iOS Vulnerability Exposed: Researchers Uncover New Exploit Kit

Researchers Uncover DarkSword, a Powerful iOS Exploit Kit

A recently discovered iPhone hacking toolkit, dubbed DarkSword, has been used to compromise devices by exploiting zero-day iOS vulnerabilities since November 2025. This powerful exploit kit was uncovered by Google researchers, who revealed that it has been leveraged in various attack campaigns tied to several threat actors, including suspected Russian state-sponsored groups.

DarkSword Exploits Multiple iOS Vulnerabilities

The DarkSword exploit kit chains six vulnerabilities to achieve remote code execution on vulnerable iPhones and deploy malicious payloads. Three of these vulnerabilities are flaws in WebKit, the browser engine used by Apple’s Safari browser and all web browsers on iOS and iPadOS. Two are in the iOS (and macOS) kernel, and one is in the Dynamic Link Editor component of Apple’s operating systems.

Apple has since fixed these vulnerabilities in various iOS updates, including:

  • CVE-2025-31277 (WebKit) in iOS 18.6 (July 2025)
  • CVE-2025-43510 and CVE-2025-43520 (kernel) in iOS 26.1 and 18.7.2 (November 2025)
  • CVE-2025-43529 and CVE-2025-14174 (WebKit) in iOS 26.2 and 18.7.3 (December 2025)
  • CVE-2026-20700 (dyld) in iOS 26.3 (February 2026)

How DarkSword Works

DarkSword is a complete exploit chain and infostealer written in JavaScript. It leverages multiple vulnerabilities to establish privileged code execution, allowing it to access sensitive information and exfiltrate it from the device. The kill chain begins with Safari encountering a malicious iframe embedded in a web page. Once loaded, DarkSword breaks out of the WebContent sandbox and then leverages WebGPU to inject into mediaplaybackd. From there, it can craft kernel read/write access, which it uses to gain access to privileged processes and modify sandbox restrictions, ultimately gaining access to restricted parts of the filesystem.

After gaining deeper access to the device, the malware runs a main script that coordinates several smaller malicious components, which collect sensitive data like passwords, encryption keys, and files, and store them temporarily on the device before sending them to a remote server controlled by the attackers.

Google researchers spotted DarkSword being used by UNC6748 to target Saudi Arabian users via a Snapchat-themed website in November 2025. In November 2025 and January 2026, they uncovered evidence of DarkSword being used in two campaigns associated with different PARS Defense customers, targeting users in Turkey and Malaysia. UNC6353, previously observed using Coruna, also targeted Ukrainian users with DarkSword and a backdoor (GHOSTBLADE) that collected a wide variety of information about the device, installed apps, accounts, location history, photos, calendar entries, notes, cryptocurrency wallet and account data, Safari history, and more.

Mitigation and Recommendations

The concern is that other cybercriminals might obtain the DarkSword toolkit and use it against a larger pool of iOS users. To mitigate this risk, users are strongly advised to update to iOS 18.7.6 or iOS 26.3.1, which patch all vulnerabilities exploited in these attack chains. For users who cannot update to either of these versions, Google researchers recommend enabling Lockdown Mode for enhanced security.
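The fix list above spans two release branches (18.x and 26.x), and the recommended minimum for the 26 branch (26.3.1) is higher than the last per-CVE fix release the article names (26.3), so a fleet check has to compare within the right branch and treat the recommended minimum, not the per-CVE list, as the patched threshold. The following is an added example of such a triage routine for an inventory export of device OS versions; it is not code from the article or from Google's researchers. Fix versions are those listed above, with two labelled assumptions: CVE-2025-31277 is treated as fixed in every 26.x release (its July 2025 fix predates the 26 branch), and CVE-2026-20700 is treated as fixed on the 18 branch at 18.7.6 (the article states 18.7.6 patches the full chain but does not name the 18.x release that fixed this CVE). The sample inventory is constructed.

```python
"""Triage iOS versions against the DarkSword fix list (added example, not the article's code)."""
from dataclasses import dataclass, field

# Recommended minimum versions named in the article; anything below these on its
# own release branch is missing at least one DarkSword fix.
RECOMMENDED_MINIMUM = {18: (18, 7, 6), 26: (26, 3, 1)}

# (CVE, component, fix on the 18.x branch, fix on the 26.x branch).
# Versions are as stated in the article, except two labelled assumptions:
#  - CVE-2025-31277 on 26.x: 26.0 (the July 2025 fix predates every 26.x release)
#  - CVE-2026-20700 on 18.x: 18.7.6 (the article says 18.7.6 patches the full chain
#    but does not name the 18.x release that fixed this CVE)
FIXES = [
    ("CVE-2025-31277", "WebKit", (18, 6), (26, 0)),
    ("CVE-2025-43510", "kernel", (18, 7, 2), (26, 1)),
    ("CVE-2025-43520", "kernel", (18, 7, 2), (26, 1)),
    ("CVE-2025-43529", "WebKit", (18, 7, 3), (26, 2)),
    ("CVE-2025-14174", "WebKit", (18, 7, 3), (26, 2)),
    ("CVE-2026-20700", "dyld", (18, 7, 6), (26, 3)),
]


def parse_version(text):
    """'18.7.2' -> (18, 7, 2); '26.1' -> (26, 1). Rejects non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(have, want):
    """Component-wise comparison; missing components count as 0, so 26.1 == 26.1.0."""
    width = max(len(have), len(want))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) >= pad(want)


@dataclass
class Triage:
    version: str
    branch_known: bool      # False for a branch the article gives no fix release for
    meets_minimum: bool     # at or above the article's recommended minimum
    missing_cves: list = field(default_factory=list)


def triage_device(version_text):
    """Report which listed fixes a device lacks and whether it meets the recommended minimum."""
    have = parse_version(version_text)
    major = have[0]
    if major not in RECOMMENDED_MINIMUM:
        # e.g. a 17.x device: no fixed release is named for it, so it cannot be shown patched.
        return Triage(version_text, False, False, [cve for cve, *_ in FIXES])
    idx = 2 if major == 18 else 3          # pick the fix column for this branch
    missing = [f[0] for f in FIXES if not version_at_least(have, f[idx])]
    meets = version_at_least(have, RECOMMENDED_MINIMUM[major])
    # Note: 26.3 has every listed per-CVE fix yet is below the recommended 26.3.1,
    # so meets_minimum is the authoritative "patched" signal, not an empty missing list.
    return Triage(version_text, True, meets, missing)


def triage_fleet(versions):
    """Map each distinct version in an inventory export to its triage result."""
    return {v: triage_device(v) for v in sorted(set(versions))}


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = ["18.7.2", "18.7.6", "26.1", "26.3", "26.3.1", "17.7"]

if __name__ == "__main__":
    for version, result in triage_fleet(SAMPLE_INVENTORY).items():
        status = "patched" if result.meets_minimum else "UPDATE"
        print(f"{version:>8}  {status:8} missing: {', '.join(result.missing_cves) or 'none'}")
```

Run against an MDM export, the `UPDATE` rows are the devices to chase first; a device on 26.3 shows no missing CVE from the list but is still flagged because the article's recommended floor is 26.3.1.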
