DarkSword iOS Exploit Chains 6 Bugs, Hits 221M iPhones in 4 Countries — and Leaves No Trace Behind

GigaNectar Team


A powerful iPhone exploit kit called DarkSword was publicly disclosed on 18 March 2026 by Lookout, Google’s Threat Intelligence Group (GTIG), and iVerify. The three firms published coordinated analyses after DarkSword was found being used in active watering-hole attacks against iPhone users in Ukraine, Saudi Arabia, Turkey, and Malaysia. According to iVerify’s estimates, between 221 million and 296 million iPhones may still be running the iOS versions that DarkSword targets.

DarkSword was discovered by Lookout while investigating infrastructure linked to a separate iOS exploit kit, Coruna, disclosed earlier in March 2026. Researchers found DarkSword hosted on the same servers but confirmed it is an entirely different tool built by different developers. It chains six separate software vulnerabilities, three of which (CVE-2025-43529, CVE-2026-20700 and CVE-2025-14174) were exploited as zero-days, to silently steal data from any iPhone running iOS 18.4 through iOS 18.7 that visits a compromised website. No taps, no downloads, no warning.

// Is Your iPhone at Risk?

DarkSword silently steals your data the moment you visit a compromised website: no clicks, no downloads, no trace left behind. Check your iOS version against the figures below.

221M+ iPhones estimated to be running vulnerable iOS 18.4–18.6.2 builds (iVerify, 14.2% of users)
6 vulnerabilities chained in DarkSword, 3 exploited as zero-days
4 countries actively targeted: Ukraine, Saudi Arabia, Turkey, Malaysia
0 clicks needed; visiting a compromised page is enough to trigger the attack
DarkSword targets iPhones running iOS 18.4 through iOS 18.7, using Safari as the entry point. Fully updated devices are protected. Photo: Unsplash
// What is DarkSword

A Hit-and-Run Attack That Leaves No Trace

This section explains what DarkSword is, how it was found, and why it is different from typical spyware.

DarkSword is a full-chain iOS exploit kit written entirely in JavaScript. It was discovered by Lookout’s Threat Labs while their researchers were mapping infrastructure linked to the earlier Coruna exploit. GTIG at Google and iVerify then joined the investigation for a broader analysis. All three published their findings together on 18 March 2026.

What makes DarkSword particularly difficult to detect is its “hit-and-run” design. Once it finishes pulling data from a device, it deletes crash logs and all evidence of its presence — no app installed, no notification, no trace in diagnostic reports. The attack runs entirely through the Safari browser using legitimate iOS system processes, rather than installing a persistent implant.

“A vast number of iOS users could have all of their personal data stolen simply for visiting a popular website.”

— Rocky Cole, Co-founder & COO, iVerify

Researchers also noted that the Russian-linked group using DarkSword against Ukraine left the exploit’s full source code, with English-language comments explaining each component and the “DarkSword” label, openly accessible on compromised servers. That operational carelessness is how researchers were able to fully analyse and name the tool. Apple has confirmed that all DarkSword vulnerabilities are patched in iOS 26.3 and later.

// How the Attack Works

Six Exploits, One Seamless Strike

Walk through DarkSword’s exact attack sequence — from the moment you visit a page to the moment your data is gone.

01
You visit a compromised website in Safari

The page is either a legitimate site into which a malicious iframe has been injected (Ukrainian news outlets and a government appeals court site in the Ukraine campaign) or an attacker-run lure such as the fake Snapchat-themed snapshare[.]chat used against Saudi Arabian targets. The iframe loads without any visible indication.

02
Device fingerprinting — the loader checks your iOS version

A JavaScript loader (rce_loader.js) runs, identifies your iOS version, and fetches the correct exploit variant for your device — ensuring the right CVE is used for your specific iOS build.

03
Remote code execution via JavaScriptCore bug

For iOS below 18.6, CVE-2025-31277 (a JIT type confusion) is used; for iOS 18.6 through 18.7, CVE-2025-43529 (a garbage-collection bug in the DFG JIT tier). Either bug gives the attacker arbitrary memory read and write inside Safari’s WebContent (renderer) process.

04
PAC bypass breaks Apple’s tamper-detection (CVE-2026-20700)

A bug in dyld — Apple’s dynamic linker — bypasses Pointer Authentication Codes (PAC) and Trusted Path Read-Only (TPRO) protections. This allows arbitrary code execution inside WebContent. This was a zero-day, patched only with iOS 26.3.

05
Two-stage sandbox escape via GPU process (CVE-2025-14174 + CVE-2025-43510)

An out-of-bounds write in ANGLE (WebGL graphics layer, CVE-2025-14174) escapes the WebContent sandbox into the GPU process. A copy-on-write bug in the XNU kernel (CVE-2025-43510) then pivots into mediaplaybackd — a system daemon with far greater permissions.

06
Kernel privilege escalation, data theft, then total cleanup (CVE-2025-43520)

A final kernel memory corruption bug (CVE-2025-43520) grants full kernel read/write. The orchestrator (pe_main.js) loads data-stealing modules, exfiltrates all collected data over ECDH+AES-encrypted HTTP connections, then deletes crash logs and all traces of itself.

// Six Vulnerabilities

The CVEs Behind DarkSword

All six have been patched. Three were zero-days while DarkSword was actively using them. Update to iOS 26.3.1, or to iOS 18.7.6 if the device cannot run iOS 26, to be protected against the observed variants. Note from the table that the dyld PAC bypass (CVE-2026-20700) is listed as fixed only in iOS 26.3, so on the iOS 18 branch the protection comes from the other stages of the chain being closed rather than from every CVE being patched.

CVE ID | Component and bug type | Zero-day when used | Patched in
CVE-2025-31277 | JavaScriptCore: JIT type confusion (used against iOS < 18.6) | No | iOS 18.6
CVE-2025-43529 | JavaScriptCore: DFG JIT garbage-collection bug (used against iOS 18.6–18.7) | Yes | iOS 18.7.3 / 26.2
CVE-2026-20700 | dyld: user-mode PAC bypass | Yes | iOS 26.3 only
CVE-2025-14174 | ANGLE (WebGL): out-of-bounds write, GPU sandbox escape | Yes | iOS 18.7.3 / 26.2
CVE-2025-43510 | XNU kernel: copy-on-write memory-management bug | No | iOS 18.7.2 / 26.1
CVE-2025-43520 | XNU kernel: memory corruption, privilege escalation | No | iOS 18.7.2 / 26.1
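To turn the CVE table above and the stage-by-stage chain in the previous section into something a fleet administrator can run, here is an added Python triage script. It is not code from Lookout, GTIG, iVerify or this page. It encodes the “Patched in” column as the first fixed release per iOS branch, reports which CVEs a given build still lacks, and says whether the observed chain (which needs every stage open on an iOS 18.4–18.7 build, with the JavaScriptCore bug chosen by build as in step 03) is still viable. The device inventory is constructed sample data. Two assumptions are mine, not the page’s: fixes carry forward into later major releases (so the iOS 18.6 fix for CVE-2025-31277 covers every iOS 26 build), and a branch with no listed fix (CVE-2026-20700 on iOS 18) counts as unpatched on that branch.

```python
"""Added example: triage iOS builds against the DarkSword CVE table.

Fix versions are taken from the page's CVE table. Assumptions (not from the page):
fixes carry forward into later major releases, and a branch with no listed fix
(e.g. CVE-2026-20700 on iOS 18) is treated as unpatched on that branch.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release per iOS branch, from the page's "Patched in" column.
FIXES: Dict[str, List[Version]] = {
    "CVE-2025-31277": [(18, 6, 0)],
    "CVE-2025-43529": [(18, 7, 3), (26, 2, 0)],
    "CVE-2026-20700": [(26, 3, 0)],
    "CVE-2025-14174": [(18, 7, 3), (26, 2, 0)],
    "CVE-2025-43510": [(18, 7, 2), (26, 1, 0)],
    "CVE-2025-43520": [(18, 7, 2), (26, 1, 0)],
}

# Builds the observed DarkSword loader served exploits for (page: iOS 18.4 through 18.7).
OBSERVED_MIN: Version = (18, 4, 0)
OBSERVED_MAX_EXCL: Version = (18, 8, 0)


def parse_version(text: str) -> Version:
    """'18.7.6' -> (18, 7, 6); '26.2' -> (26, 2, 0). Non-numeric strings are rejected."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_patched(cve: str, v: Version) -> bool:
    """True if build v carries the fix for cve on its own branch.

    Same-branch fix listed: patched iff v >= that fix.
    No same-branch fix: patched only if v's major is newer than every listed fix
    (assumes fixes carry forward); otherwise treated as unpatched.
    """
    fixes = FIXES[cve]
    same_branch = [f for f in fixes if f[0] == v[0]]
    if same_branch:
        return v >= min(same_branch)
    return v[0] > max(f[0] for f in fixes)


def assess(version_text: str) -> dict:
    """Per-build verdict: unpatched CVEs and whether the observed chain still works."""
    v = parse_version(version_text)
    unpatched = [cve for cve in FIXES if not is_patched(cve, v)]
    # Stage 03 picks the JavaScriptCore bug by build: 31277 below 18.6, else 43529.
    jsc_bug = "CVE-2025-31277" if v < (18, 6, 0) else "CVE-2025-43529"
    chain_stages = [jsc_bug, "CVE-2026-20700", "CVE-2025-14174",
                    "CVE-2025-43510", "CVE-2025-43520"]
    in_range = OBSERVED_MIN <= v < OBSERVED_MAX_EXCL
    return {
        "version": ".".join(map(str, v)),
        "unpatched": unpatched,
        "in_observed_range": in_range,
        # Every stage must still be open AND the loader must serve this build.
        "observed_chain_viable": in_range and all(c in unpatched for c in chain_stages),
    }


def triage(inventory: List[Tuple[str, str]]) -> List[dict]:
    """Run assess() over (device_id, ios_version) pairs; most exposed devices first."""
    rows = [dict(device=dev, **assess(ver)) for dev, ver in inventory]
    rows.sort(key=lambda r: (not r["observed_chain_viable"], -len(r["unpatched"])))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [("ipad-01", "18.5"), ("iphone-02", "18.7.6"), ("iphone-03", "26.3.1"),
              ("iphone-04", "26.2"), ("iphone-05", "18.6.2")]
    for r in triage(sample):
        flag = "CHAIN VIABLE" if r["observed_chain_viable"] else "chain closed"
        print(f'{r["device"]:10} iOS {r["version"]:8} {flag:13} unpatched={r["unpatched"]}')
```

The two outputs answer different questions: `unpatched` is what patch management cares about (iOS 18.7.6 and 26.2 both still lack the dyld fix), while `observed_chain_viable` is what the incident question needs (neither of those builds can be exploited by the chain as observed, because the JavaScriptCore, ANGLE and kernel stages are closed). A build below 18.4 is reported with all six CVEs open but the chain marked non-viable, since the loader did not serve it; treat that as exposure to the bugs, not safety from them.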
DarkSword was used by at least three separate threat actor groups across four countries between November 2025 and March 2026. Photo: Unsplash
// Three Payloads, Three Actors

GHOSTBLADE · GHOSTKNIFE · GHOSTSABER

Each threat actor that used DarkSword deployed a different final malware payload. The three are described below, with what each does and who used it; this is key to understanding who was targeted and why.

GHOSTBLADE UNC6353 / Ukraine
Deployed by Russian-linked UNC6353 in watering-hole attacks on Ukrainian news and government websites (Dec 2025 – Mar 2026). GHOSTBLADE is a JavaScript dataminer — no backdoor, no persistent access. It rapidly collects iMessage, WhatsApp, Telegram, call logs, contacts, device identifiers, keychains, SIM info, location history, Wi-Fi passwords, photos, iCloud Drive, Notes, Calendar, Health app data, Safari history, installed apps, and crypto wallet data. Exfiltrates over HTTP/S. Deletes crash reports from the device after running.
GHOSTKNIFE UNC6748 / Saudi Arabia
Deployed by threat cluster UNC6748 via a fake Snapchat website (snapshare[.]chat) targeting Saudi Arabian users in early November 2025. GHOSTKNIFE is a JavaScript backdoor — more capable than GHOSTBLADE. It exfiltrates signed-in accounts, messages, browser data, location history, and audio recordings. It communicates with its C2 server using a custom binary protocol encrypted with ECDH and AES, and actively deletes crash logs from the device.
GHOSTSABER PARS Defense / Turkey & Malaysia
Deployed by Turkish commercial surveillance vendor PARS Defense — in Turkey (late Nov 2025) and Malaysia (Jan 2026). GHOSTSABER is a JavaScript backdoor that communicates over HTTP/S with a C2 server. It supports 15+ commands including device and account enumeration, file listing, data exfiltration, arbitrary JavaScript execution, and has placeholder commands for microphone recording and real-time geolocation (not yet fully implemented in observed samples).
// Data at Risk

What DarkSword Takes From Your Phone

The categories below show what the exploit targets. This list is drawn from the forensic file list (the FORENSIC_FILES variable) that iVerify found inside DarkSword’s own code.

💬 Messages & Calls
iMessage threads, WhatsApp and Telegram message data, SMS, call history, and full contact lists.
🔑 Passwords & Keychain
Saved passwords and credentials from the iOS Keychain, and stored Wi-Fi network passwords (wifi_passwords.txt found in DarkSword’s own temp files).
Crypto Wallets
Cryptocurrency wallet app data and exchange credentials — DarkSword actively scans for all crypto-related apps using heuristics, pointing to financial motivation alongside espionage.
📍 Location & SIM
Full location history stored on the device. SIM card and cellular network data. GHOSTSABER (used by PARS Defense) also contains commands for real-time geolocation reporting.
🌐 Browsing, Notes & Health
Safari browsing history, cookies and bookmarks. Notes app data. Calendar entries. Apple Health app database. Installed app list.
☁️ iCloud & Photos
iCloud Drive files accessible on the device. Photos and photo metadata. Emails. Screenshots (in GHOSTKNIFE variant used in Saudi Arabia).
// Geographic Spread

Where DarkSword Was Used

Each country below lists the threat actor responsible, the malware payload deployed, and the timeline of attacks. Source: Google GTIG blog.

🇸🇦
Saudi Arabia
Early November 2025 · UNC6748
GHOSTKNIFE
Threat Actor
UNC6748
Delivery Method
Fake Snapchat site — snapshare[.]chat. Obfuscated JS loader, anti-debugging, redirected to real Snapchat after infection.
iOS Versions Targeted
iOS 18.4 – 18.7
Final Payload
GHOSTKNIFE
What GHOSTKNIFE Does
JavaScript backdoor. Exfiltrates accounts, messages, browser data, location history, audio recordings. Custom binary C2 protocol using ECDH+AES encryption. Deletes crash logs.
🇹🇷
Turkey
Late November 2025 · PARS Defense
GHOSTSABER
Threat Actor
PARS Defense (Turkish commercial surveillance vendor)
Delivery Method
Commercial surveillance operation. Obfuscated loader and exploit stages. ECDH+AES encryption between attacker server and victim device, markedly better OPSEC than UNC6353’s unobfuscated Ukrainian deployment.
iOS Versions Targeted
iOS 18.4 – 18.7
Final Payload
GHOSTSABER
What GHOSTSABER Does
JavaScript backdoor with 15+ C2 commands: device and account enumeration, file listing, data exfiltration, arbitrary JS execution. Has placeholder commands for microphone recording and real-time geolocation.
🇺🇦
Ukraine
December 2025 – March 2026 · UNC6353
GHOSTBLADE
Threat Actor
UNC6353 (Russian-linked espionage group)
Delivery Method
Watering-hole attacks on legitimate Ukrainian websites — News of Donbas news agency and the Seventh Administrative Court of Appeals in Vinnytsia. No obfuscation; full source code left exposed on servers.
iOS Versions Targeted
iOS 18.4 – 18.6 only
Final Payload
GHOSTBLADE
What GHOSTBLADE Does
JavaScript dataminer — no persistent backdoor. Rapidly collects iMessage, WhatsApp, Telegram, calls, contacts, keychains, Wi-Fi passwords, location history, Health data, crypto wallets. Exfiltrates over HTTP/S then deletes its own crash logs.
🇲🇾
Malaysia
January 2026 · PARS Defense customer
GHOSTSABER
Threat Actor
PARS Defense customer (distinct from Turkey campaign)
Delivery Method
Watering-hole delivery with additional device fingerprinting logic compared to the Turkey campaign. Reuses the same session-storage uid check as the Turkey delivery to avoid re-infecting devices it has already processed.
iOS Versions Targeted
iOS 18.4 – 18.7
Final Payload
GHOSTSABER
What GHOSTSABER Does
Same GHOSTSABER JavaScript backdoor as Turkey campaign — device enumeration, file exfiltration, arbitrary JavaScript execution via C2 server commands.
DarkSword campaigns ran from early November 2025 through March 2026. Google added all identified delivery domains to Safe Browsing after the disclosure. Photo: Unsplash
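The delivery step in every campaign above is a frame the victim never sees: a hidden iframe injected into a legitimate page (the Ukrainian news and court sites) or served from an attacker-run lure (snapshare[.]chat). A site owner can check their own served HTML for exactly that. The following Python script is an added example, not code from this page or from any of the three vendors: it parses a page’s HTML, lists every iframe, and flags frames that point off the site’s own hosts, are visually hidden, or point at a known delivery host. The sample page and the `static-cdn.example` host are constructed; `snapshare.chat` is the lure domain named on this page.

```python
"""Added example: audit served HTML for injected or hidden iframes (watering-hole check)."""
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def _looks_hidden(attrs: Dict[str, Optional[str]]) -> bool:
    """Heuristics for a frame meant to stay invisible: CSS hiding, the hidden
    attribute, or 0/1-pixel dimensions (loaders are typically 0x0 or 1x1)."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if any(m in style for m in ("display:none", "visibility:hidden", "width:0", "height:0")):
        return True
    if "hidden" in attrs:
        return True
    dims = [(attrs.get(k) or "").strip().rstrip("px") for k in ("width", "height")]
    return any(d in ("0", "1") for d in dims)


def audit_iframes(html: str, site_hosts: Iterable[str], known_bad: Iterable[str] = ()) -> List[dict]:
    """Classify every iframe in html.

    Verdicts: 'known-bad' (host is/under a known delivery domain), 'ok' (same
    origin), 'suspicious' (off-site and hidden), 'review' (off-site but visible,
    inline srcdoc content, or a non-http scheme).
    """
    site_hosts = {h.lower() for h in site_hosts}
    known_bad = {h.lower() for h in known_bad}
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        hidden = _looks_hidden(attrs)
        if host in known_bad or any(host.endswith("." + b) for b in known_bad):
            verdict = "known-bad"
        elif src and parsed.scheme.lower() not in ("", "http", "https"):
            verdict = "review"           # javascript:, data:, blob: etc. need a human look
        elif not src and "srcdoc" in attrs:
            verdict = "review"           # inline document; inspect its contents
        elif not host or host in site_hosts:
            verdict = "ok"               # relative src or one of the site's own hosts
        elif hidden:
            verdict = "suspicious"       # off-site and invisible: the watering-hole pattern
        else:
            verdict = "review"
        findings.append({"src": src, "host": host, "hidden": hidden, "verdict": verdict})
    return findings


# Constructed sample page: two legitimate embeds and one injected loader frame.
SAMPLE_HTML = """<!doctype html>
<html><body>
<h1>Regional news</h1>
<iframe src="/embed/player?id=42" width="640" height="360"></iframe>
<iframe src="https://news.example/live" width="640" height="360"></iframe>
<!-- constructed injected frame: off-site host and zero-size -->
<iframe src="https://static-cdn.example/r/loader.html" style="display:none;width:0;height:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, site_hosts={"news.example"}, known_bad={"snapshare.chat"}):
        print(f'{f["verdict"]:10} hidden={str(f["hidden"]):5} {f["src"]}')
```

Run it against the HTML as actually served to a mobile Safari user agent, not against the CMS template: injections of this kind live in the served response (or are added by a script at load time, which a static parse will not see, so a DOM dump after load is the stronger check). The Malaysia and Turkey deliveries fingerprinted the device before serving the exploit, so fetch with an iOS user agent and compare responses across a few builds.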
// Timeline of Events

From First Use to Public Disclosure

A chronological account of when DarkSword was first used, how it spread across actors, and when patches and disclosures happened.

🇸🇦
Early November 2025
Google GTIG identifies UNC6748 using DarkSword via fake Snapchat site (snapshare[.]chat) to target Saudi Arabian users. GHOSTKNIFE malware deployed. This is the earliest confirmed DarkSword activity.
🇹🇷
Late November 2025
Turkish commercial surveillance vendor PARS Defense uses DarkSword against iOS users in Turkey (iOS 18.4–18.7). GHOSTSABER backdoor deployed. Unlike UNC6353’s later Ukrainian deployment, PARS Defense obfuscated the exploit loader and used ECDH+AES encryption for delivery.
🇺🇦
December 2025
Russian-linked group UNC6353 begins embedding DarkSword in compromised Ukrainian websites — including the news agency News of Donbas and the official website for the Seventh Administrative Court of Appeals in Vinnytsia. GHOSTBLADE malware deployed. UNC6353’s use targeted only iOS 18.4–18.6, not 18.7.
🇲🇾
January 2026
A different PARS Defense customer deploys DarkSword against users in Malaysia. GHOSTSABER again used. This delivery version includes additional device fingerprinting logic.
🍎
By February 11, 2026
Apple had already patched the majority of DarkSword’s underlying vulnerabilities across several earlier iOS releases. CVE-2025-43510 and CVE-2025-43520 patched in iOS 18.7.2 / 26.1; CVE-2025-43529 and CVE-2025-14174 patched in iOS 18.7.3 / 26.2. The final CVE (CVE-2026-20700, the dyld PAC bypass) remained unpatched at this point.
📢
3 March 2026
Google and iVerify publicly disclose the Coruna iOS exploit kit — a separate, unrelated tool also deployed by UNC6353. Lookout researchers, while investigating Coruna’s infrastructure, discover DarkSword on the same servers.
🔒
18 March 2026 — Public Disclosure
Lookout, Google GTIG, and iVerify jointly publish coordinated analyses of DarkSword. Apple confirms all six CVEs are patched in iOS 26.3. Google adds all DarkSword delivery domains to Safe Browsing. UNC6353’s Ukrainian campaign was still active at time of disclosure.
// Attribution

Who Used DarkSword

Three separate threat actor groups used DarkSword — each with different delivery methods, different targets, and different final payloads. Who built DarkSword remains unknown.

Google’s GTIG attributed DarkSword campaigns to three actors. UNC6353 is a suspected Russian espionage group that also used the Coruna exploit kit. It ran watering-hole attacks on Ukrainian websites from December 2025 through March 2026, deploying GHOSTBLADE. UNC6748 used DarkSword in Saudi Arabia in early November 2025 via a fake Snapchat site, deploying GHOSTKNIFE. PARS Defense, a Turkish commercial surveillance vendor, and one of its customers used DarkSword in Turkey (November 2025) and Malaysia (January 2026), deploying GHOSTSABER.

Who created DarkSword is not known. Researchers noted the tool is entirely separate from Coruna, built by different developers. The English-language comments in DarkSword’s code — likely written to help a customer understand the tooling — suggest it passed through a commercial broker. Lookout and iVerify also found signs that large language models were used to assist in writing parts of the codebase, a pattern also seen in Coruna.

“Your experienced Russian threat actors — your APT29s of the world — I would expect them to have better OPSEC.”

— Justin Albrecht, Global Director of Mobile Threat Intelligence, Lookout

Despite its sophisticated exploit chain, the operational security around DarkSword’s deployment was poor. UNC6353 left full, unobfuscated source code on the same servers used to deliver the exploit. Google added all identified delivery domains to Safe Browsing after disclosure, blocking them in Safari.

// What To Do Now

Your iPhone Protection Checklist

Apple confirmed that devices running iOS 26.3.1 or iOS 18.7.6 are not affected by the observed DarkSword variants.

1. Update to iOS 26.3.1, the latest release: Settings → General → Software Update. This patches all six DarkSword CVEs.
2. If you cannot run iOS 26, update to iOS 18.7.6 at minimum. iVerify confirmed iOS 18.7.6 is safe from the observed DarkSword variants; Apple may release further backported patches.
3. Enable Lockdown Mode if you cannot update immediately: Settings → Privacy & Security → Lockdown Mode. Available since iOS 16; Apple confirmed it blocks both DarkSword and Coruna.
4. Turn on automatic iOS updates to stay protected going forward: Settings → General → Software Update → Automatic Updates → enable iOS Updates.

The Exploit Has Been Covered. Your Next Step Is Clear.

The DarkSword iOS exploit kit was discussed above in detail — how it works, which six CVEs it chains, who used it, what data it targets, and where it was deployed. Lookout, Google’s GTIG, and iVerify published their joint findings on 18 March 2026. Apple has confirmed all six vulnerabilities are patched in iOS 26.3. Devices on iOS 26.3.1 or iOS 18.7.6 are not affected by the observed variants.

Keeping software up to date on Apple devices was described by Apple as the single most important step users can take. The full technical analysis from Google GTIG and the iVerify breakdown are available for those who want deeper reading.
