In March 2026, the Google Threat Intelligence Group (GTIG) released a detailed report on a sophisticated iOS full‑chain exploit known as DarkSword. The analysis reveals that multiple threat actors—from commercial surveillance vendors to suspected state‑sponsored groups—have adopted this chain to compromise devices running iOS 18.4 through 18.7. The report, published under the title DarkSword Exploit Chain Spreads Across Diverse Threat Actors, provides a comprehensive view of the TTPs, malware families, and recommended mitigations.
DarkSword Overview
DarkSword distinguishes itself by chaining six zero‑day vulnerabilities to execute kernel‑level code from pure JavaScript. The exploit chain is divided into a delivery stage, two sandbox‑escape stages, a remote code execution (RCE) stage, and a final privilege‑escalation stage. Unlike earlier kits such as Coruna, DarkSword’s payloads are delivered entirely in JavaScript, reducing the need for binary sideloading and allowing attackers to bypass Apple’s app‑store restrictions.
Actors and Geographic Reach
GTIG traced activity to at least three distinct clusters: UNC6748, targeting Saudi Arabian users via a Snapchat‑themed website; PARS Defense, a Turkish commercial surveillance vendor with campaigns in Turkey and Malaysia; and UNC6353, a suspected Russian espionage group operating watering‑hole attacks against Ukrainian sites. Each actor adapted the core DarkSword delivery logic to fit their operational needs—adding encryption, anti‑debug checks, or additional fingerprinting—yet all leveraged the same underlying exploit primitives.
Vulnerabilities and Patch Timeline
DarkSword exploits the following vulnerabilities:
- CVE-2025-31277 – memory corruption in JavaScriptCore (patched in iOS 18.6)
- CVE-2025-43529 – garbage‑collection bug in JavaScriptCore (patched in iOS 18.7.3 and 26.2)
- CVE-2026-20700 – PAC bypass in dyld (patched in iOS 26.3)
- CVE-2025-14174 – ANGLE out‑of‑bounds in Safari GPU (patched in iOS 18.7.3 and 26.2)
- CVE-2025-43510 – XNU copy‑on‑write bug (patched in iOS 18.7.2 and 26.1)
- CVE-2025-43520 – XNU VFS race condition (patched in iOS 18.7.2 and 26.1)
Apple notified GTIG in late 2025 and subsequently released iOS 26.3, which addressed all remaining vulnerabilities. Nonetheless, devices running unpatched iOS 18.4–18.7 remain vulnerable.
Malware Families
After successful exploitation, GTIG observed three final‑stage payloads:
- GHOSTKNIFE – a backdoor written in JavaScript that exfiltrates accounts, messages, and media while encrypting traffic with ECDH/AES.
- GHOSTSABER – a versatile backdoor used by PARS Defense, capable of enumerating devices, listing files, executing arbitrary JavaScript, and sending screenshots or location data. It employs a custom binary protocol over HTTP(S).
- GHOSTBLADE – a dataminer focused on collecting communications, contacts, location history, and financial data. It lacks advanced C2 features but deletes crash logs to cover its tracks.
Indicators of Compromise
Security analysts should monitor for the following indicators:
- Domains:
snapshare[.]chat (UNC6748), e5.malaymoil[.]com (PARS Defense), static.cdncounter[.]net (UNC6353) - IP addresses:
62[.]72[.]21[.]10 (GHOSTKNIFE C2), 72[.]60[.]98[.]48 (GHOSTKNIFE C2), sahibndn[.]io (PARS Defense) - File hashes: 2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35 (GHOSTBLADE sample)
Mitigation Recommendations
- Apply iOS updates immediately. Devices running iOS 18.4–18.7 should upgrade to iOS 26.3 or later. If an update is not feasible, enable Lockdown Mode to restrict background services and reduce attack surface.
- Block known malicious domains. Use enterprise or cloud‑based safe‑browsing lists to quarantine snapshare[.]chat, e5.malaymoil[.]com, and static.cdncounter[.]net.
- Monitor network traffic for suspicious HTTP(S) requests. Look for encrypted payloads originating from the IOC IPs listed above and for patterns matching the YARA rules provided by GTIG.
- Implement endpoint detection and response (EDR). Detect anomalous process creation, file writes under /tmp, and deletion of crash logs, which are typical of GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE.
- Educate users. Warn employees about phishing sites that mimic Snapchat, or other legitimate services, and encourage the use of secure browsers that do not allow JavaScript execution in the background.
Outlook
The rapid proliferation of DarkSword across actors of varying motivations underscores the need for coordinated industry efforts. GTIG continues to collaborate with partners such as Lookout, iVerify, and Apple Security Engineering to patch vulnerabilities and share indicators. By enforcing timely updates, tightening network defenses, and monitoring for the signatures described above, organizations can significantly reduce the risk posed by DarkSword and similar exploit chains.

