DarkSword Malware

Published: May 5, 2026 at 06:42 AM EDT
Source: Schneier on Security

Overview

DarkSword is a sophisticated piece of malware—probably government‑designed—that targets iOS.

Exploit Chain

Google Threat Intelligence Group (GTIG) has identified a new iOS full‑chain exploit that leveraged multiple zero‑day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, the exploit chain is called DarkSword. It supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final‑stage payloads.

Malware Families

GTIG has identified three distinct malware families deployed after a successful DarkSword compromise:

  • GHOSTBLADE
  • GHOSTKNIFE
  • GHOSTSABER

The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering‑hole campaigns.

Campaigns and Actors

Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state‑sponsored actors utilizing DarkSword in distinct campaigns. These actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

Leak and Public Availability

A week after it was identified, a version of DarkSword was leaked onto the internet, where it is being used more broadly.

Mitigation

This news is a month old. Your devices are safe, assuming you patch regularly.
