DarkSword iOS Exploit Chain Used in Watering-Hole Attacks Against Ukrainians
Researchers from Google, iVerify, and Lookout disclosed DarkSword, a sophisticated iPhone exploit chain delivered through compromised websites to silently infect visitors, with observed targeting focused on Ukraine and additional activity tied to Saudi Arabia, Turkey, and Malaysia. The campaign is linked to suspected Russian operators, including activity tracked as UNC6353, and appears to support both espionage and financial theft, including the theft of saved passwords, text messages, and cryptocurrency wallet data. Reporting also indicates DarkSword is the second major iOS exploit kit recently found in the wild after Coruna, reinforcing concerns that advanced mobile exploitation is becoming more broadly operationalized rather than reserved for narrowly targeted, bespoke use.
Technical analysis shows DarkSword used multiple chained vulnerabilities to achieve full device compromise on older iOS versions, including JavaScriptCore bugs CVE-2025-31277 and CVE-2025-43529 for remote code execution, CVE-2026-20700 as a dyld PAC bypass, and sandbox escapes that pivoted from WebContent to the GPU process and then to mediaplaybackd. The exploit chain relied on first compromising WebKit and then abusing WebGPU/ANGLE-related paths to escape Safari’s sandbox, and Apple patched the flaws across later iOS releases including 18.6, 18.7.3, 26.2, and 26.3. Researchers warned that a substantial installed base of devices running iOS 18 or earlier remained exposed at the time of disclosure, making DarkSword notable both for its technical sophistication and for the scale of potentially vulnerable iPhones.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Apple releases iOS 18.7.7 and iPadOS 18.7.7 for DarkSword
On 2026-04-01, Apple issued iOS 18.7.7 and iPadOS 18.7.7 to protect older devices that had not upgraded to iOS 26 from the DarkSword exploit chain. Apple said devices already running iOS 26 were protected and expanded the iOS 18 fix so more legacy devices could receive it automatically.
Working DarkSword exploit kit leaks on GitHub
By 2026-03-24, researchers warned that a functional DarkSword exploit kit had been leaked on GitHub. The leak was described as an escalation that could let lower-skilled attackers launch DarkSword attacks at scale against still-vulnerable iPhones and iPads.
CISA orders federal agencies to patch DarkSword iOS flaws
On 2026-03-23, CISA added three DarkSword-linked iOS vulnerabilities to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to remediate them by 2026-04-03 under Binding Operational Directive 22-01. The directive followed public reporting that the flaws were actively exploited in DarkSword attacks.
Researchers publicly disclose DarkSword and technical analysis
On March 18, 2026, Google, Lookout, and iVerify publicly disclosed DarkSword, describing a full-chain Safari-based iOS exploit and associated malware families GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Their reports detailed the six-vulnerability chain, links to Coruna-related infrastructure, and attribution to multiple threat actors including UNC6353.
Google adds DarkSword delivery domains to Safe Browsing
After identifying the campaign infrastructure, Google added DarkSword delivery domains to Safe Browsing to help block access to malicious exploit sites. This was part of the defensive response alongside vulnerability disclosure to Apple.
Apple issues March 11 iOS 15 and 16 updates against Coruna and DarkSword
On 2026-03-11, Apple released security updates for supported iOS 15 and 16 devices and warned users that outdated iPhones remained vulnerable to the Coruna and DarkSword exploit kits. Apple said fully updated supported devices are protected and that Lockdown Mode can block these attacks even on older systems.
Apple rolls out patches for DarkSword exploit chain
Apple patched the vulnerabilities used by DarkSword across a series of iOS updates released from late 2025 through February 2026, with complete remediation available by iOS 26.3 and corresponding iOS 18 security updates. The fixes covered the six-flaw chain used for remote code execution, sandbox escape, PAC bypass, and kernel compromise.
DarkSword observed in campaigns beyond Ukraine
Researchers observed DarkSword used by multiple actors against targets in Saudi Arabia, Turkey, and Malaysia in addition to Ukraine. Reported operators included UNC6748 and customers of Turkish surveillance vendor PARS Defense.
UNC6353 starts DarkSword watering-hole attacks on Ukrainians
Beginning in December 2025, suspected Russian-linked actor UNC6353 used compromised Ukrainian websites to deliver DarkSword to visitors, selectively targeting Ukrainian users. The campaign focused on rapid data theft from iPhones rather than persistent surveillance.
Google reports DarkSword vulnerabilities to Apple
Google Threat Intelligence Group said it reported the vulnerabilities used in DarkSword to Apple in late 2025. This disclosure started Apple's remediation process for the exploit chain.
DarkSword exploitation begins against vulnerable iPhones
Researchers said the DarkSword iOS exploit kit has been used since at least November 2025 against iPhones running affected iOS 18 versions. The framework was used by multiple actors and enabled rapid theft of sensitive data, including credentials and cryptocurrency wallet information.
Sources
50 references tracked.
You Need to Download This iOS 18 Update ASAP if You Aren't on iOS 26 - CNET
cnet.com
Apple Breaks Precedent, Patches DarkSword for iOS 18
darkreading.com
Apple backports security for Liquid Glass haters - Boing Boing
boingboing.net
Apple expands updates to iOS 18 devices affected by DarkSword exploit | news | SC Media
scworld.com
DarkSword, la herramienta que puede hackear cientos de millones de iPhones con sólo visitar una web | Tecnología
elmundo.es
Russia-linked hackers use advanced iPhone exploit to target Ukrainians | The Record from Recorded Future News
therecord.media
Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
iverify.io
Attackers Wielding DarkSword Threaten iOS Users | Threat Intel
lookout.com


