Quick Read
- Google’s Threat Intelligence Group has identified the DarkSword exploit chain, targeting older iOS versions.
- The exploit leverages malicious web content to compromise iPhones, potentially stealing sensitive data.
- Apple has released security updates to address the vulnerabilities, urging users to update their devices.
MOUNTAIN VIEW, California (Azat TV) – Google’s Threat Intelligence Group (GTIG) has disclosed a sophisticated iOS exploit chain, dubbed DarkSword, that has been actively used since late 2025 to compromise iPhones running older versions of the operating system. The attack leverages malicious web content to deliver exploits, potentially stealing sensitive data from affected devices.
DarkSword Exploits Vulnerabilities in Older iOS Versions
The DarkSword exploit chain combines multiple vulnerabilities, including flaws in Apple’s WebKit browser engine, the iOS kernel, and the Dynamic Link Editor. It is designed to bypass security protections, escape the browser sandbox, and gain kernel-level access to deploy malicious payloads. According to GTIG, DarkSword has been observed targeting iPhones running iOS versions from 18.4 to 18.7, with configuration data specifically tuned for these builds. The exploit chain was identified by mobile security company Lookout, which linked it to previously known malicious infrastructure.
Widespread Use and Targeted Attacks
Google’s analysis indicates that DarkSword has been deployed by various threat actors, including commercial surveillance vendors and suspected state-sponsored groups. These actors have used the exploit chain in targeted campaigns against individuals in Ukraine, Saudi Arabia, Turkey, and Malaysia. Watering hole attacks, where attackers compromise websites likely to be visited by specific groups, have been a primary delivery method. Unlike traditional long-term spyware, DarkSword’s dwell time on a device is believed to be very short, measured in minutes rather than days or weeks.
Apple’s Response and User Recommendations
Apple has acknowledged the vulnerabilities and released security updates to address the issues exploited by DarkSword and a related exploit kit, Coruna. Official advisories from Apple and regulatory bodies like the Malaysian Communications and Multimedia Commission (MCMC) strongly urge iPhone users to update their devices to the latest available iOS version. Apple has patched the underlying bugs in stages across various iOS releases, including iOS 18.6, 18.7.2, 18.7.3, 26.1, 26.2, and 26.3. For devices unable to update to the latest versions, Apple recommends enabling Lockdown Mode, which provides advanced protection against such threats.
Payloads and Data Exfiltration
Once DarkSword achieves kernel-level compromise, it can deploy various payloads. One such payload, GHOSTBLADE, is capable of extracting cryptocurrency wallet data, credentials, and other sensitive information from compromised iPhones. The exploit chain’s sophistication lies in its combination of multiple zero-day and known vulnerabilities, which allows attackers to gain full control of the device without further user interaction.
The coordinated disclosure of DarkSword by Google, alongside Apple’s prompt release of security patches, highlights the ongoing cat-and-mouse game between exploit developers and platform security. The active market for zero-day exploits, as demonstrated by the reuse and adaptation of advanced techniques by multiple threat actors, underscores the critical need for continuous vigilance and timely software updates for all users.

