DarkSword iOS Exploit Chain: Analyzing Multi-Actor Zero-Day Campaigns
- [01] DarkSword is a sophisticated full-chain exploit targeting iOS 18.4 to 18.7, enabling complete device compromise and kernel-level access by multiple threat actors.
- [02] Affected systems include iPhones running iOS versions 18.4 through 18.7 that have not applied the latest security patches released in early 2026.
- [03] Organizations must immediately update all iOS devices to version 26.3 or higher and consider enabling Lockdown Mode for high-risk individuals.
Google Threat Intelligence Group (GTIG) has disclosed a sophisticated zero-day exploit chain, identified as DarkSword, which has been weaponized by multiple distinct clusters since late 2025. According to Google Threat Intelligence, this full-chain exploit has been adopted by commercial surveillance vendors and by an APT cluster suspected of state-sponsored espionage. The proliferation of this kit mirrors the earlier Coruna exploit kit, highlighting a growing trend in which high-end mobile exploits are distributed across disparate threat actors targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine.
Analyzing the DarkSword iOS Exploit Chain
The DarkSword chain is technically distinct because it utilizes pure JavaScript for all stages, from initial RCE to the final Privilege Escalation. This approach allows the attackers to bypass modern mitigations like Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM) by remaining within the JavaScript runtime environment until kernel-level control is achieved.
The exploit sequence begins with a remote code execution vulnerability in JavaScriptCore. On devices running versions prior to iOS 18.6, the chain leverages CVE-2025-31277. For newer iterations (iOS 18.6–18.7), attackers utilized CVE-2025-43529, a garbage collection bug in the Data Flow Graph JIT layer. These are combined with CVE-2026-20700, a zero-day Pointer Authentication Code (PAC) bypass in dyld, which is necessary to transition into native code execution and further exploit stages.
Following RCE, the chain executes two sandbox escapes. The first, CVE-2025-14174, targets ANGLE to move from the WebContent sandbox to the GPU process. The second escape, CVE-2025-43510, exploits an XNU memory management flaw to reach the mediaplaybackd service. The final stage uses CVE-2025-43520, a kernel race condition in the virtual filesystem (VFS), to grant the attacker full physical memory read/write access.
How to Detect GHOSTBLADE Malware and Related Payloads
Once the kernel is compromised, different actors deploy unique final-stage payloads. GTIG identified three primary malware families associated with DarkSword:
- GHOSTKNIFE: Deployed by UNC6748 via Snapchat-themed Phishing sites. This backdoor uses a custom encrypted binary protocol for its C2 communications and can exfiltrate messages, location history, and live audio recordings.
- GHOSTSABER: Utilized by the Turkish vendor PARS Defense. This JavaScript-based backdoor features an ExecuteSqliteQuery command that allows attackers to query any SQLite database on the device, including those belonging to secure messaging apps.
- GHOSTBLADE: Employed by the suspected Russian espionage actor UNC6353 in watering hole attacks targeting Ukrainian government and civil society websites.
Security teams can identify these threats by monitoring for specific IoC artifacts. GHOSTBLADE, for instance, writes specific file paths such as /private/var/tmp/wifi_passwords.txt and performs cleanup of crash reports in /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/. Notably, GHOSTBLADE source code contained a reference to a function named startSandworm(), potentially linking it to broader Russian operations such as those attributed to Sandworm.
Mitigation and Defense Recommendations
To mitigate the DarkSword zero-day chain on iOS 18.4 through 18.7, organizations must prioritize the following actions:
- System Updates: Immediately upgrade all mobile assets to iOS 26.3 or later. This version contains the comprehensive patches for the PAC bypass and the XNU kernel race conditions used in the DarkSword chain.
- Lockdown Mode: For high-risk individuals within the SOC remit, enabling Apple’s Lockdown Mode provides a significant layer of defense by reducing the browser’s attack surface, specifically disabling the JIT optimizations targeted by DarkSword.
- Network Monitoring: Block known delivery domains, including snapshare[.]chat, static.cdncounter[.]net, and sqwas.shapelie[.]com, within corporate EDR and gateway solutions.
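As an added example (not code from GTIG or from the article), the following script turns the indicators above into two defender-side checks: it matches the delivery domains against proxy or DNS log lines, and it looks for the GHOSTBLADE file artifacts in a device file inventory. The log format and all sample data are constructed assumptions, not a real product format.

```python
import re

# Delivery domains quoted in the article (defanged there with "[.]"); refanged for matching.
DELIVERY_DOMAINS = {
    d.replace("[.]", ".")
    for d in ("snapshare[.]chat", "static.cdncounter[.]net", "sqwas.shapelie[.]com")
}

# On-device artifacts the article attributes to GHOSTBLADE.
GHOSTBLADE_ARTIFACTS = ("/private/var/tmp/wifi_passwords.txt",)
CRASH_REPORT_DIR = ("/private/var/containers/Shared/SystemGroup/"
                    "systemgroup.com.apple.osanalytics/DiagnosticReports/")

# Assumed log format (constructed): "<timestamp> <client-ip> <requested-host> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})$")


def matched_hosts(lines):
    """Return (client, host) pairs whose host is a known delivery domain or a subdomain of one."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # skip lines that do not fit the assumed format
            continue
        host = m.group("host").lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in DELIVERY_DOMAINS):
            hits.append((m.group("client"), host))
    return hits


def ghostblade_artifacts(inventory):
    """Return file paths from a device inventory (e.g. a backup listing) that match GHOSTBLADE artifacts."""
    return [p for p in inventory if p in GHOSTBLADE_ARTIFACTS]


def crash_reports_present(inventory):
    """False when no crash report exists under DiagnosticReports. The article notes GHOSTBLADE
    cleans this directory, so an empty one is a weak signal worth correlating with other findings."""
    return any(p.startswith(CRASH_REPORT_DIR) for p in inventory)


# Constructed sample data for a stand-alone run.
SAMPLE_LOG = [
    "2026-01-10T09:12:01Z 10.0.0.21 www.example.com 200",
    "2026-01-10T09:12:05Z 10.0.0.21 snapshare.chat 200",
    "2026-01-10T09:13:40Z 10.0.0.33 cdn.static.cdncounter.net 302",
    "malformed line",
]
SAMPLE_INVENTORY = [
    "/private/var/tmp/wifi_passwords.txt",
    "/private/var/mobile/Library/Preferences/com.example.plist",
]

if __name__ == "__main__":
    print("network hits:", matched_hosts(SAMPLE_LOG))
    print("file artifacts:", ghostblade_artifacts(SAMPLE_INVENTORY))
    print("crash reports present:", crash_reports_present(SAMPLE_INVENTORY))
```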