The DarkSword iOS exploit has shifted from rare targeted attacks to indiscriminate global campaigns, leaving hundreds of millions of iPhones vulnerable to data theft and espionage. This six-vulnerability exploit chain represents the second major iOS compromise kit discovered in recent months, following Coruna, and marks a dangerous escalation in how attackers are weaponizing iPhone flaws.
Key Takeaways
- DarkSword uses six chained vulnerabilities to fully compromise vulnerable iPhones and deploy persistent backdoors.
- Targets iPhones running iOS 18.4 to 18.7; hundreds of millions of unpatched devices remain at risk.
- Active since November 2025 in campaigns by Russian state actors, Chinese-linked groups, and commercial surveillance vendors.
- Deploys three malware families (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER) that steal messages, location, photos, crypto wallets, and recordings in seconds.
- Spreads via malicious websites using Safari browser; no download or user interaction beyond clicking a link required.
How the DarkSword iOS Exploit Works
The DarkSword iOS exploit operates as a hit-and-run attack, extracting sensitive data within seconds or minutes before cleaning up all traces. A user visits a compromised or malicious website, often through an iFrame or JavaScript fingerprinting, and Safari automatically triggers the first vulnerability. From there, the exploit chain escalates rapidly.
The attack chains CVE-2025-31277 or CVE-2025-43529 (depending on iOS version) to achieve remote code execution within Safari, then leverages CVE-2026-20700, a dyld pointer authentication code bypass, for arbitrary code execution. The remaining three vulnerabilities grant kernel privileges and full system access, allowing the attackers to install backdoor malware. Google Threat Intelligence Group confirmed that DarkSword uses six different vulnerabilities to fully compromise a vulnerable iOS device.
Unlike traditional malware that requires downloads or persistent installation, the DarkSword iOS exploit operates filelessly—it uses the device’s own processes to extract data and vanish. Lookout researchers described the tactic as extracting information within seconds or, at most, minutes before cleaning up. This ephemeral approach makes detection extraordinarily difficult.
Which iPhones Are Vulnerable
iPhones running iOS 18.4 through 18.7 face the highest risk, though some campaigns have targeted devices on iOS 18.6.2. Apple has patched the most critical vulnerabilities in iOS 18.7.2, 26.1, and 26.3, but hundreds of millions of users remain on older, unpatched versions. The scale of vulnerable devices is staggering—roughly a quarter of all iPhones globally still run iOS 18 or earlier, according to security researchers.
The DarkSword iOS exploit has been observed in active campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. One notable attack leveraged a compromised Ukrainian government server, while another spoofed Snapchat to distribute the payload. This geographic spread signals that the exploit is no longer confined to targeted espionage—it is now a commodity tool used by multiple threat actors.
What the DarkSword iOS Exploit Steals
The exploit deploys three malware families with escalating capabilities. GHOSTBLADE is the least sophisticated, offering basic functionality without persistent backdoor features. GHOSTKNIFE, the primary payload, is JavaScript-based and harvests account credentials, text messages, browser data, precise location coordinates, call recordings, screenshots, downloaded files, and microphone audio. GHOSTSABER represents the third variant, though fewer technical details are publicly available.
These tools can be used for espionage as well as financial theft, according to Lookout. Attackers can extract cryptocurrency wallet credentials, banking passwords, and identity documents within the seconds-long window before the malware erases itself. The speed of exfiltration is the exploit’s defining feature—victims have no time to notice unusual device behavior.
DarkSword vs. Coruna: Two Sides of the Same Threat
DarkSword follows Coruna, an iOS exploit kit discovered approximately one month earlier, which used more robust loading mechanisms and supported broader iOS versions. Coruna was observed in campaigns by UNC6353, a Russian espionage group, while DarkSword has proliferated across Russian state actors, Chinese-linked groups, and commercial surveillance vendors. DarkSword is less technically sophisticated than Coruna but spreads more widely, suggesting it has become a shared tool across threat ecosystems.
The emergence of two major iOS exploit kits within weeks signals a dangerous shift: iPhones are no longer immune to the kind of widespread, indiscriminate compromise that Android users have faced for years. Where iOS exploits were once rare and targeted at journalists or political figures, they are now being deployed in waterhole attacks that snare any visitor to a compromised website.
Patching and Mitigation
Apple addressed the most critical vulnerabilities in iOS 18.7.2 and subsequent releases, including iOS 26.1 and 26.3. However, patch adoption remains sluggish—millions of users delay updates due to performance concerns, storage constraints, or simple inattention. Until those users upgrade, they remain exposed.
The immediate mitigation is straightforward: update to the latest iOS version immediately. Avoid clicking suspicious links, even from seemingly trusted sources, as the DarkSword iOS exploit requires only a visit to a malicious website. Consider disabling JavaScript in Safari settings if you frequently visit untrusted sites, though this may break functionality on legitimate websites. Security researchers recommend treating any unexpected link with extreme caution.
Why This Matters Now
The globalization of DarkSword represents a watershed moment for iOS security. For years, Apple marketed iPhones as inherently safer than Android because exploits were rare and targeted. That argument is now obsolete. The DarkSword iOS exploit kit is being sold and deployed by multiple threat actors, from state-sponsored groups to commercial surveillance vendors, in real-world campaigns just months after its discovery. This is not a theoretical vulnerability—it is actively compromising devices today.
Is DarkSword affecting me right now?
Unless you have visited a malicious website recently, you are unlikely to be infected. However, if you are on iOS 18.7 or earlier and visit websites in high-risk categories (news, government, finance, activism), your risk is elevated. Check your iOS version in Settings > General > About and update immediately if you are below 18.7.2 or 26.1.
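For readers responsible for more than one device, the version thresholds in this article can be applied automatically to an inventory export. The following is an added example (not code from Tom's Guide, Apple, or any of the research teams cited) that classifies iOS version strings using only the ranges stated above: iOS 18.4 through 18.7 as the reported exploited range, with fixes in 18.7.2 and 26.1. The inventory rows and device identifiers are constructed sample data, and treating any 26.x release below 26.1 as "needs update" is an assumption drawn from the article's advice rather than something the article states about 26.0 specifically.

```python
"""Classify iOS version strings against the DarkSword patch thresholds
reported in the article. Added example for an inventory / MDM export check;
not code from the article or from any vendor."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Thresholds taken from the article text. Mapping each major version to its
# first patched release is an assumption about how the advice generalizes.
FIRST_PATCHED: Dict[int, Version] = {18: (18, 7, 2), 26: (26, 1, 0)}
EXPLOITED_RANGE_START: Version = (18, 4, 0)  # article: "iOS 18.4 through 18.7"


def parse_version(s: str) -> Version:
    """Turn '18.6.2', '26.1' or '26' into a comparable (major, minor, patch)."""
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """Return a short status label for one device's iOS version.

    vulnerable       - inside the reported 18.4-18.7 range and below 18.7.2
    patched          - at or above the first fixed release for its major
    update           - 26.x below 26.1 (assumed: update per the article)
    update-pre-range - 18.0-18.3.x, outside the reported range, still old
    update-legacy    - iOS 17 or earlier: move to the highest supported iOS
    unknown          - a major version the article's thresholds do not cover
    """
    v = parse_version(version)
    major = v[0]
    if major < 18:
        return "update-legacy"
    if major == 18:
        if v < EXPLOITED_RANGE_START:
            return "update-pre-range"
        if v < FIRST_PATCHED[18]:
            return "vulnerable"
        return "patched"
    if major == 26:
        return "patched" if v >= FIRST_PATCHED[26] else "update"
    return "unknown"


def summarize(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group device ids by status. inventory rows are (device_id, ios_version).

    Unparseable version strings are reported under their own bucket instead of
    being silently dropped, so a bad export does not hide an exposed device.
    """
    buckets: Dict[str, List[str]] = {}
    for device_id, ver in inventory:
        try:
            status = classify(ver)
        except ValueError:
            status = "unparseable"
        buckets.setdefault(status, []).append(device_id)
    return buckets


# Constructed sample inventory (hypothetical device ids and versions).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("phone-01", "18.6.2"),   # in the reported campaign range
    ("phone-02", "18.7.2"),   # first fixed 18.x release
    ("phone-03", "26.0"),     # below 26.1
    ("phone-04", "26.3"),     # fixed
    ("phone-05", "17.5.1"),   # cannot reach 18.7.2 without a major update
    ("phone-06", "18.3"),     # older than the reported range
    ("phone-07", "n/a"),      # bad export row
]

if __name__ == "__main__":
    for status, devices in sorted(summarize(SAMPLE_INVENTORY).items()):
        print(f"{status:17s} {', '.join(devices)}")
```

Run it against an exported list of (device, version) pairs; anything in the "vulnerable" or "update" buckets is what the article's advice says to patch first, and "unparseable" rows should be checked by hand.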
How can I tell if my iPhone has been compromised by DarkSword?
Detection is nearly impossible because the DarkSword iOS exploit cleans up after itself within minutes. However, if you notice unusual battery drain, unexpected data usage spikes, or strange network activity immediately after visiting a suspicious link, your device may have been targeted. Restore from a clean backup or perform a factory reset if you suspect compromise.
Will Apple release a security update for older iPhones?
Apple has patched the vulnerabilities in current iOS versions, but older iPhone models that cannot run the latest iOS will remain vulnerable indefinitely. This is why upgrading to a newer device or at minimum updating to the highest iOS version your device supports is critical.
The DarkSword iOS exploit represents a permanent shift in the threat landscape. iPhones are no longer a sanctuary from widespread malware campaigns. Users who delay patching or run outdated iOS versions are now exposed to the same indiscriminate, global attacks that have plagued Android for a decade. The time to update is now—waiting is no longer a reasonable option.
This article was written with AI assistance and editorially reviewed.
Source: Tom's Guide