State-Sponsored Hackers and Spyware Vendors Utilize DarkSword iOS Exploit Kit for Malicious Activities
Sophisticated iOS Exploit Kit ‘DarkSword’ Used by State-Backed Actors and Commercial Surveillance Vendors
A newly discovered iOS exploit kit, dubbed DarkSword, has been found to be used by both state-backed actors and commercial surveillance vendors. This sophisticated kit targets six vulnerabilities in Apple’s mobile platform, leading to full device compromise with minimal user interaction.
Research and Discovery
Research by iVerify, Google, and Lookout revealed that DarkSword shares infrastructure with another exploit kit, Coruna, which was previously used in watering hole attacks against Ukraine. The discovery suggests that both kits are part of the same threat actor’s arsenal.
Technical Details
DarkSword, written entirely in JavaScript, begins by exploiting Safari bugs to achieve remote code execution. It then proceeds to escape the sandbox and exploit kernel flaws to inject and execute JavaScript code for privilege escalation and final payload execution. The targeted vulnerabilities include CVE-2025-31277, CVE-2025-43529, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520, and CVE-2026-20700.
The chain opens with two JIT bugs in the WebContent process, which yield arbitrary memory read/write primitives. It then uses a vulnerability that bypasses the Trusted Path Read-Only and Pointer Authentication Codes (PAC) protections, and combines an out-of-bounds write in ANGLE with that PAC bypass to escape Safari’s sandbox via the GPU process.
From the GPU process, the exploit attacks the XNU kernel through a copy-on-write bug, which gives arbitrary memory read/write primitives in the mediaplaybackd daemon. These primitives are then used to exploit a kernel privilege-escalation vulnerability.
Final Payload and Impact
The final payload is an orchestrator for numerous modules that enable the attackers to exfiltrate sensitive information from infected devices. This includes passwords, photos, and Telegram messages, text messages, contacts, call history, browser data, installed applications, Wi-Fi data and passwords, Apple Health data, calendar and notes, information on connected accounts, and cryptocurrency wallets.
Conclusion and Recommendations
Apple has released patches for all the vulnerabilities targeted by both Coruna and DarkSword. However, hundreds of millions of devices may still be exposed: an estimated 14.2% of users (approximately 221,520,000 devices) are believed to be running iOS versions between 18.4 and 18.6.2 and to remain vulnerable. Users are advised to update to iOS 26.3.1 or 18.7.6, which include patches for all vulnerabilities in the DarkSword exploit kit.
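A fleet triage check built only from the version boundaries the article gives, as an added example that is not code from the article or from iVerify, Google or Lookout; the inventory export format and device records are constructed, and any version the article says nothing about is flagged for review rather than guessed at.

```python
"""Classify iOS versions from an MDM-style inventory against the DarkSword advisory.
Rules (from the article only):
  18.4 .. 18.6.2 inclusive        -> "vulnerable" (estimated exposed population)
  >= 18.7.6 on 18.x, >= 26.3.1 on 26.x -> "patched"
  anything else                   -> "review" (article makes no statement)
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

VULN_LOW: Version = (18, 4, 0)
VULN_HIGH: Version = (18, 6, 2)
PATCHED: Dict[int, Version] = {18: (18, 7, 6), 26: (26, 3, 1)}  # per major line


def parse_version(text: str) -> Version:
    """'18.6.2' -> (18, 6, 2); '18.4' -> (18, 4, 0). Raises ValueError on junk."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad iOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def classify(version: str) -> str:
    v = parse_version(version)
    if VULN_LOW <= v <= VULN_HIGH:
        return "vulnerable"
    fixed = PATCHED.get(v[0])
    if fixed is not None and v >= fixed:
        return "patched"
    return "review"  # e.g. 18.7.2 or 26.2: not in the stated range, not at fix level


# Constructed inventory export (hypothetical data): "<device-id>,<ios-version>"
INVENTORY = """\
dev-001,18.6.2
dev-002,18.7.6
dev-003,26.3.1
dev-004,18.4
dev-005,26.2
dev-006,18.7.2
dev-007,17.7.1
"""


def triage(inventory: str) -> Dict[str, List[str]]:
    """Group device ids by classification; malformed lines land under 'invalid'."""
    out: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "review": [], "invalid": []}
    for line in filter(str.strip, inventory.splitlines()):
        dev, _, ver = line.partition(",")
        try:
            out[classify(ver)].append(dev)
        except ValueError:
            out["invalid"].append(dev)
    return out


if __name__ == "__main__":
    for bucket, devs in triage(INVENTORY).items():
        print(f"{bucket:10s} {len(devs):3d} {devs}")
```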
The discovery of DarkSword highlights the existence of a secondary market for technically sophisticated exploit chains used in stealthy attacks. Because watering-hole attacks abusing compromised legitimate websites are essentially zero-click, defensive training against social engineering is ineffective against them.
