A new iOS exploit kit named DarkSword has been used since at least November 2025 to steal sensitive data from iPhones running iOS 18.4 through 18.7, according to a technical analysis by Google Threat Intelligence Group.
KEY FACTS
- Incident: DarkSword exploit kit used in multiple campaigns since November 2025
- Targets: iPhones running iOS 18.4 to 18.7
- Exploits: Chain uses six vulnerabilities, including three zero days
- Impact: Designed to exfiltrate emails, messages, contacts, crypto wallet data and other files
The report links the kit to multiple commercial surveillance vendors and suspected state actors that used watering hole attacks against users in Saudi Arabia, Turkey, Malaysia and Ukraine. Activity attributed to groups named UNC6353 and UNC6748 and to a vendor labelled PARS Defense was observed in late 2025.
The chain exploits six vulnerabilities to deploy three payloads. Three of them, CVE-2026-20700, CVE-2025-43529 and CVE-2025-14174, were used as zero days before patches. The exploit escapes Safari’s WebContent sandbox by pivoting through the GPU process into mediaplaybackd and then uses a kernel flaw to gain high privileges.
The intruder loads a dataminer named GHOSTBLADE and supporting modules that harvest emails, iCloud files, contacts, messages, browsing data, crypto wallet and exchange data, photos and system configuration. The tool performs rapid exfiltration, then removes staged files. Apple issued patches for the affected flaws in recent iOS releases, and installing updates reduces risk.
WHY IT MATTERS
The discovery shows a market for high-quality iOS exploits that diverse actors can use to quickly steal sensitive data from unpatched devices. The scale of potential exposure includes any iPhone that has not received the applicable security updates.

