DarkSword iOS Exploit Chains Six Vulnerabilities for Silent Device Takeover

Group: UNC6353 (suspected Russian espionage); UNC6748 (cybercriminal); PARS Defense (commercial surveillance vendor)
Type: iOS Exploit Kit, Infostealer, APT Campaign
CVEs: CVE-2025-31277 (JavaScriptCore JIT type confusion); CVE-2025-43529 (JavaScriptCore DFG garbage collection bug); CVE-2026-20700 (dyld PAC bypass); CVE-2025-14174 (ANGLE memory corruption, CVSS 8.8); CVE-2025-43510 (XNU copy-on-write privilege escalation, CVSS 8.6); CVE-2025-43520 (XNU VFS race condition, CVSS 8.6)
Malware: GHOSTBLADE (JavaScript dataminer); GHOSTKNIFE (JavaScript backdoor); GHOSTSABER (JavaScript backdoor with arbitrary code execution)
Score: 10.0 Critical. Six-vulnerability chain including three zero-days, actively deployed by state-sponsored actors and commercial surveillance vendors against 220+ million unpatched iPhones
Observed: 21 March 2026

Overview

DarkSword is an iOS exploit kit written entirely in JavaScript that chains six distinct vulnerabilities, including three zero-days, to achieve silent one-click device takeover on unpatched iPhones. It was disclosed publicly on 18 March 2026 in a joint report by Google's Threat Intelligence Group (GTIG), Lookout, and iVerify. DarkSword has been active since at least November 2025 and has been adopted simultaneously by multiple threat actors across espionage, cybercriminal, and commercial surveillance operations.

The exploit chain targets iOS versions 18.4 through 18.7 and delivers three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These are capable of exfiltrating virtually every category of data from a compromised device, including credentials, cryptocurrency wallet and exchange data, iCloud files, location history, SMS messages, and Safari cookies. An estimated 220 to 270 million iPhones globally remain on vulnerable iOS versions.

What distinguishes DarkSword from previous iOS exploit frameworks is its architecture. The entire chain is written in JavaScript, enabling rapid adaptation and deployment across multiple operators with different operational objectives. State-sponsored espionage group UNC6353, suspected Russian in origin, deployed GHOSTBLADE in watering hole attacks against Ukrainian users. Separately, commercial surveillance vendor PARS Defense and financially motivated group UNC6748 deployed the same exploit chain against users in Turkey, Saudi Arabia, and Malaysia, targeting cryptocurrency wallets and mobile banking applications.

Apple patched all six vulnerabilities across iOS 18.7.2, 18.7.3, 18.7.6, and iOS 26.3. Users running iOS 26.3.1 or iOS 18.7.6 are protected. Any iPhone running iOS 18.4 through 18.7.1 remains fully vulnerable. The high proportion of unpatched devices, combined with the low user-interaction requirement of a single website visit, makes this one of the most broadly threatening iOS exploit campaigns publicly disclosed to date.


Key Details

Delivery Method – Drive-by watering hole attack. The victim visits a compromised legitimate website in Safari on an unpatched iPhone with no user interaction required beyond the page load.

Target – Individual iPhone users running iOS 18.4 through 18.7.1. Primary sectors include government, military, and civil society in Ukraine, cryptocurrency users globally, and high-value individuals in Saudi Arabia, Turkey, and Malaysia.

Functions

  • Remote code execution via JavaScriptCore vulnerability chain (CVE-2025-31277, CVE-2025-43529)
  • Safari GPU process sandbox escape via ANGLE memory corruption (CVE-2025-14174) with PAC bypass (CVE-2026-20700)
  • Kernel privilege escalation via XNU copy-on-write bug in mediaplaybackd (CVE-2025-43510) and VFS race condition (CVE-2025-43520)
  • Full device credential harvest including emails, passwords, iCloud files, contacts, SMS, call history, Wi-Fi passwords, and cellular and SIM data
  • Cryptocurrency targeting with active exfiltration from Coinbase, Binance, Kraken, KuCoin, OKX, MEXC, Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe apps
  • Safari session cookie and browsing history exfiltration
  • Location history, calendar, and notes collection
  • Arbitrary JavaScript code execution post-compromise via GHOSTSABER
  • File exfiltration from iCloud Drive and local storage

Obfuscation – PARS Defense deployments apply ECDH and AES encryption to exploit stages and obfuscate the exploit loader. UNC6353 deployments use minimal obfuscation. All actors customise delivery logic from a shared DarkSword base.


Attack Vectors

DarkSword attacks begin entirely within the Safari browser. When a victim on a vulnerable iPhone visits a compromised legitimate website, a malicious script tag injected into the site's HTML fetches the first delivery stage from an attacker-controlled server. In UNC6353 campaigns this server is static.cdncounter[.]net. The injected script dynamically creates an IFrame that loads pe_main.js, the main orchestrator component for the entire exploit chain.

Stage 1 — Remote Code Execution in Safari: The first stage exploits two JavaScriptCore vulnerabilities to achieve RCE within the Safari browser process. CVE-2025-31277 is a type confusion bug in JavaScriptCore's JIT optimisation layer. CVE-2025-43529 is a garbage collection bug in the Data Flow Graph JIT layer. Together these provide the attacker with arbitrary read/write access within the Safari process.

Stage 2 — Sandbox Escape: CVE-2025-14174 is an out-of-bounds write in the ANGLE GPU shader translation library. It is combined with CVE-2026-20700, a dyld pointer authentication code bypass, to execute arbitrary code outside the Safari sandbox boundary.

Stage 3 — Kernel Privilege Escalation: CVE-2025-43510 is a copy-on-write bug exploited inside mediaplaybackd, an iOS system service. CVE-2025-43520 is a race condition in XNU's virtual filesystem implementation that provides physical and virtual memory read/write primitives for kernel injection.

Stage 4 — Payload Delivery: With kernel privileges secured, the orchestrator delivers the final JavaScript payload. GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER is deployed depending on the threat actor. Data collection begins immediately and is exfiltrated over HTTPS to an attacker-controlled C2 endpoint.


Known Indicators of Compromise

Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before acting on them.

Domains

Indicator | Type | Associated Actor
static.cdncounter[.]net | First-stage payload delivery server | UNC6353 (suspected Russian espionage)
cdncounter[.]net | Attacker-controlled infrastructure | UNC6353 (suspected Russian espionage)
cdn.cdncounter[.]net | Attacker-controlled infrastructure | UNC6353 (suspected Russian espionage)
count.cdncounter[.]net | Attacker-controlled infrastructure | UNC6353 (suspected Russian espionage)
sqwas.shapelie[.]com | GHOSTBLADE C2, verify before blocking | UNC6353 (suspected Russian espionage)

File Paths

Indicator | Description
pe_main.js | Main DarkSword orchestrator component, loaded from the attacker server into the victim's Safari IFrame

MITRE ATT&CK Techniques

Technique ID | Technique Name | Application in DarkSword
T1189 | Drive-by Compromise | Watering hole delivery via compromised legitimate websites
T1203 | Exploitation for Client Execution | JavaScriptCore RCE chain (CVE-2025-31277, CVE-2025-43529)
T1068 | Exploitation for Privilege Escalation | XNU kernel exploits (CVE-2025-43510, CVE-2025-43520)
T1055 | Process Injection | Injection into mediaplaybackd for kernel access
T1119 | Automated Collection | GHOSTBLADE and GHOSTKNIFE full-device data harvesting
T1041 | Exfiltration Over C2 Channel | HTTPS exfiltration to attacker-controlled server
T1539 | Steal Web Session Cookie | Safari cookie and session data collection
T1005 | Data from Local System | iCloud Drive, notes, calendar, and credential store access

Mitigation and Prevention

iOS Update — Immediate Priority

All iPhones capable of running iOS 26.3.1 should be updated now. For older devices not eligible for iOS 26, update to iOS 18.7.6 at minimum. Any device running iOS 18.4 through 18.7.1 is fully vulnerable to the complete DarkSword exploit chain and should be considered potentially compromised if the user has visited unknown websites since November 2025.

Enable Lockdown Mode for High-Risk Individuals

Individuals at elevated risk, including journalists, government employees, activists, and cryptocurrency holders with significant assets, should activate iOS Lockdown Mode immediately. Lockdown Mode restricts Safari's JIT compilation, which directly blocks the initial JavaScriptCore exploitation stages that DarkSword depends on.

Network Blocking

Security teams should block DNS resolution and outbound connections to all confirmed DarkSword delivery domains: static.cdncounter[.]net, cdncounter[.]net, cdn.cdncounter[.]net, count.cdncounter[.]net, and sqwas.shapelie[.]com. MDM platforms should push these blocks to all managed iOS devices regardless of patch status.

Compromised Website Detection

DarkSword is delivered exclusively via compromised legitimate websites. Organisations should audit site integrity and check for injected script tags or IFrames making outbound calls to unfamiliar CDN-style domains. Subresource Integrity (SRI) attributes and a strict Content Security Policy (CSP) limit the impact of such injection: CSP stops the browser executing scripts from origins not on the policy, and SRI stops tampered third-party files from loading.
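An added example of the site-integrity audit described above (not code from the GTIG/Lookout/iVerify report or from any tool it names): it parses a page and flags script and IFrame loads that match the advisory's IOC domains or the pe_main.js file name, that hit third-party hosts outside an allowlist, or that load from an allowlisted host without SRI. The sample HTML, the hosts cdn.trusted.example and metrics.unknown.example, and the loader.js name are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# IOC domains and file name from the advisory, undefanged so hostnames can match.
DARKSWORD_DOMAINS = ("cdncounter.net", "shapelie.com")
IOC_FILENAMES = ("pe_main.js",)

class _SrcCollector(HTMLParser):
    # Collect (tag, src, has_integrity) for every <script> and <iframe> with a src.
    def __init__(self):
        super().__init__()
        self.items = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = dict(attrs)
            if a.get("src"):
                self.items.append((tag, a["src"], "integrity" in a))

def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def audit_html(html, allowlist=()):
    """Return findings as (severity, tag, src, reason); same-origin loads are skipped."""
    parser = _SrcCollector()
    parser.feed(html)
    findings = []
    for tag, src, has_integrity in parser.items:
        url = urlparse(src)
        host = (url.hostname or "").lower()
        filename = url.path.rsplit("/", 1)[-1].lower()
        if any(_in_domain(host, d) for d in DARKSWORD_DOMAINS) or filename in IOC_FILENAMES:
            findings.append(("critical", tag, src, "matches DarkSword IOC"))
        elif not host:
            continue  # relative URL, served by the site itself
        elif host not in allowlist:
            findings.append(("high", tag, src, "unexpected third-party load"))
        elif tag == "script" and not has_integrity:
            findings.append(("medium", tag, src, "allowlisted script without SRI"))
    return findings

# Constructed sample page (not a real capture): same-origin script, allowlisted CDN script
# with a placeholder SRI hash, injected loader on the IOC domain, its pe_main.js IFrame, unknown host.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.trusted.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://static.cdncounter.net/loader.js"></script>
<iframe src="https://static.cdncounter.net/pe_main.js"></iframe>
<script src="https://metrics.unknown.example/t.js"></script>
</head></html>"""
```

Calling audit_html(SAMPLE_HTML, allowlist={"cdn.trusted.example"}) on the constructed page yields two critical findings for the cdncounter.net loads and one high finding for the unknown host; the same-origin script and the SRI-protected CDN script produce nothing.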

Cryptocurrency Asset Protection

Any user who visited unknown or compromised websites on an unpatched iPhone should treat all stored cryptocurrency credentials as compromised. Move assets to new wallets generated on a clean patched device, revoke existing API keys for exchange accounts, and enable hardware key 2FA on all exchange accounts before accessing them again.

Mobile Threat Detection

Deploy a mobile threat detection solution capable of identifying anomalous outbound HTTPS traffic to newly registered CDN-style domains. Lookout, iVerify, and comparable platforms published DarkSword detection signatures as part of the coordinated 18 March 2026 disclosure.

Incident Response

Any iPhone user who visited news, government, or community websites relating to Ukraine, Saudi Arabia, Turkey, or Malaysia on iOS 18.4 through 18.7.1 since November 2025 should treat the device as potentially compromised. Wipe and restore from a pre-November 2025 clean backup, or perform a full factory reset. Rotate all credentials stored in Safari Passwords, iCloud Keychain, and any cryptocurrency applications, as GHOSTBLADE exfiltrates all of these in a single pass.


Risk Assessment

DarkSword represents a significant escalation in the accessibility of iOS exploitation. Until 2025, comprehensive iOS exploit chains were largely the domain of nation-state actors with hundreds of millions of dollars in vulnerability development budgets, such as NSO Group with their Pegasus spyware. DarkSword's JavaScript-only architecture changes that situation entirely. The same exploit chain is now being shared across or licensed to at least three distinct threat actors with very different objectives, ranging from Russian state espionage against Ukrainian government targets to financially motivated cryptocurrency theft by cybercriminals.

Google GTIG estimates 220 to 270 million iPhones remain on vulnerable iOS versions, which is approximately 14% of all active iOS devices globally. The financial exposure is particularly acute. GHOSTBLADE specifically enumerates and exfiltrates data from thirteen major cryptocurrency platforms, and the GHOSTSABER backdoor provides persistent arbitrary code execution that survives beyond the initial exploitation event. The combination of spyware-grade persistence and financially motivated theft in a single framework is novel.

The watering hole delivery mechanism further complicates the threat picture. Victims do not need to download malware or respond to phishing. They simply visit a legitimate website that has been silently compromised. In UNC6353's Ukrainian campaign, government and civil society websites were the injection points, meaning high-value targets who would normally be most cautious were precisely the users most likely to be hit.


Conclusion

The single most important action is to update to iOS 26.3.1 or iOS 18.7.6 now. Every hour a device remains on a vulnerable version is an hour it can be silently compromised by a single page load. Users who cannot update immediately should enable Lockdown Mode as a partial mitigation against the initial JavaScript exploitation stages.

DarkSword signals that iOS exploit chain technology has crossed a threshold of proliferation. What was once reserved for the most sophisticated and well-funded state actors is now available to multiple operator classes simultaneously. The JavaScript-based architecture makes future variants easier to build, share, and adapt. Defenders should treat iOS patch velocity as a critical security metric alongside Windows and Linux patching programmes.

