Key Highlights
- DarkSword exploits iOS flaws to fully compromise devices, targeting users worldwide.
- Malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER steal data and monitor activity.
- Visiting a compromised site can trigger full device control without any user action.
A new iOS exploit dubbed DarkSword is actively targeting users worldwide, putting crypto assets and personal data at immediate risk. The attack leverages multiple zero-day vulnerabilities in iOS versions 18.4 through 18.7, delivering full device compromise without any user interaction.
According to Charles Guillemet, CTO at Ledger, DarkSword is “already deployed at scale via watering-hole attacks” and has affected users in Ukraine, Saudi Arabia, Turkey, and Malaysia. One visit to a compromised website can trigger full surveillance, data exfiltration, and total device control. This marks a shift from rare, targeted exploits to industrialized, mass-level attacks.
The CTO also highlighted that this emerges just days after Google’s March 3, 2026 disclosure of Coruna—a leaked nation-state kit exploiting 23 flaws across iOS 13-17.2.1, which compromised thousands through similar web lures.
Google’s Threat Intelligence Group (GTIG) confirmed in a blog post that DarkSword has been around since November 2025 and is being used by commercial surveillance providers and state-sponsored actors.
According to GTIG, the exploit chain delivers several malware families, including GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
Each family harvests different types of data, ranging from messages and browser history to microphone recordings. In addition, the exploit chain fully bypasses iOS security layers, including the WebContent and GPU sandbox protections.
How DarkSword works
DarkSword takes advantage of six separate weaknesses in iOS to take over a device. It starts by exploiting Safari’s JavaScript engine to run malicious code. Older iPhones are hit through one flaw, while newer models are hit through another, and both are combined with a method to bypass Apple’s security checks.
This gives attackers deep access to the device’s core system. From there, the exploit breaks out of Safari’s restricted environment and moves into higher-level system processes, letting it run the final malware.
Finally, it escalates privileges to gain full control of the phone. Remarkably, the entire attack runs through JavaScript, so attackers don’t need to install any unsigned apps or files.
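For a defender, the first actionable fact in the article is the affected range (iOS 18.4 through 18.7). The script below is an added example, not code from the article, Google, or Ledger: it parses version strings from a device inventory and flags those that fall inside that range, so that an administrator can prioritise updates. The inventory is constructed, the `parse_version`, `in_range` and `flag_devices` names are the example's own, and treating patch releases such as 18.7.1 as inside the range (the article cites only major.minor versions) is an assumption.

```python
"""Flag devices in an inventory whose iOS version falls in the range the
article cites (18.4 through 18.7). Added example; names and inventory are
constructed, and the patch-release handling is an assumption."""

from typing import Dict, List, Tuple

# Range from the article, inclusive at both ends.
AFFECTED_LOW = "18.4"
AFFECTED_HIGH = "18.7"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.7.1' (or 'iOS 18.7.1') into the tuple (18, 7, 1)."""
    text = version.strip()
    if text.lower().startswith("ios"):
        text = text[3:].strip()
    return tuple(int(part) for part in text.split("."))


def major_minor(version: str) -> Tuple[int, int]:
    """Reduce a version to (major, minor), padding a bare '18' to (18, 0)."""
    parts = parse_version(version) + (0, 0)
    return (parts[0], parts[1])


def in_range(version: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> bool:
    """Inclusive check on major.minor only.

    Assumption: the article names only major.minor versions, so a patch
    release inside a named minor (e.g. 18.7.1) is treated as affected."""
    return major_minor(low) <= major_minor(version) <= major_minor(high)


# Constructed inventory for the demonstration, not real devices.
INVENTORY: List[Dict[str, str]] = [
    {"id": "dev-01", "os": "18.3.2"},      # below the range
    {"id": "dev-02", "os": "18.4"},        # lower bound, affected
    {"id": "dev-03", "os": "iOS 18.6.2"},  # inside the range, with prefix
    {"id": "dev-04", "os": "18.7.1"},      # patch release, treated as affected
    {"id": "dev-05", "os": "26.1"},        # above the range
]


def flag_devices(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the ids of devices whose OS version is in the affected range."""
    return [device["id"] for device in inventory if in_range(device["os"])]


if __name__ == "__main__":
    for device_id in flag_devices(INVENTORY):
        print(f"{device_id}: iOS version in affected range, prioritise update")
```

The check deliberately ignores the patch component rather than comparing full version tuples, because the article gives no patch-level boundary; if a vendor advisory later names a fixed patch release, `in_range` can be tightened to compare the full tuple against that bound.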
Targeted campaigns and malware families
Several groups have been adapting DarkSword for their own attacks. UNC6748 targeted users in Saudi Arabia through fake Snapchat websites, using GHOSTKNIFE to steal accounts and monitor activity. PARS Defense focused on users in Turkey and Malaysia, deploying GHOSTSABER along with encrypted exploits and tools to track devices.
Meanwhile, UNC6353, believed to be linked to Russian espionage, went after Ukrainian websites with GHOSTBLADE, a tool designed to collect data. While GHOSTBLADE doesn’t maintain ongoing access, it still deletes crash logs to hide its presence.
Experts warn that DarkSword marks a new level of iOS threats. Unlike older attacks, it can compromise anyone who visits legitimate websites. Therefore, users should assume their devices could be at risk and exercise extreme caution at all times.