DarkSword: Sophisticated iOS Malware Exploiting Zero-Day Vulnerabilities

DarkSword is a sophisticated iOS malware, likely government-designed, that exploits a full-chain of zero-day vulnerabilities to fully compromise devices running iOS versions 18.4 through 18.7. Google Threat Intelligence Group (GTIG) identified the exploit chain, which uses six distinct vulnerabilities and has been active since at least November 2025, targeting individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine. The malware deploys three final-stage payloads: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER, and has been utilized by commercial surveillance vendors, suspected state-sponsored actors, and the Russian espionage group UNC6353. A version of DarkSword leaked online approximately one week after its discovery, broadening its potential use. No specific CVE IDs were mentioned in the report.