TechFlow news: On March 20, the Google Threat Intelligence Group (GTIG) reported that it has discovered a full iOS exploit chain named DarkSword. The chain leverages six vulnerabilities, including multiple zero-days, to achieve complete device compromise. Since November 2025, it has been deployed by multiple commercial surveillance vendors and suspected state-sponsored threat actors in targeted attacks against users in Saudi Arabia, Turkey, Malaysia, and Ukraine.
DarkSword supports iOS versions 18.4 through 18.7. Upon successful compromise, attackers can deploy three types of malware—GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER—all written in JavaScript. These payloads are capable of stealing communication logs, location history, browser data, and cryptocurrency wallet data, as well as recording audio, capturing screenshots, and executing backdoor commands.
GTIG reported these vulnerabilities to Apple at the end of 2025; all vulnerabilities have since been patched in iOS 26.3. The associated domains have been added to Google Safe Browsing’s protection list. Users are advised to immediately update to the latest iOS version.




