DarkSword iOS Exploit Uncovered: Threatens iPhone Users’ Personal Data Across Multiple Nations

DarkSword: The Sophisticated iOS Exploit Targeting iPhone Users’ Personal Data

A newly identified iOS exploit kit, known as DarkSword, has been actively used by several commercial surveillance vendors and state-sponsored threat actors since at least November 2025. This advanced exploit chain targets iPhone users across multiple countries, including Saudi Arabia, Turkey, Malaysia, and Ukraine, with the aim of stealing sensitive personal data.

Overview of DarkSword Exploit Chain

DarkSword is a comprehensive exploit chain that combines six distinct vulnerabilities, four of which were zero-days at the time of their discovery. This chain enables attackers to achieve full device compromise on iPhones running iOS versions 18.4 through 18.7. Notably, the chain operates entirely within JavaScript. Apple’s Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM) mitigations are designed to prevent the execution of unsigned native binary code; because DarkSword never needs to run such code, it sidesteps these protections rather than defeating them head-on.

Detailed Breakdown of the Exploit Chain

The DarkSword exploit chain progresses through several stages, each targeting specific components of the iOS system:

1. Remote Code Execution (RCE) in JavaScriptCore: The initial stage exploits vulnerabilities in JavaScriptCore, Apple’s JavaScript engine used in Safari and WebKit. This allows attackers to execute arbitrary code remotely.

2. Sandbox Escapes: Following the RCE, the exploit chain includes two stages that escape the application sandbox, granting the attacker broader access to the system.

3. Local Privilege Escalation: This stage elevates the attacker’s privileges within the device, moving from user-level access to higher system-level permissions.

4. Kernel-Level Compromise: The final stage involves deploying a payload that provides full kernel-level privileges, effectively giving the attacker complete control over the device.

Specific Vulnerabilities Exploited

The DarkSword exploit chain leverages the following vulnerabilities:

– CVE-2025-31277: A Just-In-Time (JIT) optimization and type confusion issue in JavaScriptCore, allowing for remote code execution.

– CVE-2025-43529: A use-after-free vulnerability in the DFG JIT layer of JavaScriptCore, also facilitating remote code execution.

– CVE-2026-20700: A Pointer Authentication Code (PAC) bypass in Apple’s dynamic linker (`dyld`), enabling attackers to circumvent security measures.

– CVE-2025-14174: An out-of-bounds memory access issue in WebGL operations within the ANGLE component, used for sandbox escape.

– CVE-2025-43510: A memory management flaw in the XNU kernel, exploited for further sandbox escape.

– CVE-2025-43520: A race condition in the Virtual Filesystem (VFS) implementation of the XNU kernel, used for local privilege escalation.

Post-Exploitation Malware Families

Upon successful exploitation, DarkSword deploys various malware families tailored to the specific objectives of the threat actors:

– GHOSTKNIFE: Utilized by threat cluster UNC6748, this JavaScript backdoor exfiltrates signed-in accounts, messages, browser data, location history, and audio recordings. It communicates with its command-and-control (C2) server using encrypted protocols and actively deletes crash logs to evade detection.

– GHOSTSABER: Deployed by Turkish surveillance vendor PARS Defense, this malware supports over 15 C2 commands, including device enumeration, file exfiltration, and execution of arbitrary SQLite queries. Some commands, such as audio recording and real-time geolocation, suggest the potential for additional binary modules downloaded at runtime.

– GHOSTBLADE: Attributed to suspected Russian espionage actor UNC6353, this comprehensive data miner exfiltrates iMessages, Telegram and WhatsApp data, cryptocurrency wallet information, Safari history and cookies, Health databases, device keychains, location history, and saved Wi-Fi passwords.

Implications and Recommendations

The deployment of DarkSword underscores the evolving sophistication of cyber threats targeting iOS devices. The ability to chain multiple vulnerabilities, including zero-days, to achieve full device compromise highlights the need for continuous vigilance and prompt patching.

Recommendations for Users:

– Update Devices Promptly: Ensure that your iOS devices are updated to the latest version, as Apple has released patches addressing these vulnerabilities.

– Be Cautious with Links and Attachments: Avoid clicking on suspicious links or opening unknown attachments, as these can be vectors for exploitation.

– Monitor for Unusual Activity: Stay alert to any unusual behavior on your device, such as unexpected crashes or unfamiliar applications.

Recommendations for Organizations:

– Implement Security Training: Educate employees about the risks of phishing and other social engineering attacks that can lead to exploitation.

– Deploy Endpoint Protection: Utilize endpoint detection and response solutions to identify and mitigate potential threats.

– Conduct Regular Security Audits: Regularly assess your organization’s security posture to identify and address vulnerabilities proactively.
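A practical starting point for the audit and patching recommendations above is a fleet check that flags every managed device still reporting an iOS version in the affected 18.4 through 18.7 range. The script below is an added example, not code from the article or from any vendor it mentions. It assumes an MDM inventory exported as CSV with `device_id` and `os_version` columns (a hypothetical layout), and it treats any build with major version 18 and minor version 4 to 7 as affected; confirm the exact fixed build numbers against Apple’s advisory before acting on the result, since a patched point release may share a minor version with an affected one.

```python
"""Flag iOS devices in the DarkSword-affected version range (18.4 - 18.7)
from an MDM inventory export.

Assumptions (not from the article): the inventory is a CSV with columns
device_id and os_version, and a device counts as affected when its major
version is 18 and its minor version is between 4 and 7 inclusive.
"""
import csv
import io
import re
from typing import Dict, List, NamedTuple, Optional

AFFECTED_MAJOR = 18
AFFECTED_MINOR_RANGE = range(4, 8)  # iOS 18.4 .. 18.7 inclusive

# Accepts "18.6", "18.7.1" or "iOS 18.4"; anything else is treated as unknown.
_VERSION_RE = re.compile(r"^\s*(?:iOS\s+)?(\d+)\.(\d+)(?:\.(\d+))?\s*$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_ios_version(text: str) -> Optional[Version]:
    """Parse an iOS version string into a Version tuple.

    Returns None when the string does not look like an iOS version so the
    caller can report it instead of silently treating the device as safe.
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return Version(int(major), int(minor), int(patch))


def is_affected(version: Version) -> bool:
    """True when the version falls inside the range the article names."""
    return version.major == AFFECTED_MAJOR and version.minor in AFFECTED_MINOR_RANGE


def triage_inventory(csv_text: str) -> Dict[str, List[str]]:
    """Bucket device ids into affected, clear and unknown (unparseable)."""
    result: Dict[str, List[str]] = {"affected": [], "clear": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        device_id = (row.get("device_id") or "").strip()
        version = parse_ios_version(row.get("os_version") or "")
        if version is None:
            result["unknown"].append(device_id)
        elif is_affected(version):
            result["affected"].append(device_id)
        else:
            result["clear"].append(device_id)
    return result


# Constructed sample inventory; the device ids and versions are made up.
SAMPLE_INVENTORY = """device_id,os_version
ipad-001,18.3.2
iphone-002,18.4
iphone-003,iOS 18.6.1
iphone-004,18.7
iphone-005,26.0
iphone-006,unknown
"""

if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY)
    for bucket, ids in report.items():
        print(f"{bucket}: {', '.join(ids) if ids else '-'}")
```

Devices in the `unknown` bucket deserve a manual look rather than being ignored: a device that cannot report a sane version string is itself a sign that inventory data is stale or that the MDM agent is not functioning.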

By understanding the mechanisms and implications of the DarkSword exploit, users and organizations can take informed steps to protect their devices and sensitive information from such sophisticated cyber threats.