Skip to main content
Emerging ThreatsMalware & Ransomware

DarkSword Exploit Chain Spreads Across Threat Actors

Shadowy figure in hoodie sits before laptop with eerie glow, surrounded by clutter, with cityscape and damaged skyscrapers…

What happens when a single iOS exploit chain moves from one operator's toolkit into the hands of many? In late 2025 and into 2026, Google Threat Intelligence Group (GTIG) found an answer: a compact, multi-vulnerability exploit called DarkSword that has been used by a range of actors to fully compromise iPhones across several countries.

Discovery and scope: a full-chain exploit in the wild

GTIG identified DarkSword as a full-chain iOS exploit that leverages multiple zero‑day vulnerabilities to achieve complete device compromise. Based on toolmarks in recovered payloads, GTIG believes the exploit chain to be called DarkSword. The group first observed multiple users of the chain dating back to November 2025.

GTIG reported that multiple commercial surveillance vendors and suspected state‑sponsored actors have used DarkSword in distinct campaigns. The campaigns deployed the exploit against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

Technical profile: versions, vulnerabilities, and payloads

  • Supported iOS versions: DarkSword targets devices running iOS 18.4 through 18.7.
  • Vulnerabilities: the exploit chain uses six different vulnerabilities to reach and install final‑stage payloads.
  • Final‑stage malware: GTIG identified three distinct malware families deployed after successful DarkSword compromises — GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
  • Patching and disclosure: GTIG reported the vulnerabilities to Apple in late 2025; all were patched with the release of iOS 26.3, though most fixes appeared prior to that release.

Campaign dynamics and actor behavior

GTIG notes that the proliferation of DarkSword across different operators mirrors an earlier pattern observed with the Coruna iOS exploit kit. In one example of overlap between exploit toolsets and actors, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into its watering‑hole campaigns.

GTIG worked in coordination with industry partners Lookout and iVerify on this research, and added domains involved in DarkSword delivery to Google's Safe Browsing service.

What this means for users, defenders, and policymakers

GTIG’s central guidance is straightforward and technical: update devices to the latest version of iOS. For environments where updates are not immediately possible, GTIG recommends enabling Lockdown Mode as an additional mitigation.

The facts reported by GTIG — a single exploit chain used by multiple commercial and state‑linked operators, deployment across several countries, and the emergence of multiple final‑stage malware families — underline a practical dilemma for defenders. When an exploit chain is adopted by a range of actors, the same vulnerability set can be reused in different operational contexts, broadening the impact of any single compromise. GTIG’s disclosure to Apple and the subsequent patches in iOS 26.3 illustrate the remediation path; the addition of delivery domains to Safe Browsing illustrates the network‑level response.

For policymakers and incident responders, the record here is clear: tool proliferation matters. For everyday users, the immediate takeaway is no less plain — install the security updates GTIG and its partners have identified, and enable Lockdown Mode if you cannot update right away.

If a single chain of six vulnerabilities can ferry multiple families of spyware into devices across four countries, what will the next shared exploit kit make possible?

https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/