Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Introduction
A new iOS exploit kit called DarkSword has been actively stealing personal data from iPhones since at least November 2025. It targets devices running iOS versions 18.4 through 18.7. The attack requires no action from the victim beyond visiting a compromised website. These apple iphone security changes forced Apple to backport patches to iOS 18. This rare move protects millions of users who chose not to upgrade to iOS 26.
This DarkSword exploit deep dive explains how the attack works. You will learn about the six vulnerabilities it exploits, the three malware families it drops, and Apple’s unusual response.
For the full picture of Apple’s 2026 security overhaul, read our main guide: Apple iPhone Security Changes 2026 .
How Researchers Discovered DarkSword
Researchers at Lookout, Google’s Threat Intelligence Group (GTIG) , and iVerify discovered DarkSword in early 2026. They found the exploit while investigating infrastructure linked to the Coruna exploit chain. Several commercial surveillance vendors and suspected state-sponsored threat actors have used DarkSword to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine.
DarkSword became even more dangerous after its leak on GitHub in March 2026. Consequently, any threat actor can now access the exploit, not just sophisticated spyware vendors. For a timeline of Apple’s response to this threat, see our guide on iOS 18.7.7 Backport Explained .
Technical Breakdown – How DarkSword Works
DarkSword is a full-chain iOS exploit written entirely in JavaScript. The attack chain follows these steps:
- Entry point: The victim visits a legitimate-but-compromised website. This is called a watering hole attack.
- Remote code execution: The exploit uses JavaScriptCore vulnerabilities (CVE-2025-31277, CVE-2025-43529) to run malicious code.
- Sandbox escape: It breaks out of Safari’s WebContent sandbox using a WebGL/ANGLE flaw (CVE-2025-14174).
- Privilege escalation: The exploit uses kernel memory flaws (CVE-2025-43510, CVE-2025-43520) to gain kernel-level access.
- PAC bypass: It evades Apple’s Pointer Authentication Code using a dyld vulnerability (CVE-2026-20700).
- Payload deployment: Finally, it installs GhostBlade, GhostKnife, or GhostSaber malware.
The entire chain executes within seconds to minutes. After that, the exploit deletes temporary files to avoid forensic detection.
The Six Vulnerabilities Exploited by DarkSword
| CVE ID | Component | Type | Patched In |
|---|---|---|---|
| CVE-2025-31277 | JavaScriptCore | JIT optimization / type confusion | iOS 18.6 |
| CVE-2025-43529 | JavaScriptCore | Use-after-free in DFG JIT | iOS 18.7.3, 26.2 |
| CVE-2026-20700 | dyld (Dynamic Linker) | PAC bypass / memory corruption | iOS 26.3 |
| CVE-2025-14174 | ANGLE (WebGL) | Out-of-bounds memory access | iOS 18.7.3, 26.2 |
| CVE-2025-43510 | XNU Kernel | Copy-on-write bug | iOS 18.7.2, 26.1 |
| CVE-2025-43520 | XNU Kernel | Race condition in VFS | iOS 18.7.2, 26.1 |
Apple has patched all six vulnerabilities. Devices running iOS 26.3.1 or later are fully protected. For a deeper look at Apple’s response, read our article on iOS 18.7.7 Security Backport .
Malware Families Deployed by DarkSword
GTIG identified three distinct malware families after a successful DarkSword compromise.
1. GhostBlade – This aggressive JavaScript infostealer steals a wide range of data. For example, it can access cryptocurrency wallet credentials (Coinbase, Binance, Ledger). It also steals browser history, photos, location data, iMessage and WhatsApp messages, email, contacts, and call logs.
2. GhostKnife – This JavaScript backdoor can exfiltrate signed-in accounts, messages, browser data, location history, and audio recordings from the device’s microphone. It communicates using ECDH/AES encryption. Moreover, it deletes crash logs to evade detection.
3. GhostSaber – This JavaScript backdoor supports over 15 command-and-control (C2) commands. These include device enumeration, file exfiltration, arbitrary SQLite query execution, and photo thumbnail uploads.
Who Is Behind DarkSword Attacks?
Multiple threat actors have used DarkSword:
- UNC6748 – This group targeted Saudi Arabian users via a fake Snapchat website (snapshare[.]chat).
