DarkSword Exploit: New iOS Vulnerability Chain Targets iPhones Globally
Security researchers have uncovered a sophisticated iOS vulnerability chain dubbed 'DarkSword' that allows attackers to compromise iPhones running iOS 18.4 to 18.7 by merely visiting a malicious website. This 'hit-and-run' exploit rapidly steals sensitive data and has been deployed by state-sponsored actors and commercial vendors in multiple countries. Apple has since released updates to patch these critical flaws.
Key Highlights
- DarkSword exploit chain targets iPhones on iOS versions 18.4 through 18.7.
- Compromises devices with a single click by visiting a malicious website.
- Steals extensive sensitive data, including crypto wallet information.
- Known for its rapid data exfiltration and self-deletion post-attack.
- Used by suspected state-sponsored groups and commercial surveillance vendors.
- Apple released the iOS 26.3 update to patch the vulnerabilities.
A significant cybersecurity threat, dubbed 'DarkSword,' has emerged, revealing a sophisticated vulnerability chain capable of compromising iPhones running specific iOS versions. Discovered and reported by Google's Threat Intelligence Group (GTIG) along with cybersecurity firms Lookout and iVerify, this new attack pathway highlights how multiple flaws in Apple's mobile operating system can be chained together to bypass robust security measures.
The DarkSword exploit primarily targets iPhones operating on iOS versions 18.4 through 18.7. The attack method is particularly concerning because it often requires minimal interaction from the user, functioning as a 'one-click' exploit. Victims merely need to visit a malicious website, which then triggers the exploit chain to gain unauthorized access to their device.
The technical complexity of DarkSword involves leveraging six distinct vulnerabilities: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. These vulnerabilities are exploited sequentially to achieve remote code execution, escape the browser's sandbox environment, and escalate privileges to gain deep access into the device's kernel. This multi-stage approach allows attackers to circumvent Apple's security mitigations, including Trusted Path Read-Only (TPRO) and Pointer Authentication Codes (PAC).
Once a device is compromised, DarkSword moves straight to rapid data exfiltration. Researchers describe its approach as a 'hit-and-run': it collects and transmits a vast array of sensitive personal information within seconds to minutes, then deletes its traces from the device. This quick and stealthy operation makes detection extremely difficult. The stolen data can include Wi-Fi passwords, text messages, call history, comprehensive location history, browser history, SIM card and cellular data, as well as health, notes, and calendar databases. Notably, the exploit also targets a plethora of cryptocurrency wallet applications, such as Coinbase, Binance, Kraken, Kucoin, Okx, Mexc, Ledger, Trezor, Metamask, Exodus, Uniswap, Phantom, and Gnosis Safe, indicating a potential financial motivation behind some of the attacks.
The researchers have observed DarkSword being utilized by a variety of threat actors, including both commercial surveillance vendors and suspected state-sponsored groups. The exploit has been active since at least November 2025. Specific campaigns identified include:
* **Ukraine:** A suspected Russian espionage group, tracked as UNC6353 (also associated with the earlier 'Coruna' exploit), deployed DarkSword in watering hole attacks. These attacks targeted Ukrainian users by compromising legitimate Ukrainian news and official government websites, serving the exploit to visitors.
* **Saudi Arabia:** Another threat cluster, UNC6748, used a Snapchat-themed website, snapshare[.]chat, to target Saudi Arabian users multiple times in November 2025.
* **Turkey and Malaysia:** The Turkish commercial surveillance vendor PARS Defense was observed using DarkSword against Turkish iOS users. Subsequently, a customer of PARS Defense extended these operations to target victims in Malaysia.
DarkSword is not an isolated incident; it follows closely on the heels of another significant iOS exploit chain named 'Coruna,' which was disclosed earlier the same month. Coruna targeted older iOS devices, specifically those running iOS versions 13 through 17.2.1, and was also utilized by the UNC6353 group. The discovery of two such sophisticated exploit kits in a short span suggests a growing and dynamic market for high-end mobile exploits, making them accessible to groups beyond traditional state-backed actors.
In response to these critical findings, Apple has acted swiftly to address the vulnerabilities. The company has released the iOS 26.3 update, which includes patches for all the identified flaws exploited by DarkSword. Apple has also rolled out special security updates for older iPhone models that cannot be upgraded to the latest iOS versions, so that a broader range of devices receives the critical fixes. Apple has reiterated that keeping software up to date is the single most effective measure users can take to keep their Apple devices secure. The Indian Computer Emergency Response Team (CERT-In) has also previously issued high-severity warnings for Apple users regarding vulnerabilities, advising immediate updates.
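As an added illustration from the defender's side (example code written for this page, not code from the article or from GTIG, Lookout or iVerify), the script below ties together the watering-hole indicator from the Saudi Arabia campaign described above and the affected-version ranges the article gives for DarkSword (iOS 18.4 through 18.7) and Coruna (iOS 13 through 17.2.1). It scans constructed web-proxy log lines for requests to the reported domain and, for each hit, reports whether the client's iOS version (as carried in its User-Agent string) falls inside an affected range, so that the devices most in need of the iOS 26.3 update surface first. The log format, the sample lines, and the choice to treat 18.7.x point releases as affected (and 17.2.1 as the last Coruna version) are assumptions; the only indicator taken from the article is snapshare[.]chat.

```python
# Added example, not code from the original article or from GTIG, Lookout or iVerify.
# Triage a web-proxy log: flag requests to the reported watering-hole domain and
# rank each hit by whether the client's reported iOS version is in an affected range.
import re
from urllib.parse import urlsplit

# Defanged indicator exactly as published in the article; refanged before matching.
REPORTED_DOMAINS = ["snapshare[.]chat"]

# Affected ranges as (inclusive lower bound, exclusive upper bound) version tuples.
# Assumption: any 18.7.x point release counts as affected for DarkSword, and
# 17.2.1 is the last affected version for Coruna (the article says "through").
AFFECTED_RANGES = {
    "DarkSword": ((18, 4), (18, 8)),
    "Coruna": ((13, 0), (17, 2, 2)),
}
FIXED_IN = (26, 3)  # iOS 26.3 carries the DarkSword patches per the article

# Constructed log format: timestamp, client IP, HTTP status, method, URL, quoted User-Agent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<method>[A-Z]+)\s+'
    r'(?P<url>\S+)\s+"(?P<ua>[^"]*)"$'
)
UA_IOS_RE = re.compile(r"iPhone OS (\d+_\d+(?:_\d+)?)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain or a subdomain of it. Deliberately not a substring
    test: 'notsnapshare.chat' must not match 'snapshare.chat'."""
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def parse_version(text: str):
    """'18.7.2' or '18_6' -> (18, 7, 2) / (18, 6); None if the string is not a version."""
    m = re.fullmatch(r"(\d+)[._](\d+)(?:[._](\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def ios_version_from_ua(ua: str):
    """Extract the iOS version an iPhone User-Agent advertises; None for other clients."""
    m = UA_IOS_RE.search(ua)
    return parse_version(m.group(1)) if m else None


def exposed_chains(version):
    """Names of the exploit chains whose affected range contains this version.
    Tuple comparison avoids the string trap where '18.10' sorts before '18.4'."""
    if version is None:
        return []
    return [name for name, (lo, hi) in AFFECTED_RANGES.items() if lo <= version < hi]


def triage_proxy_log(lines, indicators=REPORTED_DOMAINS):
    """Return one record per request whose host matches a reported indicator."""
    domains = [refang(i) for i in indicators]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production tool would count and report these
        host = urlsplit(m["url"]).hostname or ""
        if not any(host_matches(host, d) for d in domains):
            continue
        version = ios_version_from_ua(m["ua"])
        hits.append({
            "client": m["client"],
            "host": host,
            "ios": version,
            "exposed_to": exposed_chains(version),
        })
    return hits


# Constructed sample lines (clients, timestamps and User-Agents are invented).
SAMPLE_LOG = [
    '2025-11-14T10:02:11Z 10.1.4.23 200 GET https://snapshare.chat/invite?id=abc '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X) AppleWebKit/605.1.15"',
    '2025-11-14T10:02:40Z 10.1.4.24 200 GET https://cdn.snapshare.chat/app.js '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 26_3 like Mac OS X) AppleWebKit/605.1.15"',
    '2025-11-14T10:03:00Z 10.1.4.40 200 GET https://notsnapshare.chat/ '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15"',
    '2025-11-14T10:04:00Z 10.1.4.41 200 GET https://example.com/snapshare.chat '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-11-14T10:05:30Z 10.1.4.25 200 GET https://snapshare.chat/ '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 17_1 like Mac OS X) AppleWebKit/605.1.15"',
]

if __name__ == "__main__":
    for hit in triage_proxy_log(SAMPLE_LOG):
        print(hit)
```

A match here means a client reached the reported domain, not that the device was compromised; because the article says the implant deletes its traces within minutes, the proxy or DNS record may be the only durable evidence of the visit, which is why it is worth keeping. The User-Agent version is client-supplied and serves only to prioritise follow-up; the authoritative version inventory comes from device management, where the same `exposed_chains` check can be applied to every enrolled iPhone to drive the iOS 26.3 update.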
This incident underscores the constant cat-and-mouse game between cybersecurity researchers, tech companies, and malicious actors, emphasizing the need for continuous vigilance and prompt software updates for all users globally.
Frequently Asked Questions
What is the 'DarkSword' exploit and how does it affect iPhones?
The 'DarkSword' exploit is a sophisticated chain of vulnerabilities that allows attackers to gain unauthorized access to iPhones running iOS versions 18.4 through 18.7. It can compromise a device with a 'one-click' attack, often just by visiting a malicious website, and then rapidly steal sensitive data before deleting its traces.
Which iOS versions are vulnerable to DarkSword, and what data is at risk?
iPhones running iOS versions 18.4 to 18.7 are susceptible to the DarkSword exploit. Attackers can steal a wide range of sensitive data, including messages, call history, location data, browser history, Wi-Fi passwords, credentials, and even cryptocurrency wallet information.
Who is behind the DarkSword attacks and where have they been observed?
Multiple threat actors, including suspected Russian state-sponsored groups and commercial surveillance vendors, have been using DarkSword since November 2025. Attacks have been observed targeting users in Ukraine, Saudi Arabia, Turkey, and Malaysia.
What should iPhone users do to protect themselves from DarkSword and similar exploits?
Apple strongly advises all iPhone users to update their devices to the latest iOS version, specifically iOS 26.3 or later, as these updates contain patches for the DarkSword vulnerabilities. Regularly updating software is the most critical step to maintain device security.
How does DarkSword compare to other iPhone spyware, and why is it particularly concerning?
Unlike some spyware designed for long-term surveillance, DarkSword employs a 'hit-and-run' strategy, rapidly collecting and exfiltrating data within minutes before self-deleting. This makes it challenging to detect and adds to the urgency for users to update their devices. Its ability to compromise devices with a single click and its widespread use by various threat actors make it particularly concerning.