landscape. Advanced exploitation capabilities are now accessible to more actors, not just elites. They are becoming part of a scalable ecosystem for both espionage and cybercrime.
This shift is troubling given how central mobile devices are to digital life. Smartphones act as gateways to identity, finance, and enterprise resources, making them top targets. As a result, compromising one device can affect both personal and organizational contexts.
In summary, DarkSword is the next generation of mobile threats: highly sophisticated, widely accessible, and very versatile. It uses multi-stage exploit chains, fileless execution, and rapid data exfiltration. These features show attackers' growing abilities and intent. As such tools spread, defenders must focus on mobile security, rapid patching, and strong threat intelligence to meet the challenge posed by this complex landscape.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.