The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
Essential information
- Published: 18/03/2026 15:44
- Modified: 18/03/2026 16:51
- Tags: 2026-03-18, CVE-2025-14174, CVE-2025-31277, CVE-2025-43510, CVE-2025-43520, CVE-2025-43529, CVE-2026-20700, commercial surveillance, coruna, darksword, exploit chain, ghostblade, ghostknife, ghostsaber, ios, state-sponsored, watering hole, zero-day
- Related entities: 6 vulnerabilities (cve), 4 observables, 19 techniques (mitre), 3 malware, 11 others
Description
Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain uses six different vulnerabilities to deploy final-stage payloads, which include three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors that of the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into its watering hole campaigns targeting Ukrainian websites.