DarkSword supports iOS versions 18.4 through 18.7 and chains six different vulnerabilities to deploy its final-stage payloads.
What Google Threat Intelligence Group found
Google Threat Intelligence Group (GTIG) identified a new full‑chain iOS exploit that leverages multiple zero‑day vulnerabilities to achieve complete device compromise. Based on toolmarks in recovered payloads, GTIG said, "we believe the exploit chain to be called DarkSword." The group traces active use of the chain back to at least November 2025 and reports that multiple actors—both commercial surveillance vendors and suspected state‑sponsored operators—have employed it in distinct campaigns.
Three post‑exploitation toolsets: GHOSTBLADE, GHOSTKNIFE, GHOSTSABER
GTIG has cataloged three separate malware families deployed after a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These final‑stage payloads are the operational end of the exploit chain: DarkSword establishes full device control, and one of the three ghost‑named families is installed to carry out the operator’s objectives. The grouping into distinct families underscores that multiple buyers or operators are using the same exploit chain to deliver different capabilities.
Geography of operations and known actors
The campaigns identified by GTIG targeted devices in Saudi Arabia, Turkey, Malaysia, and Ukraine. The report highlights both private, commercial surveillance vendors and suspected state‑sponsored actors as users of DarkSword. Notably, UNC6353—described in the findings as a suspected Russian espionage group that previously used the Coruna iOS exploit kit—has recently incorporated DarkSword into watering‑hole campaigns, according to GTIG.
From elite tool to public leak
GTIG observed DarkSword in the wild among limited, targeted deployments. But the chain did not remain tightly held. A week after GTIG’s identification of the exploit, a version of DarkSword leaked onto the internet and began to be used more broadly. The leak materially changes risk: an exploit chain that once required specialized access can be repurposed by a far wider set of operators once its components circulate publicly.
What this means for technologists, policymakers, and end users
- Technologists and security teams: Expect multiple, distinct payloads from the same initial exploit chain; detection and response efforts should look for signs of GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER activity following any evidence of an iOS full‑chain compromise, and track public indicators tied to the leaked code.
- Policymakers and regulators: The rapid leak from a targeted exploit to wider availability amplifies questions about control of offensive cyber tools, regulation of commercial surveillance vendors, and the systemic risk when sophisticated capabilities diffuse beyond narrow user bases.
- End users and device owners: GTIG’s advisory is blunt and practical—the notice concluded, "This news is a month old. Your devices are safe, assuming you patch regularly." For individuals and organizations, timely patching of affected iOS versions is the immediate mitigation available.
The arc of DarkSword is familiar and consequential: a complex, multi‑vulnerability exploit used in targeted campaigns; adoption by multiple operators including a group previously tied to an earlier iOS kit; and then a rapid leak that turns an elite tool into a more general threat. GTIG’s timeline—use since at least November 2025, support for iOS 18.4–18.7, six vulnerabilities in the chain, three distinct final‑stage families, and a public leak one week after discovery—frames the operational reality. The record leaves a clear, narrow imperative: track the indicators GTIG released, watch for the three GHOST families in post‑compromise activity, and keep devices patched.
Source: https://www.schneier.com/blog/archives/2026/05/darksword-malware.html