Mallory
1 malware family. Exploits CVEs in the wild.

DarkSword

Also known as: DarkSword

DarkSword is a threat actor observed by GTIG exploiting a multi-stage iOS Safari exploit chain. The chain as reported:

  • Initial remote code execution in Safari’s WebContent process via one of two JavaScriptCore vulnerabilities, selected by iOS version: CVE-2025-31277 against iOS versions prior to 18.6, and CVE-2025-43529 against iOS 18.6 through 18.7.
  • Both paths are chained directly with CVE-2026-20700 in dyld to bypass user-mode Pointer Authentication Codes (PAC) and execute arbitrary code.
  • Two sandbox escapes: CVE-2025-14174 in ANGLE to pivot from Safari’s WebContent sandbox into the GPU process, then CVE-2025-43510 in XNU to pivot from the GPU process into mediaplaybackd.
  • Final stage: CVE-2025-43520, a kernel race condition in XNU’s virtual filesystem (VFS) implementation, used to obtain physical and virtual memory read/write primitives for post-exploitation.

GTIG assessed that a GHOSTBLADE sample was likely developed by DarkSword, based on artifacts indicating a post-exploitation library structure. The sample also contained a reference to an unimplemented function named startSandworm(). No additional aliases or sub-groups are given in the source reporting.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Capital Goods
MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic (4 of 15 tactics, 10 technique cells). ×N marks the number of intelligence reports citing the technique.

TA0001 Initial Access (1 technique)
  • T1189 Drive-by Compromise

TA0002 Execution (3 techniques)
  • T1059 Command and Scripting Interpreter
      • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution ×2
  • T1574 Hijack Execution Flow

TA0004 Privilege Escalation (2 techniques)
  • T1068 Exploitation for Privilege Escalation ×2
  • T1611 Escape to Host ×2

TA0005 Defense Evasion (3 techniques)
  • T1211 Exploitation for Defense Evasion
  • T1574 Hijack Execution Flow
  • T1620 Reflective Code Loading
WEAPONIZED

Associated vulnerabilities

6 CVEs this actor has used in observed campaigns. 6 of them exploited in the wild.

CVE-2025-14174 (Out-of-bounds memory access in ANGLE in Google Chrome on Mac). In the wild. Evidence: 1

This exploit leverages CVE-2025-14174, a vulnerability in ANGLE where parameters were not sufficiently validated in a specific WebGL operation, leading to out-of-bounds memory operations in Safari's GPU process which the DarkSword developers use to execute arbitrary code within the GPU process.

CVE-2025-31277 (Memory corruption in Apple WebKit/JavaScriptCore web content processing). In the wild. Evidence: 1

For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6.

CVE-2025-43510 (Improper locking copy-on-write memory corruption in Apple XNU kernel). In the wild. Evidence: 1

DarkSword uses another sandbox escape exploit, sbx1_main.js, which leverages CVE-2025-43510, a memory management vulnerability in XNU. This is a copy-on-write bug which is exploited to build arbitrary function call primitives in mediaplaybackd.

CVE-2025-43520 (Apple XNU VFS kernel race condition privilege escalation). In the wild. Evidence: 1

This uses CVE-2025-43520, a kernel-mode race condition in XNU's virtual filesystem (VFS) implementation, which can be exploited to build physical and virtual memory read/write primitives.

CVE-2025-43529 (Use-after-free in Apple JavaScriptCore/WebKit leading to arbitrary code execution). In the wild. Evidence: 1

For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG.
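The version windows given for the two JavaScriptCore entry points (CVE-2025-31277 against iOS prior to 18.6, fixed in 18.6; CVE-2025-43529 against iOS 18.6 through 18.7, fixed in 18.7.3 and 26.2) are exactly the kind of data a fleet triage script gets wrong by comparing version strings ("18.10" sorts before "18.7"). The following is an added example and not Mallory's or GTIG's code: it parses an iOS version numerically, reports which JavaScriptCore bug DarkSword was observed using against that version, and lists which of the two CVEs still lack their named fix on the device's release train. The function names, the Exposure record, and the rule that a release train newer than a fixed one inherits the fix are assumptions; the code encodes only the versions named on this page and makes no claim about exploitability beyond them.

```python
"""Added example (not Mallory's or GTIG's code): map an iOS version string to
the DarkSword JavaScriptCore entry point observed against it, using only the
version windows and fix versions stated in the reporting summarised above.
Function names and the Exposure record are assumptions for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fix versions named in the reporting, one per release train that received a fix.
FIX_VERSIONS: Dict[str, List[Version]] = {
    "CVE-2025-31277": [(18, 6, 0)],               # patched in iOS 18.6
    "CVE-2025-43529": [(18, 7, 3), (26, 2, 0)],   # patched in iOS 18.7.3 and 26.2
}


def parse_ios_version(text: str) -> Version:
    """'18.7' -> (18, 7, 0); '18.7.3' -> (18, 7, 3).

    Numeric tuples compare correctly ((18, 10, 0) > (18, 7, 3)); the raw
    strings do not ('18.10' < '18.7'), which is the usual triage bug.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_patched(v: Version, fixes: List[Version]) -> bool:
    """Patch-gap rule against per-train fix versions.

    Prefer the fix shipped on the device's own release train (same major);
    a train older than every fixed train is unpatched. Assumption: a train
    newer than a fixed one (e.g. a hypothetical 19.x after 18.7.3) carries the fix.
    """
    same_train = [f for f in fixes if f[0] == v[0]]
    if same_train:
        return v >= min(same_train)
    return any(f[0] < v[0] for f in fixes)


def observed_jsc_path(v: Version) -> Optional[str]:
    """JavaScriptCore bug DarkSword was observed using against this version,
    per the version windows GTIG reported; None outside those windows."""
    if v < (18, 6, 0):
        return "CVE-2025-31277"      # iOS versions prior to 18.6
    if v < (18, 7, 3):
        return "CVE-2025-43529"      # iOS 18.6 through 18.7 (fix landed in 18.7.3)
    return None


@dataclass(frozen=True)
class Exposure:
    version: str
    observed_jsc_cve: Optional[str]   # entry point seen in the wild for this version
    unpatched: Tuple[str, ...]        # CVEs whose named fix is above this version


def darksword_jsc_exposure(text: str) -> Exposure:
    v = parse_ios_version(text)
    unpatched = tuple(cve for cve, fixes in FIX_VERSIONS.items()
                      if not is_patched(v, fixes))
    return Exposure(text, observed_jsc_path(v), unpatched)


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for ver in ["18.5", "18.7", "18.7.3", "18.10", "26.1", "26.2"]:
        e = darksword_jsc_exposure(ver)
        print(f"iOS {ver:7} observed path: {e.observed_jsc_cve or '-':15} "
              f"unpatched: {', '.join(e.unpatched) or 'none'}")
```

Note the two outputs answer different questions: observed_jsc_cve is what the reporting says DarkSword actually fired against that version, while unpatched is a pure fix-version gap. An iOS 26.1 device therefore shows no observed entry point but still lists CVE-2025-43529 as unpatched, because the page names 26.2 as the fix on that train.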

1 more CVE tied to this actor tracked in Mallory.

ACTIVITY FEED

Recent activity

1 source tracked across advisories and community write-ups. News coverage will land here when it surfaces.

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (8)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (1)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (6)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.