Mar 23, 2026
DarkSword Uses 6 Flaws to Hijack iPhones in Seconds—One Visit Is All It Takes
A sophisticated JavaScript-based exploit chain targets 221 million iPhones through compromised websites, stealing everything from crypto wallets to iCloud files before you even notice.
A New Threat to Every Recent iPhone
On March 18, 2026, security researchers at Google, Lookout, and iVerify jointly disclosed a highly sophisticated iOS exploit kit dubbed DarkSword. The toolkit chains together six separate vulnerabilities, three of which were zero-days at the time of discovery, to achieve full device compromise on any iPhone running iOS 18.4 through 18.7.
That version range covers approximately 14.2% of all active iPhones globally, an estimated 221 million devices. The attack requires no interaction beyond visiting a compromised website in Safari. No clicks, no downloads, no permission prompts. Just loading the page is enough.
How the Attack Chain Works
DarkSword is written entirely in JavaScript and follows a precise five-stage attack sequence. When a victim visits a compromised website, a malicious iframe silently loads and fingerprints the device to confirm it is vulnerable.
The chain then exploits two JavaScriptCore memory corruption flaws (CVE-2025-43529 and CVE-2025-31277) to achieve remote code execution inside Safari. From there it breaks out of the WebContent sandbox using a WebGPU vulnerability, injects into the system media daemon (mediaplaybackd), and escalates to kernel-level access through two additional memory corruption flaws (CVE-2025-43510 and CVE-2025-43520). A PAC bypass (CVE-2026-20700) defeats Apple's pointer authentication, the final barrier before full device control.
Researchers described the approach as a "hit and run": DarkSword collects and exfiltrates targeted data within seconds or minutes, then cleans up traces of its presence. The entire process is invisible to the user.
What DarkSword Steals
Once the exploit chain achieves kernel-level access, it deploys a data miner called GHOSTBLADE. The malware harvests an extensive list of personal information:
- Emails, SMS messages, and messaging app histories (Telegram, WhatsApp, Signal)
- iCloud files, photos, contacts, and calendar entries
- Safari browsing history and saved cookies
- Cryptocurrency wallet data and private keys
- Saved passwords, Wi-Fi credentials, and Apple Notes
- Location history, call logs, and installed app inventory
The breadth of data collection goes well beyond typical malware. DarkSword essentially creates a complete copy of the victim's digital life in a single pass.
Who Is Behind It
Google's Threat Intelligence Group identified multiple threat actors using DarkSword independently. The Russian espionage group tracked as UNC6353, previously observed using the Coruna exploit kit, deployed DarkSword in watering hole campaigns targeting Ukrainian users. Their version delivered the GHOSTBLADE backdoor to collect intelligence on targets of interest.
A separate group tracked as UNC6748 used DarkSword against Saudi Arabian targets as early as November 2025, luring victims through a fake Snapchat website and deploying a different backdoor called GHOSTKNIFE. A Turkish commercial surveillance vendor known as PARS Defense was also observed deploying its own payload, GHOSTSABER, through the same exploit chain.
The fact that state-sponsored hackers, commercial surveillance vendors, and criminal operators are all using the same toolkit highlights the accelerating proliferation of offensive mobile capabilities.
How to Protect Yourself
Apple has patched the vulnerabilities across iOS 18.6, 18.7.2, 18.7.3, and iOS 26.x releases. The single most effective defense is updating your iPhone immediately. To check your version, go to Settings, then General, then Software Update.
Additional protective steps include:
- Enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) if you are in a high-risk category such as a journalist, activist, or government official
- Avoid clicking links from unknown sources, especially those shared through messaging apps or social media
- Review your installed apps and remove anything you do not recognize
- Consider using a mobile security tool like iVerify to scan for indicators of compromise
DarkSword is the second major iOS exploit kit discovered in a month, following the Coruna disclosure. The pace of these discoveries suggests that iPhone users can no longer assume their device is secure simply because they are running iOS. Keeping your software up to date is no longer optional; it is the front line of defense.