What is DarkSword? The iOS exploit kit targeting vulnerable iOS versions

DarkSword is a full-chain iOS exploit kit that was used to compromise vulnerable iPhones through malicious websites. It was a zero-day threat at the time of discovery, but now that the flaws are patched and the exploit code is reportedly public, outdated iPhones face a bigger risk. Here’s how DarkSword worked, who used it, and how to reduce your own risk.

May 21, 2026

13 min read

DarkSword iOS exploit: How the iPhone threat works

What is DarkSword?

DarkSword is a full-chain iOS exploit kit that Google Threat Intelligence Group (GTIG) identified in attacks against iPhone users. In simple terms, it was a toolkit attackers used to turn a malicious web page load into broader access to a vulnerable iPhone.

An exploit is a way to abuse a software flaw. An exploit kit is a collection of those attack tools. A full-chain exploit means several flaws are used together, one after another, because one bug is usually not enough to fully compromise a modern iPhone.

That context helps clear up a common confusion. DarkSword is linked to iPhone spyware campaigns, but it is not exactly the same thing as the final spyware. Think of DarkSword as the break-in tool. After the break-in, attackers could run a payload, which is the malware or malicious code that performs the next task, such as stealing data or keeping access to the device.

DarkSword was also delivered through watering hole attacks. A watering hole attack is when attackers compromise or imitate a website that a specific group of people is likely to visit. If a vulnerable iPhone loaded one of those pages, the attack could start in the background without a normal app download prompt.

At the time of discovery, DarkSword used several then-zero-day flaws and other vulnerabilities. A zero-day exploit is an attack that uses a flaw before a fix is available. Now that Apple has released fixes, phrases like “iPhone zero day exploit” describe the original attacks, not the current patched state.

DarkSword exploit discovery timeline

GTIG publicly disclosed DarkSword on March 18, 2026, but attackers had used it earlier. Since at least November 2025, several groups had used the DarkSword iOS exploit kit in separate campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine.

The first known case involved UNC6748, a threat cluster targeting users in Saudi Arabia. A threat cluster is a group of related activity that researchers track, even when they may not know the real people behind it. Attackers used a Snapchat-themed website to load DarkSword and then deliver GHOSTKNIFE.

GTIG later observed DarkSword activity linked to PARS Defense, a Turkish commercial surveillance vendor, and UNC6353, a suspected Russian espionage group previously associated with Coruna, another iOS exploit kit. These campaigns targeted users in Turkey, Malaysia, and Ukraine, and used different final-stage payloads.

The important part is how quickly the same exploit kit appeared across different campaigns. By the time DarkSword became public, several groups had already used it with different targets and payloads. That makes DarkSword more than an isolated attack against iPhones. It shows how advanced exploit tools can spread from one campaign to another.

How does DarkSword work?

DarkSword can turn a simple page visit into a path toward device compromise — but only if the iPhone is running a vulnerable, outdated iOS version.

The attack does not start with an app installation; it starts in the browser. A target visits a compromised or attacker-controlled website, and hidden code on the page checks whether the iPhone looks vulnerable, for example by reading the iOS version the browser advertises. If it does, the page can load the next part of the DarkSword iOS exploit.

From there, the attack moves in stages. First, it targets the browser, because that is the part of the phone handling the web page. Then it tries to escape the browser’s safety restrictions — also called a sandbox. A sandbox is meant to keep risky web content away from more sensitive parts of the device.

If the sandbox escape works, the attack can move deeper into iOS. That gives the final malware more room to collect data, stay active, or carry out other actions. A DarkSword iOS exploit diagram would show the attack moving from a visited web page, to browser-stage code execution, to sandbox escape, to kernel-level access, and finally to a payload running on the device.

That is why the question of whether an iPhone can get malware needs a careful answer. iOS has strong built-in protections, but advanced exploit chains can still break through when they target unpatched vulnerabilities.
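The version check described above is the one step of a watering-hole attack that needs no vulnerability at all: Safari advertises the iOS version in its User-Agent header, and the landing page simply decides whether to proceed. The following is an added example, not DarkSword's code or anything from GTIG's research. It parses that version string and flags clients below a minimum, and runs the same parse over constructed web-server log lines so a defender can find outdated iPhones visiting a site they operate. The minimum version is a placeholder, because this page does not list the patched iOS versions.

```javascript
// Added example (not DarkSword's code): parse the iOS version that Safari
// advertises in its User-Agent header and flag versions below a minimum.
// Watering-hole landing pages gate their exploit on a check like this;
// defenders can run the same parse over access logs to find out-of-date devices.

// Placeholder: the article does not list the patched iOS versions, so this
// value is an assumption an operator would replace with the real patch level.
const MIN_ACCEPTABLE_IOS = [18, 4, 0];

// Safari on iPhone reports "CPU iPhone OS 17_6_1 like Mac OS X";
// an iPad using the mobile UA reports "CPU OS 17_6 like Mac OS X".
const IOS_UA_RE = /CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X/;

// Returns [major, minor, patch] or null if the UA is not an iOS Safari-style UA.
function parseIOSVersion(userAgent) {
  const m = IOS_UA_RE.exec(userAgent);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)];
}

// Lexicographic comparison of [major, minor, patch]; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function isBelow(version, minimum) {
  return compareVersions(version, minimum) < 0;
}

// Pull the User-Agent (the last double-quoted field) out of a combined-format
// access log line. Returns null if the line has no quoted fields.
function userAgentFromLogLine(line) {
  const quoted = line.match(/"([^"]*)"/g);
  if (!quoted) return null;
  return quoted[quoted.length - 1].slice(1, -1);
}

// Return the log entries whose client advertises an iOS version below
// `minimum`. The UA is client-controlled and can be spoofed or frozen,
// so this is a heuristic for triage, not proof either way.
function findOutdatedIOSClients(logLines, minimum = MIN_ACCEPTABLE_IOS) {
  const flagged = [];
  for (const line of logLines) {
    const ua = userAgentFromLogLine(line);
    if (ua === null) continue;
    const version = parseIOSVersion(ua);
    if (version && isBelow(version, minimum)) {
      flagged.push({ ip: line.split(' ')[0], version: version.join('.'), ua });
    }
  }
  return flagged;
}

// Constructed sample log lines (not real traffic): one outdated iPhone,
// one iPhone at the placeholder minimum, one desktop browser.
const SAMPLE_LOG = [
  '203.0.113.10 - - [18/Mar/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1"',
  '203.0.113.11 - - [18/Mar/2026:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.4 Mobile/15E148 Safari/604.1"',
  '203.0.113.12 - - [18/Mar/2026:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36"',
];

for (const hit of findOutdatedIOSClients(SAMPLE_LOG)) {
  console.log(`${hit.ip}: iOS ${hit.version} is below ${MIN_ACCEPTABLE_IOS.join('.')}`);
}
```

Two caveats matter when using this defensively. The User-Agent is whatever the client chooses to send, so a spoofed or frozen string can hide a vulnerable device or falsely flag a patched one; the result is a triage list, not a verdict. And the same ease of parsing is exactly why an attacker's landing page can silently serve benign content to everyone except the outdated iPhones it wants.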

The DarkSword iOS exploit chain

The DarkSword iOS exploit chain worked like a series of locked doors. Each vulnerability helped the attackers open one more door, moving from the browser to the deeper device access needed to run a final payload.

You do not need to memorize every CVE number to understand the risk. A CVE is a public tracking number for a known cybersecurity vulnerability — basically, a way for researchers and vendors to refer to the same flaw clearly. In DarkSword’s case, those CVEs pointed to weaknesses in parts of iOS that handle web pages, graphics, security checks, and system permissions.

One flaw started the attack in the browser. Other flaws helped it get around Apple’s safety barriers and gain the privileges needed to run malware. That is what makes DarkSword a “chain”: it did not rely on one bug, but connected several bugs together to move deeper into the device.

You may see names like JavaScriptCore, dyld, ANGLE, and XNU in the original research. These are parts of iOS that help handle web pages, graphics, app loading, and core system functions. You do not need to know each one in detail to understand the risk. The important point is that DarkSword moved through several layers of iPhone security, not just one weak spot.

Apple has since patched the vulnerabilities used by DarkSword. That is why an updated iPhone is much harder to target with this specific chain. An outdated iPhone, especially one running an affected iOS version, carries more risk.

Final payloads

After a successful compromise, DarkSword could run a final payload on the iPhone. In this context, a payload is the malware that runs after the exploit succeeds and decides what the attacker can do next.

Researchers identified three final-stage malware families in the documented DarkSword campaigns:

  1. GHOSTBLADE: An information-stealing JavaScript payload linked to UNC6353, the suspected Russian espionage group. It could collect and exfiltrate personal, device, browser, communication, and cryptocurrency wallet-related data from compromised iPhones.
  2. GHOSTKNIFE: A JavaScript backdoor linked to UNC6748, a threat cluster associated with DarkSword activity targeting Saudi Arabian users. It could collect account data, messages, browser data, location history, and recordings. It could also download files from its command-and-control server, take screenshots, record audio, and erase crash logs.
  3. GHOSTSABER: A JavaScript payload linked to PARS Defense, the Turkish surveillance vendor. It could identify devices and accounts connected to the target, list files, exfiltrate data, run SQL queries, and execute arbitrary JavaScript code.

This does not mean DarkSword can only deliver these three payloads. DarkSword creates the access, but the attacker decides what to run after the compromise. Future attacks that reuse DarkSword code could deliver different malware.

What can DarkSword do?

DarkSword’s main danger is that it can help attackers get past the usual limits of a web page. A normal website should not be able to reach deep into your iPhone, read private data, or help malware keep running. DarkSword was dangerous because it gave attackers a way to move beyond the browser on vulnerable devices.

What happens after that depends on the final malware the attacker chooses to run. In the campaigns described by researchers, those final payloads focused on surveillance, data theft, and backdoor-style access. In plain terms, that means a compromised iPhone could expose information such as account details, messages, browser data, files, contacts, call logs, location history, device information, and cryptocurrency-related data.

Some of the observed malware could also take more active steps. Depending on the payload, attackers could take screenshots, record audio, download files from a server they controlled, run commands, or delete crash logs to make the attack harder to investigate.

That does not mean DarkSword could automatically empty every crypto wallet or take over every iPhone it touched. The risk depended on the iOS version, the exploit stage that worked, the final payload, and what data was available on the device. Still, the impact could be serious because the attack started from something as ordinary as visiting a web page.

That is why DarkSword matters even if you are not a cybersecurity expert. It shows that iPhone malware is not always about suspicious apps or obvious scam links. In rare, targeted cases, an outdated iPhone can be exposed through the browser — and the real damage starts after the attacker gets deeper access.

Who is behind DarkSword?

DarkSword was initially linked to several actors in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. GTIG described the wider activity as involving commercial surveillance vendors and suspected state-sponsored actors.

The original campaigns matter for attribution. They show who used DarkSword when researchers documented the activity, which regions were targeted, and how the exploit kit spread across different groups.

The current risk is broader because exploit code has reportedly become public, meaning other actors may be able to reuse or adapt it against outdated iPhones.

GTIG connected three groups to the documented DarkSword campaigns, each with a different targeting context and final-stage payload:

  • UNC6748: A threat cluster linked to the Saudi Arabia campaign. It used a Snapchat-themed website to target users in Saudi Arabia.
  • PARS Defense: A Turkish commercial surveillance vendor linked to DarkSword activity in Turkey and Malaysia.
  • UNC6353: A suspected Russian espionage group linked to campaigns targeting Ukrainian users through compromised websites. GTIG had previously associated the same group with Coruna, an earlier iOS exploit kit.

In other words, the documented operators explain where DarkSword was first seen. They do not define the full risk today, because public exploit code can widen the pool of potential users.

How can you spot possible DarkSword exposure?

Start with this: most strange iPhone behavior is not DarkSword. Battery drain, heat, crashes, and slowdowns usually have normal explanations. Still, if your iPhone runs an affected older iOS version and something suspicious happened while browsing, it is worth taking the signs seriously.

If you suspect a DarkSword attack on your iPhone, look for warning signs in combination rather than one clear proof:

  • Unusual account activity: Sudden security alerts, unexpected login attempts, password reset emails, or unfamiliar devices connected to important accounts.
  • Strange browser behavior: Unexpected redirects, repeated crashes after visiting a specific page, or unusual activity after opening a link from a site that seemed legitimate.
  • Device instability: Overheating, battery drain, slowdowns, or unexpected reboots that begin after you visit an unusual page.
  • Messaging or cloud-service issues: Odd behavior around iMessage, mail, cloud storage, or messaging apps, especially if sensitive accounts show activity you do not recognize.

None of these signs confirms DarkSword exposure on its own. They are more concerning if your iPhone runs an affected older iOS version, the problems started after suspicious browsing activity, or you are someone attackers may have a reason to target, such as a journalist, activist, government worker, executive, researcher, or person handling sensitive information.

If the concern is serious, avoid wiping the phone immediately. Write down what happened, save the suspicious link if you can do so safely, review important accounts from a different trusted device, and contact a trusted security professional or your organization’s security team. For everyday prevention, start with basic iPhone security best practices before moving into more advanced protections.

How to protect your iPhone from DarkSword

Your first move should be simple — update your iPhone. DarkSword targeted vulnerable iOS versions, and Apple has patched the flaws used in the chain.

If you are a high-risk user, consider Lockdown Mode. Apple built this mode for people who may be personally targeted by sophisticated digital attacks, such as journalists, activists, government staff, and people with access to sensitive information. Lockdown Mode limits certain web features, media handling, messages, and connections, reducing the attack surface that a browser-based chain like DarkSword depends on.

Be careful with links, even when a website looks familiar. DarkSword showed why this advice still matters: attackers do not always need to send a strange file or ask you to install an app. Treat unexpected redirects, repeated browser crashes, and apps or configuration profiles you do not recognize as warning signs rather than minor annoyances.

Use security tools as extra protection, not as a promise that they will detect DarkSword. On iOS, NordVPN’s Threat Protection can help block unsafe domains while you are connected to the VPN. On supported desktop devices, Threat Protection Pro™ can help block malicious links, phishing pages, trackers, and malware downloads. Advanced iPhone spyware may still require investigation by a specialist.

If you think your iPhone was targeted, restart it, install the latest iOS update, review account logins, change important passwords from a trusted device, and check for unknown configuration profiles. Keep in mind that a restart can interrupt malware that has not established persistence, but it also destroys volatile evidence an investigator might need; if you expect a specialist to examine the device, ask them before rebooting or updating. A guide on how to remove malware from iPhone can help with basic cleanup steps, but targeted spyware concerns should be handled carefully.

Domantas Lapinskas

Domantas writes about cybersecurity, privacy, and the strange little ways the internet gets people into trouble. He offers clear, practical advice for staying safe online that is easier to remember than another complicated password.