Blog · Apr 6, 2026 · 8 min read

DarkSword: The iOS exploit chain that turns a webpage visit into a full device takeover.

Six CVEs. Three zero-days. One drive-by Safari visit. DarkSword is one of the most technically sophisticated iOS exploit kits ever documented — and it was deployed in active campaigns against journalists, activists, and government targets before most iPhones were patched.

DarkSword is a full-chain iOS exploit kit publicly disclosed in March 2026 by Google's Threat Intelligence Group (GTIG), Lookout, and iVerify. It chains six CVEs across four iOS subsystems — JavaScriptCore, the ANGLE graphics library, the XNU kernel, and the dynamic linker — to achieve complete, silent device compromise through nothing more than a Safari page load.

Three of the six vulnerabilities were exploited as zero-days before Apple shipped patches. The kit was actively deployed in real campaigns starting as early as November 2025, with confirmed targets in Saudi Arabia, Turkey, Malaysia, and Ukraine — before the broader security community was aware it existed.

CVE            | Component                        | Class                               | Zero-day | Patched
CVE-2025-31277 | JavaScriptCore (JIT)             | Type confusion / memory corruption  | no       | iOS 18.6
CVE-2025-43529 | JavaScriptCore (GC)              | Use-after-free                      | yes      | iOS 18.7.3 / 26.2
CVE-2025-14174 | ANGLE (graphics)                 | Out-of-bounds write                 | yes      | iOS 18.7.3 / 26.2
CVE-2025-43510 | Kernel (AppleM2ScalerCSCDriver)  | Copy-on-write flaw                  | yes      | iOS 18.7.2 / 26.1
CVE-2025-43520 | Kernel (XNU)                     | Memory corruption / privesc         | no       | iOS 18.7.2 / 26.1
CVE-2026-20700 | dyld (dynamic linker)            | PAC bypass                          | no       | iOS 26.3

Affected devices: any iPhone running iOS 18.4 through 18.7 without incremental patches applied, and any device on iOS 26.0–26.2 before the final PAC bypass was patched in 26.3.

DarkSword is a drive-by attack — no phishing link to click, no app to install, no prompt to accept. Visiting a compromised legitimate website in Safari is sufficient. Here's how each stage works.

No phishing link, no app install, no user prompt. A single page load is all it takes.
  • 01  Watering hole delivery

    Attackers compromise legitimate, trusted websites — confirmed examples include a Ukrainian news outlet and a government portal — and inject a hidden <iframe> that silently loads the exploit kit's JavaScript loader from attacker-controlled infrastructure. When a victim visits the compromised page in Safari, the loader fingerprints the device's iOS version and selects the matching exploit path. Zero user interaction is required.

  • 02  Remote code execution in the WebContent process

    The kit exploits one of two JavaScriptCore bugs depending on the iOS version — a JIT type confusion bug (18.4–18.5) or a garbage collector use-after-free (18.6–18.7). Both yield an arbitrary memory read/write primitive within Safari's sandboxed WebContent renderer. CVE-2026-20700 (a Pointer Authentication Code bypass in the dynamic linker) is then chained to convert that memory primitive into full arbitrary code execution within the WebContent process.

    CVEs: CVE-2025-31277 · CVE-2025-43529 · CVE-2026-20700

  • 03  First sandbox escape: WebContent → GPU process

    From inside the WebContent sandbox, the exploit leverages WebGPU APIs to trigger CVE-2025-14174 — an out-of-bounds write in the ANGLE graphics library. This escapes the WebContent process boundary and pivots execution into the GPU process, which has a broader system footprint.

    CVEs: CVE-2025-14174

  • 04  Second sandbox escape: GPU process → mediaplaybackd

    From the GPU process, the chain moves laterally into mediaplaybackd, a privileged system media daemon. This positions the exploit closer to kernel-adjacent services and away from browser-tied restrictions.

  • 05  Kernel privilege escalation

    Two kernel bugs are chained together: a Copy-on-Write memory management flaw in the AppleM2ScalerCSCDriver and a memory corruption vulnerability in XNU. Together they establish kernel-level read/write access, stripping all remaining sandbox restrictions and giving the attacker full control over the device's memory and processes.

    CVEs: CVE-2025-43510 · CVE-2025-43520

  • 06  Payload injection and exfiltration

    The main orchestrator injects JavaScript engines into privileged iOS services — Springboard, Keychain, Wi-Fi subsystem, iCloud, and others — and deploys one of three distinct malware payloads depending on the operator campaign. Data collection and exfiltration happens within seconds to minutes, after which the malware self-cleans. There is no persistence; it's a hit-and-run operation.
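Stage 1 of the chain depends on a hidden, cross-origin <iframe> being injected into a legitimate page. Site owners can watch for exactly that artefact in their own published HTML. The scanner below is an added example for this post, not code from the post or from any of the research teams it cites: it parses a page and flags iframes that are both cross-origin and concealed (zero-size, hidden via CSS, positioned off-screen, or carrying the hidden attribute), which is the combination a legitimate embed rarely needs. The page origin, hostnames (all under the reserved .invalid TLD) and the markup are constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse


def _is_tiny(value: Optional[str]) -> bool:
    """True for a width/height attribute of 0 or 1 pixel (e.g. '0', '1px')."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


class HiddenIframeScanner(HTMLParser):
    """Collects <iframe> tags that are both cross-origin and concealed from the viewer."""

    def __init__(self, page_origin: str):
        super().__init__()
        self.page_host = urlparse(page_origin).hostname
        self.findings: List[Dict] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # Boolean attributes (e.g. bare `hidden`) arrive with value None; normalise to "".
        a = {name.lower(): (value or "") for name, value in attrs}
        src = a.get("src", "")
        src_host = urlparse(src).hostname
        # Relative or same-host sources are the site's own embeds; only third-party frames
        # are of interest for an injected-loader check.
        if not src_host or src_host == self.page_host:
            return
        style = a.get("style", "").lower().replace(" ", "")
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero-size frame")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if re.search(r"(?:left|top):-\d{3,}px", style):
            reasons.append("positioned off-screen")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append({"src": src, "host": src_host, "reasons": reasons})


def scan_html(html: str, page_origin: str) -> List[Dict]:
    """Return one finding per cross-origin iframe that is concealed in some way."""
    scanner = HiddenIframeScanner(page_origin)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two legitimate visible embeds, one hidden same-origin slot,
# and one hidden third-party frame of the kind the post describes.
PAGE_ORIGIN = "https://www.example-news.invalid"
SAMPLE_HTML = """
<html><body>
<h1>Daily news</h1>
<iframe src="https://www.example-news.invalid/weather-widget" width="300" height="200"></iframe>
<iframe src="https://video.example-cdn.invalid/embed/123" width="640" height="360"></iframe>
<iframe src="/ads/slot-3" width="0" height="0"></iframe>
<iframe src="https://cdn-static.attacker-placeholder.invalid/loader.html"
        width="0" height="0" style="display: none;"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, PAGE_ORIGIN):
        print(f"suspicious iframe {finding['src']}: {', '.join(finding['reasons'])}")
```

Run it periodically against a fresh fetch of each page and alert on any finding that is not in an allow-list of known embeds; a third-party frame that is also invisible is a strong signal that the page has been tampered with, whatever the frame actually loads.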

(Interactive chain graph: all six CVEs, four subsystems, two sandbox escapes.)

Three distinct payloads were deployed in different campaigns. The most comprehensive — GHOSTBLADE — represents what a fully weaponised DarkSword infection looks like. Once kernel access is established, the attacker has access to essentially everything the device stores:

  • All communications — SMS and iMessage databases, call history, email, Telegram and WhatsApp message histories
  • All credentials — Keychain passwords, Wi-Fi passwords, Safari saved passwords
  • Financial data — Cryptocurrency wallet keys and seed phrases from Coinbase, Ledger, MetaMask, and Phantom
  • Location and identity — Full location history, contacts, calendar, SIM information, installed app list
  • Files and media — Photos, notes, Health app data, iCloud Drive files
  • Remote access — The GHOSTSABER payload enables ongoing device enumeration and remote command execution

Help Net Security estimated hundreds of millions of devices were exposed at peak, covering the iPhone XR, XS, and the full iPhone 11–16 range — any unpatched device in the iOS 18.4–18.7 window. Real-world campaigns confirmed by researchers include:

UNC6748 (targeting Saudi Arabia, from November 2025) used a Snapchat-themed lure domain and deployed GHOSTBLADE. PARS Defense, a Turkish commercial surveillance vendor, ran operations against targets in Turkey and Malaysia. UNC6353 (Russia-linked) targeted Ukrainian users in December 2025 via the compromised Ukrainian government and news sites, also deploying GHOSTBLADE — likely for intelligence collection.

This isn't theoretical. It was deployed against real targets for months before the security community knew it existed.

All six CVEs are now patched. Apple took the unusual step of backporting DarkSword coverage to iOS 18 for devices that can't or haven't moved to iOS 26, releasing iOS 18.7.7 on April 1, 2026, specifically to close the chain on older hardware. Here's what you should do:

  • 01  Update immediately

    If you're on iOS 26, update to 26.3.1 or later. If you're staying on iOS 18, update to 18.7.7 or later. Both cover the full chain. The final CVE (the PAC bypass, CVE-2026-20700) wasn't patched until iOS 26.3 — earlier incremental patches only partially close the chain.

  • 02  Enable Lockdown Mode if you can't update right now

    Lockdown Mode significantly restricts Safari's JIT compiler — the entry point for Stages 2 and 3 of the chain. It won't stop every CVE in isolation, but it makes the full chain substantially harder to execute. Activate it in Settings → Privacy & Security → Lockdown Mode. Note that this will break some website functionality.

  • 03  Check for indicators of compromise

    Because DarkSword self-cleans, standard forensic signals are limited. Users in high-risk categories — journalists, government employees, activists, executives — should run iVerify or a similar mobile threat detection tool to check for behavioural indicators that the payload ran. Apple also added the delivery infrastructure domains to Safari's Safe Browsing blocklist, but this doesn't help retroactively.

  • 04  Rotate credentials and review account access

    If you believe a device may have been compromised — particularly during the November 2025 – March 2026 window when DarkSword was actively deployed — rotate all passwords stored in Keychain, revoke active sessions on email and cloud accounts, and review any financial or cryptocurrency accounts for unauthorised access. Given that GHOSTBLADE exfiltrates wallet seed phrases, any crypto holdings on affected devices should be considered compromised and migrated to a new wallet immediately.
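The update advice above, together with the per-CVE patch versions in the table earlier in the post, is easy to apply to one phone and tedious to apply to a fleet. The script below is an added example for this post (not from the post, Apple, or any vendor): it encodes the post's CVE table and its recommended floor (18.7.7 or 26.3.1) and, for each iOS version string in an inventory, lists which DarkSword CVEs that build still lacks a fix for. Two assumptions go beyond the table and are marked in the code: CVE-2025-31277 is treated as fixed in every iOS 26 build because its 18.6 fix predates the iOS 26 release, and 18.7.7 is used as the iOS 18 fix for CVE-2026-20700 because the post says 18.7.7 covers the full chain. Only the iOS 18 and 26 branches are modelled, and the device inventory is constructed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '18.7.3' or '26.2' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


# First build on each branch that carries the fix, from the post's CVE table.
# Assumptions not stated in the table itself:
#  - CVE-2025-31277 was fixed in 18.6, before iOS 26 shipped, so 26.0 is used for that branch.
#  - The table lists only 26.3 for CVE-2026-20700; the post says 18.7.7 covers the full chain,
#    so 18.7.7 is used as the iOS 18 fix.
DARKSWORD_FIXES: Dict[str, Dict[int, str]] = {
    "CVE-2025-31277": {18: "18.6",   26: "26.0"},
    "CVE-2025-43529": {18: "18.7.3", 26: "26.2"},
    "CVE-2025-14174": {18: "18.7.3", 26: "26.2"},
    "CVE-2025-43510": {18: "18.7.2", 26: "26.1"},
    "CVE-2025-43520": {18: "18.7.2", 26: "26.1"},
    "CVE-2026-20700": {18: "18.7.7", 26: "26.3"},
}

# The post's recommended minimum: iOS 18.7.7 or iOS 26.3.1 and later.
RECOMMENDED_MINIMUM: Dict[int, Version] = {18: (18, 7, 7), 26: (26, 3, 1)}


def unpatched_cves(version_text: str) -> List[str]:
    """DarkSword CVEs for which the given build predates the fix on its branch."""
    v = parse_version(version_text)
    if v[0] not in (18, 26):
        raise ValueError(f"iOS {version_text}: only the 18.x and 26.x branches are modelled")
    return [cve for cve, fix in DARKSWORD_FIXES.items() if v < parse_version(fix[v[0]])]


def meets_recommendation(version_text: str) -> bool:
    """True if the build is at or above the floor the post recommends for its branch."""
    v = parse_version(version_text)
    floor = RECOMMENDED_MINIMUM.get(v[0])
    return floor is not None and v >= floor


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, Tuple[str, List[str]]]:
    """Map device id -> (status, missing CVEs) so exposed devices can be patched first."""
    report: Dict[str, Tuple[str, List[str]]] = {}
    for device_id, version_text in inventory:
        try:
            missing = unpatched_cves(version_text)
        except ValueError:
            report[device_id] = ("unknown-branch", [])
            continue
        if missing:
            status = "exposed"
        elif not meets_recommendation(version_text):
            status = "below-recommended"   # fixed, but under the floor the post advises
        else:
            status = "ok"
        report[device_id] = (status, missing)
    return report


# Constructed inventory with placeholder device ids; not real MDM data.
SAMPLE_INVENTORY = [
    ("iphone-finance-01", "18.5"),
    ("iphone-exec-07", "18.7.3"),
    ("iphone-press-02", "26.2"),
    ("iphone-press-03", "26.3"),
    ("iphone-it-11", "26.3.1"),
    ("iphone-legacy-04", "17.7"),
]

if __name__ == "__main__":
    for device, (status, missing) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{device:18} {status:18} {', '.join(missing) or '-'}")
```

Feed it the OS version column exported from whatever MDM or asset system you run; the "exposed" rows carry the CVE list that drives the patch priority, and "below-recommended" separates builds that have every listed fix from the floor the post actually recommends.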

Full iOS exploit chains have always existed, but they're expensive to build and expensive to burn. The fact that DarkSword was actively deployed in multiple distinct campaigns — by at least three separate threat actors — before Apple had patches in place tells you something important: the gap between "exploit exists" and "patch ships" is not a gap you can afford to ignore.

The other thing worth noting is the hit-and-run operational model. The absence of persistence means traditional endpoint detection looks for the wrong signals. By the time you're investigating, the malware is already gone and the damage is done. The defence here isn't detection — it's removing the attack surface before the chain runs.

Update. Then verify.