DarkSword iOS Zero-Day Chain Uses 3 Zero-Days and 6 CVEs for Full Device Takeover

Researchers have uncovered a powerful iOS exploit kit that can hijack iPhones and siphon private data. Google Threat Intelligence Group, iVerify, and Lookout published coordinated findings about the toolkit named DarkSword.

The kit has been in use since at least November 2025, researchers said. Google and Lookout tied the campaigns to multiple actors, including a group tracked as UNC6353, a suspected Russian-linked espionage actor, and other operators that include UNC6748 and a Turkish vendor named PARS Defense.

DarkSword attacks start when a user visits a compromised web page in Safari. Lookout said the page loads an invisible iframe with JavaScript that fingerprints the device. If the page finds a matching iOS version the chain runs. The result can be a full escape from the browser sandbox and privileged code execution on the device.
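The delivery stage described above depends on an invisible iframe injected into an otherwise legitimate page. Site owners and incident responders can audit their own HTML for that pattern; the following is an added example (not code from any of the research teams) that flags iframes hidden by inline style, by the `hidden` attribute, or by 1x1 dimensions, using only the Python standard library. The sample HTML and hostnames are constructed for illustration.

```python
"""Flag visually hidden <iframe> elements in an HTML document.

Defender-side check for a watering-hole injection of the kind described
in the article. Added example; the SAMPLE document and its hostnames are
constructed placeholders, not real indicators."""
import re
from html.parser import HTMLParser

# Inline-style tricks that hide a frame from the user while it still loads.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:width|height)\s*:\s*0(?:px)?\b|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


class IframeAuditor(HTMLParser):
    """Collect every <iframe> and record why it looks hidden, if it does."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden via style")
        if "hidden" in a:  # boolean attribute, value is None
            reasons.append("hidden attribute")
        for dim in ("width", "height"):
            v = (a.get(dim) or "").strip().rstrip("px")
            if v.isdigit() and int(v) <= 1:  # 0x0 or 1x1 tracking-pixel size
                reasons.append(f"{dim}={v}")
        self.findings.append(
            {"src": a.get("src", ""), "hidden": bool(reasons), "reasons": reasons}
        )


def audit_html(html):
    """Return one finding dict per iframe in the document."""
    parser = IframeAuditor()
    parser.feed(html)
    return parser.findings


def hidden_iframes(html):
    """Only the iframes that should be reviewed by a human."""
    return [f for f in audit_html(html) if f["hidden"]]


# Constructed sample: one legitimate video embed and two hidden frames.
SAMPLE = """<html><body><h1>News</h1>
<iframe src="https://video.example.invalid/embed" width="640" height="360"></iframe>
<iframe src="https://cdn-stats.example.invalid/f.html" style="position:absolute;left:-9999px;width:0;height:0"></iframe>
<iframe src="https://tracker.example.invalid/a" width="1" height="1" hidden></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in hidden_iframes(SAMPLE):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it over pages fetched from your own site (or from a crawl snapshot) and diff the results against a known-good baseline; a newly appearing hidden frame pointing at an unfamiliar host is the signal to investigate.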

How the exploit chain works

Researchers at Google, iVerify, and Lookout found DarkSword uses six distinct vulnerabilities and deploys three payloads. The teams said three of those flaws were exploited as zero-days before Apple issued fixes.

  • Zero-days exploited, as reported by the teams: CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174.
  • Other flaws in the chain include CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520.
  • Google said Apple patched the vulnerabilities across iOS 18 and iOS 26 releases, with the final fixes included in iOS 26.3.

The technical path is clear. iVerify explained that DarkSword weaponizes JavaScriptCore just-in-time compilation bugs in the Safari renderer to gain remote code execution. The chain then escapes the browser by abusing the GPU process and a media system daemon called mediaplaybackd. Lookout said a follow-on module named GHOSTBLADE then harvests sensitive files and secrets.

Lookout listed the data targeted. It includes emails, iCloud Drive files, contacts, SMS, Safari cookies, passwords, call logs, WiFi credentials, photos, location history, calendar entries, and data from apps such as Telegram and WhatsApp. Lookout said DarkSword also specifically targets a range of cryptocurrency wallet apps.

Who is using DarkSword and why it matters

The researchers tied DarkSword to multiple campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine. iVerify warned the attacks are not narrowly targeted. “For the second time in a month, threat actors have employed waterhole attacks to target iPhone users,” iVerify said. iVerify estimated up to 270 million iPhone users could be vulnerable across affected iOS versions.

Lookout noted a mix of motives. “DarkSword aims to extract an extensive set of personal information, including credentials from the device and specifically targets a plethora of crypto wallet apps, hinting at a financially motivated threat actor,” Lookout said. Justin Albrecht, Lookout’s global director for mobile threat intelligence, told reporters that the kits show both financial theft and surveillance capabilities. “They’re probably well funded, probably well connected, but it’s confirmed that they’re stealing crypto,” Albrecht said.

At the same time, the research teams warned that these exploit chains are readily traded. GTIG said the use of DarkSword and the earlier Coruna kit demonstrates “the ongoing risk of exploit proliferation across actors of varying geography and motivation.” Lookout and iVerify highlighted a thriving secondary market for high quality iOS exploits that lowers the bar for attackers.

What users and defenders should do

The researchers said Apple has issued patches. Google and the other teams reported the vulnerabilities to Apple and recommended immediate updates. Lookout emphasized the kit clears traces quickly after exfiltration, so detection windows are short. “This malware is highly sophisticated and appears to be a professionally designed platform,” Lookout said, urging rapid patching and careful review of accounts, wallets, and backups.

In short, keep devices updated and treat unexpected prompts or unusual website redirects as high risk. The discoveries show iPhones remain attractive targets when exploits are available for sale.