- PARS Defense – This Turkish commercial surveillance vendor used DarkSword against targets in Turkey and Malaysia.
- UNC6353 – This suspected Russian espionage group deployed DarkSword in watering hole attacks against Ukrainian websites from December 2025 through March 2026.
DarkSword has a dual-use nature. It serves both espionage and financial theft. The malware targets both state secrets and cryptocurrency wallets. Therefore, the exploit kit has been repurposed for monetary gain.
What Data Does DarkSword Steal?
DarkSword focuses on speed and stealth. It can extract:
- Saved passwords and credentials from iOS Keychain
- Cryptocurrency wallet data (Coinbase, Binance, Ledger)
- Photos, call logs, contacts, and location history
- Browsing history and saved browser data
- WhatsApp, Telegram, iMessage, and email communications
- Apple Health data
After exfiltrating the data, the malware deletes temporary files. Then it terminates execution to minimize forensic traces.
Apple’s Response – iOS 18.7.7 Backport
Apple’s typical policy requires users to upgrade to the latest iOS version to receive security patches. However, DarkSword forced a change. Apple took the rare step of backporting fixes to iOS 18.7.7. This makes the update available to a wide range of devices still running iOS 18.
Apple stated in its security changelog: “We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security protections from web attacks called DarkSword.”
This apple iphone security change marks a significant shift in Apple’s long-standing patching policy. For more on this policy change, see our guide on iOS Update Policy 2026 .
Comparison Table – Vulnerable vs Protected iOS Versions
| iOS Version | DarkSword Vulnerability | Protection Status |
|---|---|---|
| iOS 18.0 – 18.3 | Not affected | ✅ Safe |
| iOS 18.4 – 18.7 (unpatched) | Fully vulnerable | ❌ Update now |
| iOS 18.7.7 | Patched | ✅ Protected |
| iOS 26.0 – 26.3 | Patched | ✅ Protected |
| iOS 26.3.1 | Fully patched | ✅ Protected |
| iOS 15 – 16 | Patched separately (Coruna fixes) | ✅ Protected |
Real‑World Applications of the DarkSword Exploit
- For everyday users: If you have not updated your iPhone in the past few months, your device could become compromised simply by visiting a website.
- For businesses: Employees with unpatched iPhones pose a security risk. DarkSword can steal corporate data and credentials.
- For security researchers: The leak of DarkSword on GitHub has democratized iOS exploit access. Therefore, defenders must assume a broader threat model.
- For Apple: The backporting decision reflects a new reality. Apple can no longer force users to upgrade to the latest OS to receive critical security patches.
FAQ Section
Q1: What is the DarkSword exploit in simple terms?
A: DarkSword is a hacking toolkit that can take over your iPhone just by visiting a malicious website. It works on iPhones running iOS 18.4 through 18.7 and can steal your passwords, photos, messages, and even cryptocurrency wallet data.
Q2: Which iOS versions are vulnerable to DarkSword?
A: iPhones running iOS 18.4 through 18.7 are vulnerable unless they have been updated to iOS 18.7.7 or later. iOS 26 users are already protected. iOS 15–16 users received separate patches.
Q3: How do I know if my iPhone has been hacked by DarkSword?
A: DarkSword is stealthy and deletes its tracks after stealing data. The best way to protect yourself is to update to iOS 18.7.7 or iOS 26.3.1. If you are concerned, enable Lockdown Mode in Settings > Privacy & Security.
Q4: Did Apple fix the DarkSword vulnerabilities?
A: Yes. Apple patched all six vulnerabilities across iOS 18.6, 18.7.2, 18.7.3, 26.1, 26.2, and 26.3. The backported iOS 18.7.7 update brings these fixes to devices still running iOS 18.
Conclusion
The DarkSword exploit represents a new class of iOS threat. It is a full‑chain, JavaScript‑based exploit kit that requires no user interaction beyond visiting a website. Its leak on GitHub democratized access to powerful iPhone hacking tools. Consequently, Apple changed its patching policy. The backported iOS 18.7.7 update protects millions of users who have chosen to stay on iOS 18.
Next step: Learn how Apple expanded its patching policy in response to DarkSword with our guide on iOS 18.7.7 Backport Explained .
