DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike
A sophisticated iOS exploit chain called DarkSword leverages six zero-day and n-day vulnerabilities to fully compromise iPhones running iOS 18.4–18.7 in a single click. Discovered by Google GTIG, iVerify, and Lookout, it has been used since at least November 2025 by commercial surveillance vendors and suspected state-sponsored actors targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. Unusually, DarkSword serves both espionage and financially motivated attackers, including cryptocurrency wallet theft. Three malware families (Ghostblade, Ghostknife, Ghostsaber) are deployed depending on the campaign. A suspected Russian group (UNC6353) used it in watering hole attacks against Ukrainian users, with evidence suggesting LLMs aided implant code creation. Poor operational security led to the chain's discovery. Apple has patched all vulnerabilities in iOS 18.7.6 and iOS 26.3.1, but iVerify estimates over 200 million users remain unpatched.