The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
Summary:
The Google Threat Intelligence Group (GTIG) has identified DarkSword, a highly sophisticated iOS full-chain exploit utilizing six vulnerabilities to fully compromise devices running iOS versions 18.4 through 18.7. Active since at least November 2025, the exploit chain has been adopted by multiple distinct threat actors, including commercial surveillance vendors like PARS Defense and suspected state-sponsored groups such as UNC6353 and UNC6748. These actors have successfully deployed DarkSword against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The widespread proliferation of this single exploit chain signifies a concerning trend regarding the commoditization of advanced mobile surveillance capabilities. Apple patched all underlying vulnerabilities associated with DarkSword with the release of iOS 26.3.
Security Officer Comments:
GTIG observed DarkSword campaigns beginning in early November 2025. DarkSword leverages six vulnerabilities to bypass sandbox restrictions and achieve full compromise with kernel privileges, three of which were exploited as zero-days. The threat cluster UNC6748 targeted Saudi Arabian users via a Snapchat-themed decoy website (snapshare[.]chat), utilizing obfuscated JavaScript to load subsequent exploit stages. To avoid reinfection, the actors checked a specific session storage key ("uid") and redirected already-processed victims to the legitimate Snapchat website to mask the malicious activity. In late November 2025 and January 2026, PARS Defense utilized DarkSword in Turkey and Malaysia with improved operational security, including encrypted payloads and device fingerprinting. Additionally, UNC6353, a suspected Russian espionage group, incorporated DarkSword into their watering hole campaigns.
The DarkSword infection chain operates in JavaScript, bridging native APIs and IPC channels to execute its payload. This pure JavaScript approach eliminates the need to identify vulnerabilities for bypassing iOS exploit mitigations, such as Page Protection Layer (PPL) or Secure Page Table Monitor (SPTM), which restrict unsigned binary execution. The initial exploit loader manages Web Worker objects for remote code execution exploits, with logic either split across contexts using postMessage or fully contained within the worker itself.
Threat actors employed several notable tactics to ensure operational security and successful exploitation. Attackers utilized the "uid" session storage key to track infections and fingerprint devices. UNC6748 implemented the x-safari-https protocol handler to force the exploit page to open in Safari if a target attempted to access the landing page using Chrome, likely indicating the lack of a Chrome exploit chain. PARS Defense utilized ECDH and AES to encrypt exploits in transit between the server and the victim.
Following a successful exploit, actors deploy one of three distinct JavaScript-based malware families:
- GHOSTKNIFE: Deployed by UNC6748. A backdoor that exfiltrates signed-in accounts, messages, browser data, and audio recordings. It uses a custom binary protocol over HTTP encrypted with ECDH and AES. It writes files to disk under randomly generated UUID directories in /tmp/ and periodically erases system crash logs to avoid detection.
- GHOSTBLADE: Deployed by UNC6353 (suspected Russian espionage group). A dataminer that collects identity tokens, communications databases, cryptocurrency wallet data, and location history. It operates less continuously than GHOSTKNIFE but also actively deletes crash reports, specifically targeting the /…/systemgroup.com.apple.osanalytics/DiagnosticReports/ directory.
- GHOSTSABER: Deployed in PARS Defense (Turkish commercial surveillance vendor) campaigns in Turkey and Malaysia as a final backdoor payload.
Suggested Corrections:
Actionable Suggested Corrections
- Update all iOS devices to version 26.3 or the latest available version to patch the six vulnerabilities leveraged by the DarkSword chain.
- Enable iOS Lockdown Mode for targeted or high-risk users if immediate device updates are not possible.
- Block access to the known malicious domain snapshare[.]chat at the network perimeter.
- Investigate iOS devices for anomalous directory structures, specifically randomized UUID folders stored within the /tmp/ directory.
- Monitor for the unexpected deletion of crash logs within the CrashReporter and DiagnosticReports system directories.
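The domain block and the two host-based checks above (UUID-named folders under /tmp/, and unexpected removal of crash reports from the DiagnosticReports directory described for GHOSTKNIFE and GHOSTBLADE) can be scripted as a simple triage pass. The following Python helper is an added example, not code from the GTIG post or a GTIG tool; it runs over constructed inputs only: a file listing such as one extracted from a device backup or sysdiagnose, proxy log lines, and two snapshots of a crash-report directory listing. The domain, the /tmp/ UUID pattern and the DiagnosticReports directory name come from the report; the sample data, the `/placeholder-root/` prefix (the page elides that part of the path), the `.ips` file names and all function names are assumptions.

```python
import re
from typing import Iterable, List

# Version-4-style UUID directory name; GHOSTKNIFE is reported to write files
# under randomly generated UUID directories in /tmp/.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Delivery domain named in the report (defanging removed so it can be matched).
KNOWN_BAD_DOMAINS = {"snapshare.chat"}

# Directory the report names for crash-log deletion; the leading path is
# elided on the page, so only the trailing component is matched here.
CRASH_REPORT_MARKER = "/DiagnosticReports/"

# Extracts the host from a URL in a proxy log line.
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

# --- constructed sample inputs (not real device or network data) ---
SAMPLE_PATHS = [
    "/tmp/3f2b9c1e-8d4a-4b7e-9a1f-2c3d4e5f6a7b/",
    "/tmp/3f2b9c1e-8d4a-4b7e-9a1f-2c3d4e5f6a7b/out.db",
    "/tmp/com.apple.example/cache",
    "/var/tmp/not-a-uuid",
]
SAMPLE_PROXY_LOG = [
    "2025-11-12T10:03:11Z 10.0.0.5 GET https://snapshare.chat/share?x=1 200",
    "2025-11-12T10:03:12Z 10.0.0.5 GET https://www.snapchat.com/ 200",
    "2025-11-12T10:04:40Z 10.0.0.9 GET https://cdn.snapshare.chat/a.js 200",
]
# "/placeholder-root/" stands in for the elided part of the path on the page.
SNAPSHOT_BEFORE = [
    "/placeholder-root/systemgroup.com.apple.osanalytics/DiagnosticReports/a.ips",
    "/placeholder-root/systemgroup.com.apple.osanalytics/DiagnosticReports/b.ips",
    "/placeholder-root/systemgroup.com.apple.osanalytics/DiagnosticReports/c.ips",
    "/placeholder-root/Other/keep.txt",
]
SNAPSHOT_AFTER = [
    "/placeholder-root/systemgroup.com.apple.osanalytics/DiagnosticReports/a.ips",
    "/placeholder-root/Other/keep.txt",
]


def find_uuid_tmp_dirs(paths: Iterable[str]) -> List[str]:
    """Return /tmp/<uuid> directories seen in a file listing (deduplicated, sorted)."""
    hits = set()
    for p in paths:
        parts = p.split("/")
        # Absolute path: parts[0] == '' and parts[1] == 'tmp'; parts[2] is the child name.
        if len(parts) >= 3 and parts[0] == "" and parts[1] == "tmp" and UUID_RE.match(parts[2]):
            hits.add("/tmp/" + parts[2])
    return sorted(hits)


def find_bad_domain_hits(log_lines: Iterable[str]) -> List[str]:
    """Return proxy log lines whose host is a known-bad domain or a subdomain of one."""
    hits = []
    for line in log_lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
            hits.append(line)
    return hits


def find_removed_crash_reports(before: Iterable[str], after: Iterable[str]) -> List[str]:
    """Return crash-report files present in the earlier snapshot but missing from the later one."""
    removed = set(before) - set(after)
    return sorted(p for p in removed if CRASH_REPORT_MARKER in p)


if __name__ == "__main__":
    print("UUID dirs under /tmp/:", find_uuid_tmp_dirs(SAMPLE_PATHS))
    print("Known-bad domain hits:", find_bad_domain_hits(SAMPLE_PROXY_LOG))
    print("Removed crash reports:", find_removed_crash_reports(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

The crash-report check only works if a baseline listing was captured earlier (for example from a prior backup), so it is a comparison, not a live monitor; the domain match also catches subdomains, which matters because the report notes that PARS Defense and UNC6748 varied their delivery infrastructure.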
General Best Practices
- Ensure domains involved in exploit delivery are continually added to and blocked via Safe Browsing integrations.
- Enforce strict Mobile Device Management (MDM) policies to mandate timely OS updates across enterprise environments.
- Educate high-risk users on the dangers of sophisticated watering hole attacks and application-themed decoy websites masquerading as legitimate services.
A list of IOCs is available in the blog post.
Link(s):
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain