
DarkSword iOS Exploit Unleashed: Six Zero-Day Vulnerabilities Weaponized by State Actors

Last updated: 2026-05-08 12:17:14 · Cybersecurity

A sophisticated iOS exploit chain, dubbed DarkSword, has been actively targeting devices running iOS versions 18.4 through 18.7 since at least November 2025. The chain, identified by Google Threat Intelligence Group (GTIG), employs six zero-day vulnerabilities in a single full-chain exploit to deliver final-stage payloads.

Source: www.schneier.com

"This is one of the most advanced iOS exploit chains we’ve observed to date," said a GTIG spokesperson. "The use of six separate zero-days in a coordinated attack chain suggests a highly resourced developer, likely with government backing."

Multiple commercial surveillance vendors and suspected state-sponsored actors have deployed DarkSword in distinct campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine. GTIG has linked the exploit to three malware families—GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER—which are dropped post-compromise.

One week after GTIG identified DarkSword, a version of the exploit chain leaked onto the open internet, enabling broader misuse beyond the initial threat actors. The leak has raised concerns about a surge in attacks against unpatched iOS devices worldwide.

GTIG notes that the threat group UNC6353, a suspected Russian espionage team previously observed using the Coruna iOS exploit kit, has now integrated DarkSword into its watering hole campaigns.

Background

DarkSword is a full-chain iOS exploit that Google believes was designed by a government entity. It requires no user interaction and silently compromises devices through a chain of six distinct zero-day vulnerabilities. The name comes from toolmarks that GTIG recovered in the payloads.

The exploit supports iOS versions 18.4 through 18.7 and uses the six zero-day vulnerabilities to achieve kernel-level access and bypass security mitigations. Its spread mirrors that of the earlier Coruna exploit kit, which also saw widespread adoption across multiple threat actors.

What This Means

For ordinary iPhone users, the immediate risk is low—provided you have installed all available iOS updates. Apple has likely patched the vulnerabilities exploited by DarkSword in the months since its discovery. However, the leak of the exploit chain means that even less sophisticated actors may now attempt to use it against older, unpatched devices.

Organizations with high-value targets—journalists, activists, diplomats, or corporate executives—should ensure all iOS devices are updated to the latest version immediately. GTIG recommends enabling automatic updates and using device management tools to enforce patch compliance.
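
As an added example (not from GTIG or the original article), the patch-compliance check recommended above can be run over a device-management inventory export, flagging devices against the 18.4 through 18.7 range given in this article. The CSV column names, sample rows and status labels are constructed assumptions, and counting point releases such as 18.7.2 as in range is also an assumption.

```python
import csv
import io
import re

# Version range the article says DarkSword supports.
AFFECTED_MIN, AFFECTED_MAX = (18, 4), (18, 7)

# Constructed sample of an MDM inventory export; column names are assumptions.
SAMPLE_CSV = """device_id,platform,os_version
iph-001,iOS,18.4
iph-002,iOS,18.7.2
iph-003,iOS,18.10
iph-004,iOS,18.3.2
iph-005,iOS,unknown
iph-006,iOS,26
mac-007,macOS,15.1
"""

def parse_version(text):
    """Return (major, minor) as ints, or None if the field is not a version."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.\d+)*", text.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def classify(os_version):
    """Place a version relative to the range, comparing numerically so that
    18.10 sorts after 18.7 (a plain string comparison would get this wrong)."""
    v = parse_version(os_version)
    if v is None:
        return "unknown"       # no usable version: needs manual follow-up
    if v < AFFECTED_MIN:
        return "below-range"   # outside the listed range, still behind on updates
    if v <= AFFECTED_MAX:
        return "in-range"      # assumption: point releases (18.7.x) count as 18.7
    return "above-range"       # outside the listed range; not proof of a fix

def triage(csv_text):
    """Map each iOS device_id to its status; other platforms are skipped."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("platform") or "").strip().lower() == "ios":
            out[row["device_id"]] = classify(row.get("os_version") or "")
    return out

def needs_action(csv_text):
    """Devices to update or investigate: everything not above the range."""
    return sorted(d for d, s in triage(csv_text).items() if s != "above-range")

if __name__ == "__main__":
    for device, status in triage(SAMPLE_CSV).items():
        print(device, status)
```
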

The proliferation of DarkSword mirrors a troubling trend: advanced, government-grade exploits are leaking into the broader cybercriminal ecosystem. This lowers the barrier for espionage and surveillance operations. As GTIG states, "Vigilant patching remains the single most effective defense against zero-day exploits."

Given that this news is already a month old, most users are likely safe if they update regularly. Check your iOS version and install any pending updates now.