DarkSword: Mobile Vulnerability Chain Targets Broad Range of iOS Users

Security researchers have identified DarkSword, a sophisticated iOS vulnerability chain affecting iOS versions 18.4 through 18.7. By understanding its deployment methods and dual-use targeting, organizations can better protect their mobile fleets through timely updates and hardened device configuration.

Triage Security Media Team

A newly identified iOS vulnerability chain is currently being utilized by threat actors globally, demonstrating capabilities designed for both intelligence-gathering and financially motivated objectives.

Google, iVerify, and Lookout recently published coordinated research regarding "DarkSword," a vulnerability chain affecting iPhones running iOS versions 18.4 through 18.7. Google's Threat Intelligence Group (GTIG) described it in a technical publication as a "full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices." Since at least November 2025, the chain has been deployed by multiple commercial surveillance vendors and suspected state-sponsored threat actors against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

GTIG analysis shows the deployment sequence utilizes several distinct vulnerabilities to deliver three primary malware families, tracked as Ghostblade, Ghostknife, and Ghostsaber. This discovery follows the recent disclosure of "Coruna," a parallel campaign in which a financially motivated group repurposed commercial surveillance tools to target iOS devices at scale.

The vulnerability chain incorporates the following specific flaws:

  • JavaScriptCore memory corruption (CVE-2025-31277 and CVE-2025-43529)
  • dyld user-mode pointer authentication code bypass (CVE-2026-20700)
  • ANGLE memory corruption (CVE-2025-14174)
  • iOS kernel memory management flaw (CVE-2025-43510)
  • iOS kernel memory corruption (CVE-2025-43520)

At different stages of execution, these vulnerabilities support remote code execution (RCE), sandbox escape, and privilege escalation, culminating in malware delivery.

During a DarkSword intrusion, an affected iPhone user visits a malicious website. In a single click, the complete chain executes to compromise the device, establish kernel privileges, and exfiltrate sensitive data. The malware collects data rapidly—typically within seconds to minutes—before initiating a cleanup sequence to remove itself from the device.

A notable characteristic of DarkSword is its application across different threat profiles. Lookout's research indicates that DarkSword's data collection capabilities specifically target cryptocurrency wallets. "This dual-use approach is an important insight into the threat actor's motives and indicates that they (or possibly a previous user of DarkSword who then passed it on to them) are operating with a motive of monetary gain," the researchers noted.

Pete Luban, field chief information security officer at AttackIQ, observes that there is historical precedent for this behavior; once a sophisticated capability is exposed, it is often repurposed by groups seeking financial return. The formal integration of these dual-use cases into the malware's core process, however, represents a notable shift.

"Defenders need to treat mobile zero-days like enterprise-grade intrusion paths, which includes validating controls continuously and not assuming an intrusion will stay inside the box it's labeled with," Luban states. "'Financial' and 'espionage' are convenient categories, but the same access and tooling can enable both outcomes in the same campaign."

Campaign distribution and threat actor profiles

Google documented a campaign from November 2025 that targeted Saudi Arabian users through a deceptive website masquerading as a secure Snapchat messaging service. Concurrently, GTIG identified DarkSword infrastructure active in Turkey, linking the activity to Turkish surveillance vendor PARS Defense. Another customer of PARS Defense utilized DarkSword to target Malaysian users in January.

Security teams are also tracking UNC6353, a suspected Russian intelligence-gathering group that previously utilized the Coruna chain. This group deployed DarkSword in watering hole campaigns targeting Ukrainian users. Lookout's analysis revealed that despite the actor's intelligence focus, the deployment lacked obfuscation attempts. The researchers also noted that an "analysis of patterns suggests that LLMs were used in the creation of at least some of the implant code."

This lack of operational security (OPSEC) might suggest either limited technical sophistication or, as Lookout hypothesizes, that the code was added before the threat actor acquired the tooling. iVerify's analysis corroborated this, noting that both Coruna and DarkSword were discovered largely due to significant OPSEC failures and careless deployment of offensive iOS capabilities.

Rocky Cole, iVerify's co-founder and chief operating officer, describes this level of operational security as highly unusual for the current threat environment.

"Sometimes you see nation-states use poor OPSEC when they are using low-value tools because they don't want to burn the fancy, highly secretive [command and control]," Cole explains. "And OPSEC slows you down. So sometimes when they want to move quickly, they'll use lower value tools with lower levels of OPSEC. That could be what's happening here given these were largely n-days."

Remediation and long-term mobile security

Apple has addressed all vulnerabilities utilized in the DarkSword chain through software updates. To protect devices and corporate environments, security teams should ensure all iPhone users update to iOS 18.7.6 or iOS 26.3.1. Additionally, users facing an elevated risk profile should evaluate whether Apple's Lockdown Mode is an appropriate configuration for their security needs.
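The practical defender task here is checking a fleet's OS inventory against the version ranges the report gives. The script below is an added example, not code from the article or from Apple, Google, iVerify or Lookout. It assumes the affected window is iOS 18.4 up to but not including the fixed build 18.7.6 (so interim 18.7.x builds count as affected), that 26.3.1 is the fixed build on the iOS 26 line, and that the inventory arrives as `(device_id, ios_version)` pairs, for instance exported from an MDM; the device IDs and versions in `SAMPLE_INVENTORY` are constructed. Versions outside the documented range but below the recommended builds are flagged for review rather than declared vulnerable, since the report does not cover them.

```python
# Added example: triage an iOS version inventory against the DarkSword ranges
# named in the report. Assumptions (not stated verbatim by the article):
#   - affected range is 18.4 <= version < 18.7.6 (18.7.x below the fix counts)
#   - fixed builds are 18.7.6 on the iOS 18 line and 26.3.1 on the iOS 26 line
from typing import Iterable, Tuple, Dict, List

AFFECTED_MIN = (18, 4, 0)   # first version the report names as affected
FIX_IOS18 = (18, 7, 6)      # fixed build on the iOS 18 line (from the report)
FIX_IOS26 = (26, 3, 1)      # fixed build on the iOS 26 line (from the report)


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '18.7' or '18.7.6' into a comparable (major, minor, patch) tuple.

    Missing components are treated as 0, so '18.7' sorts below '18.7.1'.
    Raises ValueError on anything that is not 1-3 dot-separated integers.
    """
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def classify(version: str) -> str:
    """Classify one device's iOS version.

    affected-range        : inside the 18.4 .. <18.7.6 window the report describes
    patched               : at or above the fixed build on its line
    below-affected-range  : older than 18.4 (outside the documented range, still out of date)
    review                : not in the documented range but below a recommended build
                            (e.g. an iOS 26 build older than 26.3.1)
    """
    v = parse_version(version)
    if AFFECTED_MIN <= v < FIX_IOS18:
        return "affected-range"
    if v[0] == 18 and v >= FIX_IOS18:
        return "patched"
    if v[0] == 26 and v >= FIX_IOS26:
        return "patched"
    if v < AFFECTED_MIN:
        return "below-affected-range"
    return "review"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group device IDs by classification so the affected bucket can be pushed
    to an update campaign first. Unparseable versions land in 'unparseable'."""
    report: Dict[str, List[str]] = {
        "affected-range": [], "patched": [], "below-affected-range": [],
        "review": [], "unparseable": [],
    }
    for device_id, ver in inventory:
        try:
            report[classify(ver)].append(device_id)
        except ValueError:
            report["unparseable"].append(device_id)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample inventory; the IDs and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ip-001", "18.7.6"),   # fixed build on the 18 line
    ("ip-002", "18.7"),     # inside the affected window
    ("ip-003", "18.4.1"),   # inside the affected window
    ("ip-004", "26.3.1"),   # fixed build on the 26 line
    ("ip-005", "26.2"),     # below the recommended 26 build, not in the documented range
    ("ip-006", "18.3.2"),   # older than the documented range
    ("ip-007", "unknown"),  # MDM reported no usable version string
]

if __name__ == "__main__":
    for status, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{status:22s} {', '.join(ids) or '-'}")
```

Devices in the `affected-range` bucket are the ones the report says should move to 18.7.6 immediately; the `review` and `below-affected-range` buckets are out of date for other reasons and should be handled by normal patch policy rather than assumed safe.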

Despite the availability of patches, iVerify estimates that over 200 million users may still run vulnerable iOS versions. Matthias Frielingsdorf, co-founder and VP of research at iVerify, notes that delayed update cycles sustain the market for these capabilities.

"Many people are still not adhering to security hygiene best practices, including keeping devices updated with the latest OS," Frielingsdorf says. "The share of users running legacy is large enough for threat actors to target and support a thriving secondary market for n-day exploits. We predicted this exact scenario for some time and unfortunately, it's coming to pass."