DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
- Google Threat Intelligence Group (GTIG) identified a new iOS full-chain exploit called DarkSword, used by multiple threat actors.
- DarkSword exploits six vulnerabilities to compromise iOS devices (versions 18.4-18.7) and deploy malware like GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE.
- Threat actors using DarkSword include UNC6748 (targeting Saudi Arabia), PARS Defense (Turkey and Malaysia), and UNC6353 (Russia-linked, targeting Ukraine).
- DarkSword's exploit chain includes remote code execution (RCE), sandbox escapes, and privilege escalation, leveraging vulnerabilities like CVE-2025-31277 and CVE-2025-43529.
- GTIG reported the vulnerabilities to Apple, which patched them in iOS 26.3. Users are urged to update their devices or enable Lockdown Mode.
- DarkSword's proliferation mirrors the Coruna exploit kit, highlighting risks of spyware misuse across geopolitical boundaries.
- GTIG collaborated with Lookout, iVerify, and Apple to investigate and mitigate DarkSword-related threats.