{
  "name": "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors",
  "slug": "the-proliferation-of-darksword-ios-exploit-chain-adopted-by-multiple-threat-actors",
  "description": "Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain utilizes six different vulnerabilities to deploy final-stage payloads, including three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into their watering hole campaigns targeting Ukrainian websites.",
  "published": "2026-03-18T14:44:33+00:00",
  "created_at": "2026-03-18T14:44:33+00:00",
  "modified_at": "2026-03-18T15:51:15+00:00",
  "created_at_opencti": "2026-03-18T14:44:33+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-18",
    "CVE-2025-14174",
    "CVE-2025-31277",
    "CVE-2025-43510",
    "CVE-2025-43520",
    "CVE-2025-43529",
    "CVE-2026-20700",
    "commercial surveillance",
    "coruna",
    "darksword",
    "exploit chain",
    "ghostblade",
    "ghostknife",
    "ghostsaber",
    "ios",
    "state-sponsored",
    "watering hole",
    "zero-day"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://static.cdncounter.net/assets/index.html"
      },
      {
        "id": "",
        "name": "https://static.cdncounter.net/widgets.js?uhfiu27fajf2948fjfefaa42"
      },
      {
        "id": "",
        "name": "https://snapshare.chat/"
      },
      {
        "id": "",
        "name": "2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35"
      }
    ],
    "malware": [
      {
        "id": "fbc8f15f-fedb-4d99-a19d-e6eb6b41f155",
        "name": "GHOSTBLADE",
        "slug": "ghostblade"
      },
      {
        "id": "f4efbcda-0d69-4428-b70c-b704305eab4a",
        "name": "GHOSTKNIFE",
        "slug": "ghostknife"
      },
      {
        "id": "f2f2de0a-0fe7-4aa4-abdf-3a7a1f08f6f6",
        "name": "GHOSTSABER",
        "slug": "ghostsaber"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067",
        "name": "T1047"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "f48eade0-2f45-4ff7-aa61-8ba887887f81",
        "name": "T1123"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      },
      {
        "id": "743d2e0c-e5d5-4ccb-a6bd-0035c4e88c37",
        "name": "T1176"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "d955a391-6fd0-4eb2-8767-973c39c761e0",
        "name": "T1120"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "7e5fbc10-b908-4ce8-8ba8-9fd70790c6ae",
        "name": "T1562.004"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "e46a9411-d2a1-47c9-8820-c7f818f4c0b5",
        "name": "T1203"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-14174"
      },
      {
        "id": "",
        "name": "CVE-2026-20700"
      },
      {
        "id": "",
        "name": "CVE-2025-43520"
      },
      {
        "id": "",
        "name": "CVE-2025-43510"
      },
      {
        "id": "",
        "name": "CVE-2025-31277"
      },
      {
        "id": "",
        "name": "CVE-2025-43529"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Saudi Arabia"
      },
      {
        "id": "",
        "name": "Malaysia"
      },
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "0x436cc4.open"
      },
      {
        "id": "",
        "name": "sqwas.shapelie.com"
      },
      {
        "id": "",
        "name": "snapshare.chat"
      },
      {
        "id": "",
        "name": "sahibndn.io"
      },
      {
        "id": "",
        "name": "static.cdncounter.net"
      },
      {
        "id": "",
        "name": "e5.malaymoil.com"
      },
      {
        "id": "",
        "name": "0x1fedd2.open"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69bac861fe18a3b724f976fe",
    "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain"
  ]
}