PARS Defense
PARS Defense is identified in the provided content as a Turkish commercial surveillance vendor. Google Threat Intelligence Group linked PARS Defense to DarkSword exploitation activity in Turkey in late November 2025, and later observed DarkSword used in Malaysia by another PARS Defense customer. In these campaigns, PARS Defense deployed the GHOSTSABER backdoor. The content states that GHOSTSABER supports more than 15 command-and-control commands, including device enumeration, file exfiltration, arbitrary SQLite query execution, and photo thumbnail uploads; some capabilities such as audio recording and real-time geolocation appear to rely on follow-on binary modules downloaded at runtime. The Turkey campaign was described as having stronger operational security than UNC6748 activity, including obfuscation of the exploit loader and stages and use of ECDH and AES to encrypt exploits between the server and victim. The activity targeted devices running iOS 18.4 through 18.7 via the DarkSword exploit chain. No additional aliases or sub-groups beyond "pars_defense" / "PARS Defense" are directly provided in the content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇹🇷 Türkiye
Tradecraft
16 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
6 CVEs this actor has used in observed campaigns. 6 of them exploited in the wild.
CVE-2025-14174 sbox0_main_18.4.js , sbx0_main.js Out-of-bounds memory access in WebGL operation ANGLE (GPU process / WebKit) Yes iOS 18.7.3, 26.2
CVE-2025-31277 rce_module.js JIT optimization / type confusion JavaScriptCore (WebKit) No iOS 18.6
CVE-2025-43510 sbx1_main.js Memory management / copy-on-write bug XNU Kernel No iOS 18.7.2, 26.1
CVE-2025-43520 pe_main.js Kernel-mode race condition in VFS implementation XNU Kernel (Virtual Filesystem) No iOS 18.7.2, 26.1
CVE-2025-43529 rce_worker_18.6.js , rce_worker_18.7.js Use-after-free / garbage collection bug in DFG JIT layer JavaScriptCore (WebKit) Yes iOS 18.7.3, 26.2
1 more CVE tied to this actor tracked in Mallory.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Turkish commercial surveillance vendor using the DarkSword iOS exploit chain to deploy GHOSTSABER in surveillance campaigns targeting victims in Turkey and Malaysia.
Turkish commercial surveillance vendor associated with DarkSword activity in Turkey and Malaysia, using the exploit kit with stronger OPSEC and delivering the GHOSTSABER backdoor.
Observed leveraging the DarkSword iOS exploit chain in a campaign in Turkey.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.