
DarkSword: A Sophisticated iOS Exploit Chain Discovered by Google Threat Intelligence

2026-05-07 16:39:14

Introduction

In late 2025, Google Threat Intelligence Group (GTIG) uncovered a highly advanced iOS exploit chain dubbed DarkSword. This full-chain attack leverages multiple zero-day vulnerabilities and is believed to be government-designed due to its complexity. Since its discovery, several commercial surveillance vendors and state-sponsored actors have adopted DarkSword in distinct campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine.

Source: www.schneier.com

Discovery and Attribution

GTIG identified DarkSword through toolmarks found in recovered payloads. The exploit chain supports iOS versions 18.4 through 18.7 and employs six distinct vulnerabilities to achieve full device compromise. The sophistication of the attack and the nature of the targets strongly suggest a government-backed origin, though no specific nation has been officially named.

Malware Families Deployed

After a successful DarkSword exploitation, GTIG observed three primary malware families being delivered:

Threat Actors and Campaigns

DarkSword's proliferation mirrors that of the previously known Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group, has integrated DarkSword into their watering hole campaigns. This group was previously associated with Coruna. The reuse of the same exploit chain by multiple threat actors highlights the growing commoditization of advanced iOS exploits.

The targeted countries—Saudi Arabia, Turkey, Malaysia, and Ukraine—indicate a mix of espionage and surveillance objectives. Commercial surveillance vendors are also known to have deployed DarkSword, suggesting it is being marketed as a service or shared within closed circles.

Leak and Wider Use

Approximately one week after DarkSword was first identified, a version of the exploit chain leaked onto the internet. This leak allowed a broader set of actors to access and deploy the malware, increasing the potential attack surface. However, because the leak occurred after GTIG's disclosure, many security teams were already aware and could prepare defenses.

Mitigation and Current Status

As of now, this news is over a month old. Apple has released patches for the vulnerabilities used by DarkSword in subsequent iOS updates. Users who regularly update their devices are considered safe. The key takeaway is the critical importance of prompt patching, especially for high-risk targets such as journalists, activists, and government officials.

For a deeper dive into iOS security best practices, see our guide on keeping your iPhone secure.

What You Should Do

  1. Ensure your iPhone or iPad is running the latest iOS version (18.8 or later).
  2. Enable automatic updates in Settings > General > Software Update.
  3. Be cautious of suspicious links or attachments, especially if you are in a high-risk demographic.

Conclusion

DarkSword represents a significant evolution in iOS exploitation, demonstrating the lengths to which state-sponsored and commercial actors will go to compromise devices. While the immediate threat has been mitigated through patching, the incident underscores the relentless cycle of vulnerability discovery and exploitation. Staying informed and maintaining robust update habits remain the best defenses.

— Article published January 2026
