DarkSword: Full-Chain iOS Zero-Day Exploitation by State Actors

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-03-19

Categories: Mobile Security, Threat Intelligence, Zero-Day Exploitation, Mercenary Spyware, State-Sponsored Attacks


Key Takeaways

On March 18, 2026, Google Threat Intelligence Group (GTIG), iVerify, and Lookout jointly disclosed DarkSword, a full-chain iOS exploit kit that chains six vulnerabilities — three of them zero-days — to achieve complete device compromise on iPhones running iOS versions below 18.7.5 (and below iOS 26.3 on the iOS 26 branch) [1][2][3]. The entire attack is implemented in JavaScript, executing within Safari’s browser engine without requiring any native binary delivery, and successfully bypasses Apple’s Pointer Authentication Codes (PAC) and Trusted Page Reference Owner (TPRO) protection — two of Apple’s primary kernel integrity controls [4]. SiliconANGLE reported that iVerify estimated up to 270 million iPhones remained on vulnerable iOS versions at the time of public disclosure [5].

DarkSword is not a single-actor campaign. GTIG attributed the kit’s deployment to at least three independent operators: UNC6353, a suspected Russian espionage group targeting Ukrainian civilians via watering hole attacks; UNC6748, an unattributed state or state-adjacent actor targeting Saudi Arabian users via social engineering; and PARS Defense, a Turkish commercial surveillance vendor with documented deployments in Turkey and Malaysia [1][6]. The kit’s server-side components contained an unobfuscated artifact labeled “Dark sword file receiver” — from which the kit takes its public name [4]. Multiple reporting outlets additionally note that large language models were used to assist in customizing both DarkSword and its predecessor Coruna, underscoring how AI-assisted development is lowering the technical barrier for advanced mobile exploit construction [7].

The disclosures arrive as the commercial surveillance vendor ecosystem — encompassing Paragon Solutions, Intellexa, and the recently litigated NSO Group — faces mounting regulatory and legal pressure, even as exploit reuse between commercial products and state APT groups becomes a documented structural feature of the iOS threat landscape [8][9][10]. Organizations responsible for the protection of journalists, activists, executives, lawyers, and other high-risk iPhone users must treat DarkSword as evidence of an enduring and evolving threat requiring immediate patching, behavioral monitoring, and the systematic use of Apple’s Lockdown Mode for exposed populations.


Background

The iOS Zero-Day Landscape Entering 2026

Apple’s iOS has long been among the most actively exploited operating systems in the mercenary spyware ecosystem, not despite its security architecture but, in part, because of it: the platform’s ubiquity among high-value targets, its closed software distribution model, and the reliability of its process isolation make a successful iOS exploit extraordinarily valuable to both state actors and commercial surveillance vendors. Google’s Threat Analysis Group has tracked Intellexa alone as responsible for 15 unique zero-days across iOS, Chrome, and Android since 2021 [8]. NSO Group’s Pegasus program was the subject of a U.S. federal jury verdict of $167 million in punitive damages in May 2025 — later reduced on appeal to approximately $4 million — in litigation over zero-click iOS and Android vulnerabilities deployed against approximately 1,400 WhatsApp users [10]. Paragon Solutions’ Graphite spyware exploited CVE-2025-43200, a zero-click iMessage vulnerability patched in iOS 18.3.1, against Italian journalists in early 2025 [9].

Against this backdrop, Apple’s advisory for CVE-2026-20700 describes the vulnerability as used in an “extremely sophisticated attack” [11]. DarkSword incorporates that dyld zero-day and represents its deployment across multiple independent state and commercial operators simultaneously. The flaw at the heart of CVE-2026-20700 reportedly existed in the underlying dyld code path for nearly two decades before exploitation, a finding that illustrates the longevity of attack surfaces in mature operating systems and the persistent value of legacy code review [12].

DarkSword was publicly disclosed approximately two weeks after Coruna, a separate iOS exploit kit attributed to the same general infrastructure cluster as UNC6353 [7]. The rapid succession of two mass iOS exploit kit disclosures within a single month may mark a qualitative shift in the operational tempo of iOS-focused campaigns, and suggests that the maturation of JavaScript-based exploit delivery has reached a threshold where state-adjacent actors can now assemble, adapt, and deploy sophisticated exploit chains without traditional binary reverse-engineering expertise.

CVE-2026-20700: The Anchor Zero-Day

CVE-2026-20700 is a memory corruption vulnerability in dyld, Apple’s Dynamic Link Editor responsible for loading dynamic libraries across all Apple operating systems. An attacker who has already achieved memory write access through earlier stages of the exploit chain — specifically via the JavaScriptCore renderer exploit — can leverage this flaw to bypass both Pointer Authentication Codes (PAC) and Apple’s Trusted Page Reference Owner (TPRO) protection, achieving arbitrary code execution at the system level [11][12]. Apple patched CVE-2026-20700 on February 11, 2026, in iOS 26.3 and iPadOS 26.3; a backport to the iOS 18.x branch was pending at the time of that initial disclosure. Apple assigned the vulnerability a CVSS score of 7.8. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog and mandated Federal Civilian Executive Branch agency remediation by March 5, 2026 [13]. The full DarkSword chain was not documented until March 18, after additional CVEs were identified and patched across multiple iOS versions beginning in late 2025.


Security Analysis

The Six-Vulnerability Chain

DarkSword achieves full device compromise through a sequenced exploit chain spanning the WebKit renderer, GPU subsystem, dynamic linker, and kernel. The six components and their patch status are documented below.

CVE             | Component       | Vulnerability Type            | Zero-Day | Patch Version
CVE-2025-31277  | JavaScriptCore  | Memory corruption (RCE)       | No       | iOS 18.6
CVE-2025-43529  | JavaScriptCore  | Use-after-free (RCE)          | Yes      | iOS 18.7.3 / 26.2
CVE-2025-14174  | ANGLE (GPU)     | Memory corruption             | Yes      | iOS 18.7.3 / 26.2
CVE-2026-20700  | dyld            | PAC/TPRO bypass               | Yes      | iOS 26.3 / iPadOS 26.3
CVE-2025-43510  | Kernel          | Memory management / CoW       | No       | iOS 18.7.2 / 26.1
CVE-2025-43520  | Kernel          | Memory corruption (priv-esc)  | No       | iOS 18.7.2 / 26.1

Delivery begins when a victim visits a compromised or attacker-controlled website in Safari. A malicious <iframe> loads JavaScript files including rce_loader.js and rce_module.js, which first fingerprint the device to confirm iOS version and browser characteristics before proceeding [4]. The renderer exploit stage uses CVE-2025-31277 and CVE-2025-43529 to trigger memory corruption in JavaScriptCore, achieving code execution within the WebContent process. From there, CVE-2025-14174 — an ANGLE memory corruption bug in the GPU rendering stack — injects malicious code into the mediaplaybackd system daemon via WebGPU, escaping the WebContent sandbox entirely [4]. The PAC/TPRO bypass via CVE-2026-20700 then disables Apple’s two most significant kernel integrity protections, enabling the final kernel privilege escalation through CVE-2025-43510 and CVE-2025-43520. The JavaScriptCore framework is subsequently force-injected into system daemons including configd, wifid, securityd, and UserEventAgent, from which the payload performs data staging and exfiltrates to C2 infrastructure before deleting staged files and exiting [4]. Total dwell time on the device is measured in minutes, and the kit installs no persistent implant; GTIG and Lookout assess this design choice was intended to reduce forensic detectability at the cost of ongoing access [1][4].

Three Payload Families and Their Operators

GTIG documented three distinct JavaScript-based malware families deployed post-exploitation, each associated with a different operator cluster. GHOSTBLADE, deployed by UNC6353, is a data miner targeting SMS and iMessage threads, messaging application chats, call logs, contacts, browser cookies, and cryptocurrency exchange and wallet applications [1]. The explicit targeting of crypto asset applications — including Coinbase, Binance, Ledger, and MetaMask — alongside traditional espionage-relevant data categories is consistent with GTIG’s assessment that UNC6353 uses financial theft to supplement state-aligned intelligence collection, a pattern GTIG assesses reflects resource pressures on Russia’s wartime intelligence apparatus [1]. GHOSTKNIFE, deployed by UNC6748 in the Saudi Arabia campaign, extends this capability with the addition of audio recording from the device microphone and the ability to capture screenshots and download additional files [1]. GHOSTSABER, the least-documented of the three, performs device enumeration and file exfiltration; code references to audio recording are present but reportedly not yet implemented, indicating active development [1]. The breadth of data targeted across all three families — encompassing messages, credentials, location history, iCloud Drive contents, keychain data, and financial application sessions — reflects the comprehensive device access that a successful kernel-level iOS exploit affords.

The Multi-Actor Reuse Model

The simultaneous deployment of a single exploit kit across state espionage and commercial surveillance channels represents a convergence pattern that security researchers have previously documented in the relationship between APT29 and Intellexa. Google TAG reported in 2024 that APT29 used iOS and Chrome exploits with mechanisms “exactly matching” those of Intellexa’s Predator toolkit in watering hole attacks against Mongolian government websites, though the acquisition pathway from commercial vendor to intelligence service was not confirmed [8]. DarkSword makes this convergence explicit: PARS Defense, a Turkish commercial vendor, implemented additional operational security improvements over UNC6353’s deployment — specifically, ECDH key exchange to encrypt exploit stages in transit — suggesting independent technical teams adapting the same underlying kit for distinct customer requirements [1][6].

The use of LLM-generated code to customize the exploit chain is reported by CyberScoop, citing Lookout analysis that “someone used a large language model to customize both Coruna and DarkSword” [7]. While the precise scope of AI assistance remains uncertain, the reported involvement of language models in adapting both DarkSword and its Coruna predecessor is consistent with an emerging pattern in which AI tooling may reduce the expertise threshold for mobile exploit development and enable actors without deep vulnerability research capability to deploy and modify sophisticated chains acquired through commercial or state-to-state supply chains.

Infrastructure and Indicators of Compromise

Lookout’s technical analysis identified the following attacker infrastructure associated with DarkSword deployments [4].

Type                                | Indicator
Delivery CDN                        | static.cdncounter[.]net
C2 hostname                         | sqwas.shapelie[.]com (ports 8881 and 8882)
C2 IP address                       | 141.105.130[.]237 (observed active December 2025 – March 2026)
Social engineering domain (UNC6748) | snapshare[.]chat

Defenders should query endpoint detection systems, DNS logs, and proxy logs for communications to these indicators. Because DarkSword is JavaScript-delivered and performs cleanup after execution, traditional binary IOC scanning will not identify post-exploitation activity in most environments.
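Because the kit deletes its staged files before exiting, network telemetry is usually the most durable evidence an organization retains. The script below is an added example (not code from Lookout, GTIG, iVerify, or the CSA) that refangs the indicators from the table above and sweeps DNS and proxy log lines for them, flagging proxy connections to the C2 hostname on the two observed ports. The two log line formats are constructed for this example and follow no particular product's schema; the regexes would need to be adapted to a real log source, and the sample lines, client addresses and timestamps are invented.

```python
"""Match DNS and proxy log lines against the DarkSword indicators listed above.

Added example for this page; it is not code from Lookout, GTIG, iVerify or
the CSA. The indicators are the ones in the table above (stored defanged and
refanged on load). The two log line formats are constructed for this example
and follow no particular product's schema; adapt the regexes to your source.
"""
import re
from typing import Dict, List, Optional

# Indicators from the Lookout table, defanged as published.
DEFANGED_IOCS = {
    "static.cdncounter[.]net": "delivery-cdn",
    "sqwas.shapelie[.]com": "c2-hostname",
    "141.105.130[.]237": "c2-ip",
    "snapshare[.]chat": "social-engineering-domain",
}
# Ports observed on the C2 hostname, per the table.
C2_PORTS = {8881, 8882}


def refang(indicator: str) -> str:
    """Turn 'example[.]com' into 'example.com' for comparison against logs."""
    return indicator.replace("[.]", ".")


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Constructed (hypothetical) log formats:
#   "<timestamp> DNS <client_ip> <queried_name>"
#   "<timestamp> PROXY <client_ip> <destination_host>:<destination_port>"
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS (?P<client>\S+) (?P<qname>\S+)$")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) PROXY (?P<client>\S+) (?P<dest>[^:\s]+):(?P<port>\d+)$"
)


def host_matches(host: str) -> Optional[str]:
    """Return the indicator type if host is an IOC or a subdomain of a hostname IOC."""
    host = host.lower().rstrip(".")  # DNS logs often carry a trailing dot
    if host in IOCS:
        return IOCS[host]
    for ioc, kind in IOCS.items():
        if kind != "c2-ip" and host.endswith("." + ioc):
            return kind
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line that touches a DarkSword indicator."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        dns = DNS_RE.match(line)
        proxy = PROXY_RE.match(line)
        if dns:
            host, port, source = dns["qname"], None, "dns"
            client, ts = dns["client"], dns["ts"]
        elif proxy:
            host, port, source = proxy["dest"], int(proxy["port"]), "proxy"
            client, ts = proxy["client"], proxy["ts"]
        else:
            continue  # unrecognised line format; ignore
        kind = host_matches(host)
        if kind is None:
            continue
        hit = {
            "ts": ts,
            "client": client,
            "indicator": host.lower().rstrip("."),
            "kind": kind,
            "source": source,
        }
        # Flag when the destination port matches the observed C2 ports.
        if kind == "c2-hostname" and port in C2_PORTS:
            hit["note"] = "port matches observed C2 ports"
        hits.append(hit)
    return hits


# Constructed sample log lines; the client IPs and timestamps are invented.
SAMPLE_LOGS = [
    "2026-01-14T09:12:03Z DNS 10.20.0.14 static.cdncounter.net",
    "2026-01-14T09:12:05Z PROXY 10.20.0.14 sqwas.shapelie.com:8881",
    "2026-01-14T09:13:40Z DNS 10.20.0.22 www.example.com",
    "2026-01-14T09:15:09Z PROXY 10.20.0.31 141.105.130.237:443",
    "2026-01-14T09:16:00Z DNS 10.20.0.40 snapshare.chat.",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Matching is exact on each indicator plus any subdomain of the listed hostnames (the IP is matched exactly only). A hit on the delivery CDN alone indicates exposure to the loader, not confirmed compromise; a hit on the C2 hostname or IP from a client that also resolved the CDN shortly before is the pattern to triage first.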


Recommendations

Immediate Actions

The most consequential immediate action for any organization is iOS patch deployment. The full DarkSword chain requires a device running an iOS version below 18.7.5 (or below 26.3 on the iOS 26 branch); CVE-2026-20700 was patched in iOS 26.3, and the earlier chain components were patched across iOS 18.6 through 18.7.3. Organizations with mobile device management capabilities should audit enrolled devices for compliance and escalate unpatched devices as critical findings. For individuals who have received Apple Threat Notifications via the Apple ID account page or from threat-notifications@email.apple.com, Lockdown Mode should be enabled immediately and forensic examination through a mobile security vendor should be considered [14][15].
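An MDM compliance audit reduces to comparing each enrolled device's version against the per-branch thresholds stated above. The script below is an added example (not code from Apple, any MDM vendor, or the CSA) that does that comparison; it uses the thresholds as the text gives them (18.7.5 on the iOS 18 branch, 26.3 on the iOS 26 branch), reports devices on branches the text does not cover as unknown rather than assuming they are safe, and tolerates malformed version strings. The inventory format is a constructed list of (device_id, version) pairs standing in for an MDM export.

```python
"""Classify enrolled iOS versions against the DarkSword patch thresholds.

Added example for this page; it is not code from Apple, any MDM vendor or the
CSA. The thresholds are the ones stated in the text: devices below 18.7.5 on
the iOS 18 branch and below 26.3 on the iOS 26 branch are exposed to the full
chain. Branches the text does not cover are reported as 'unknown-branch'
rather than assumed safe. The inventory format is a constructed list of
(device_id, version) pairs standing in for an MDM export.
"""
from typing import Dict, List, Tuple

# First fully patched version on each branch covered by the advisory text.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    18: (18, 7, 5),
    26: (26, 3, 0),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """'18.7.3' -> (18, 7, 3); '26.3' -> (26, 3, 0). Rejects malformed strings."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed iOS version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown-branch' for one version string."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return "unknown-branch"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "patched" if parsed >= fixed else "vulnerable"


def audit(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket device ids by status; unparseable versions are treated as unknown."""
    report: Dict[str, List[str]] = {
        "vulnerable": [],
        "patched": [],
        "unknown-branch": [],
    }
    for device_id, version in inventory:
        try:
            status = classify(version)
        except ValueError:
            status = "unknown-branch"
        report[status].append(device_id)
    return report


# Constructed sample inventory; device ids and versions are invented.
SAMPLE_INVENTORY = [
    ("dev-001", "18.7.3"),
    ("dev-002", "18.7.5"),
    ("dev-003", "26.2"),
    ("dev-004", "26.3.1"),
    ("dev-005", "17.6.1"),
    ("dev-006", "n/a"),
]

if __name__ == "__main__":
    for status, ids in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(ids) or '-'}")
```

Devices in the "unknown-branch" bucket (older major versions, or records with no usable version string) should be escalated alongside the vulnerable ones rather than ignored, since a device the MDM cannot describe cannot be shown to be patched.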

Organizations responsible for high-risk users — journalists, legal professionals, political opposition figures, civil society organizations, corporate executives with sensitive deal exposure — should deploy specialized mobile endpoint tools such as iVerify or Lookout capable of behavioral anomaly detection rather than relying solely on platform-level controls. Apple confirmed in prior reporting that Lockdown Mode successfully blocked an analogous WebKit-based iOS exploit deployed by APT29 against Mongolian government targets [8], suggesting the mode’s attack surface reduction may be operationally effective against this class of chain, though independent validation on the DarkSword chain specifically has not been reported. The mode does impose usability constraints that require user communication and organizational preparation.

Short-Term Mitigations

Security teams should review mobile policies to require prompt iOS updates as a condition of enterprise access and to prohibit the use of unmanaged personal devices for accessing sensitive corporate data in high-risk user populations. DNS-layer controls that block communication to known DarkSword C2 infrastructure can interrupt post-exploitation exfiltration even on devices where the renderer exploit has already executed, since the staged data must traverse the network to reach attacker infrastructure. Organizations using cloud-based email or messaging platforms should review access logs for anomalous logins from new device identifiers around the November 2025 through March 2026 window coinciding with documented DarkSword activity, as harvested session cookies and credentials may have already been used for follow-on access [4].

Mobile application developers integrating sensitive credential or financial data should review their iOS app implementations for reliance on keychain access controls that assume device integrity, since a kernel-level compromise of the type DarkSword achieves invalidates those assumptions. Applications handling cryptocurrency assets, healthcare records, or legal matter data represent elevated-priority targets based on DarkSword’s demonstrated payload priorities.

Strategic Considerations

DarkSword illustrates that the commercial surveillance vendor ecosystem and state-sponsored exploit programs have evolved into an interdependent supply chain rather than parallel but separate threat actors. Commercial vendors develop and productize exploit chains; state actors acquire, adapt, or replicate those chains; and the underlying vulnerabilities — some present in platform code for decades — are exhausted through use rather than discovered independently in parallel. This structural reality requires that organizational security strategies treat iOS zero-day exploitation not as a theoretical capability possessed only by the most sophisticated nation-states, but as an operationally accessible technique for any actor with the budget to acquire commercial tooling or the relationships to obtain state-developed capabilities.

The reported LLM-assisted customization of DarkSword warrants sustained attention from the CSA AI Safety Initiative community. If large language models can materially lower the expertise threshold for adapting full-chain iOS exploit kits, then the gap separating technically capable from technically limited threat actors in the most demanding category of mobile attack is narrowing. This has direct implications for the threat models that security architects maintain for mobile device populations: the capability tier associated with iOS zero-day exploitation should be revised downward in likelihood estimates, not because the technical difficulty has decreased in absolute terms, but because the market for AI-assisted exploit adaptation is expanding.


CSA Resource Alignment

DarkSword’s multi-actor deployment pattern and LLM-assisted development connect directly to several areas of active CSA AI Safety Initiative guidance. The MAESTRO framework (Machine Learning Threat and Risk Ontology) addresses the attack surface expansion that results when AI capabilities are integrated into offensive security tooling — the reported use of language models to customize DarkSword represents a concrete instantiation of MAESTRO’s concern with AI-enabled adversarial capability acceleration. Security architects designing AI-assisted development environments should consider whether their tooling could be abused to lower barriers for malicious code adaptation, and implement appropriate controls on model access to sensitive exploit-relevant technical content.

The CSA AI Organizational Responsibilities guidance is applicable to organizations managing high-risk user populations on iOS devices. The guidance emphasizes that AI-capable threat actors require organizations to systematically reassess their threat models and update mobile device management policies accordingly. The Zero Trust guidance published by CSA is directly applicable to the credential and session theft enabled by DarkSword’s payload families: organizations that have implemented continuous verification and device health attestation as conditions of access will be better positioned to detect and contain the downstream consequences of a successful iOS compromise, even when the device-level exploit itself cannot be detected in real time. Given that AICM supersedes CCM as the recommended framework for AI-influenced environments, organizations should specifically review AICM’s controls addressing AI-augmented threat capabilities in their mobile security posture assessments. The AICM domains covering endpoint security, identity and access management, and incident response provide a structured control framework for addressing the organizational gaps that DarkSword’s exfiltration of keychain data, session cookies, and cloud application credentials can exploit.


References

[1] Google Threat Intelligence Group (GTIG), “The Proliferation of DarkSword,” Google Cloud Blog, March 18, 2026. https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain

[2] iVerify, “iVerify Details DarkSword: Second Mass Attack Against iOS Disclosed in Two Weeks,” Press Release, March 18, 2026. https://iverify.io/press-releases/iverify-details-darksword-second-mass-attack-against-ios-disclosed-in-two-weeks

[3] Lookout Threat Intelligence, “Attackers Wielding DarkSword Threaten iOS Users,” Lookout, March 18, 2026. https://www.lookout.com/threat-intelligence/article/darksword

[4] Lookout Threat Intelligence, “Attackers Wielding DarkSword Threaten iOS Users,” Lookout, March 18, 2026. https://www.lookout.com/threat-intelligence/article/darksword (same article as [3]; technical details on JavaScript delivery, C2 infrastructure, daemon injection, and dwell-time behavior are drawn from this source)

[5] SiliconANGLE, “Researchers Discover Zero-Day DarkSword Exploit Chain for iOS 18,” March 18, 2026. https://siliconangle.com/2026/03/18/researchers-discover-zero-day-darksword-exploit-chain-ios-18/

[6] The Register, “DarkSword Exploit Kit Steals iPhone Data,” March 18, 2026. https://www.theregister.com/2026/03/18/darksword_exploit_kit_steals_iphone/

[7] CyberScoop, “Second iOS Exploit Kit Emerges from Suspected Russian Hackers Using Possible U.S. Government-Developed Tools,” March 18, 2026. https://cyberscoop.com/second-ios-exploit-kit-emerges-from-suspected-russian-hackers-using-possible-u-s-government-developed-tools/

[8] Google GTIG / Threat Analysis Group, “Intellexa Zero-Day Exploits Continue,” Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue; SecurityAffairs, “APT29 Reused NSO Group and Intellexa Mobile Exploits,” https://securityaffairs.com/167797/apt/apt29-nso-group-and-intellexa-mobile-exploits.html

[9] Citizen Lab, “First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted,” 2025. https://citizenlab.ca/research/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted/

[10] Axios, “NSO Group Ordered to Pay $167 Million in WhatsApp Spyware Case,” May 6, 2025. https://www.axios.com/2025/05/06/nso-group-whatsapp-jury-damages

[11] Apple, “iOS 26.3 Security Content,” Apple Support, February 11, 2026. https://support.apple.com/en-us/126346; SecurityWeek, “Apple Patches iOS Zero-Day Exploited in Extremely Sophisticated Attack.” https://www.securityweek.com/apple-patches-ios-zero-day-exploited-in-extremely-sophisticated-attack/

[12] CPO Magazine, “Apple Patches Ancient Zero-Day Vulnerability Present in iOS for Nearly Two Decades.” https://www.cpomagazine.com/cyber-security/apple-patches-ancient-zero-day-vulnerability-present-in-ios-for-nearly-two-decades/; Help Net Security, “CVE-2026-20700,” February 12, 2026. https://www.helpnetsecurity.com/2026/02/12/apple-zero-day-fixed-cve-2026-20700/

[13] CISA Known Exploited Vulnerabilities Catalog, CVE-2026-20700, remediation deadline March 5, 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog; SOC Prime, “CVE-2026-20700 Vulnerability.” https://socprime.com/blog/cve-2026-20700-vulnerability/

[14] Apple Support, “About Apple Threat Notifications and Protecting Against Mercenary Spyware.” https://support.apple.com/en-us/102174

[15] iVerify, “So You’ve Got an Apple Threat Notification — What Now?” https://iverify.io/blog/so-you-ve-got-an-apple-threat-notification-what-now

Additional Sources

The following sources were consulted during research and provide additional coverage of DarkSword and its context. They are not directly cited inline but support the overall analytical picture.

[16] The Hacker News, “DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days,” March 18, 2026. https://thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html

[17] TechCrunch, “Russians Caught Stealing Personal Data from Ukrainians with New Advanced iPhone Hacking Tools,” March 18, 2026. https://techcrunch.com/2026/03/18/russians-caught-stealing-personal-data-from-ukrainians-with-new-advanced-iphone-hacking-tools/

[18] Dark Reading, “DarkSword iPhone Exploit Serves Spies and Thieves,” March 18, 2026. https://www.darkreading.com/threat-intelligence/darksword-iphone-exploit-spies-thieves

[19] BleepingComputer, “New DarkSword iOS Exploit Used in Infostealer Attack on iPhones,” March 18, 2026. https://www.bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/

[20] NVD, CVE-2025-43529. https://nvd.nist.gov/vuln/detail/CVE-2025-43529; Apple, iOS 18.7.3 Security Content. https://support.apple.com/en-us/125885

[21] Amnesty International Security Lab, “Intellexa Leaks: Predator Spyware Operations Exposed,” December 2025. https://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/

[22] SecurityWeek, “DarkSword iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors,” March 18, 2026. https://www.securityweek.com/darksword-ios-exploit-kit-used-by-state-sponsored-hackers-spyware-vendors/
