DarkSword Malware

Google Threat Intelligence Group has identified DarkSword, a sophisticated iOS exploit chain utilizing six zero-day vulnerabilities to compromise devices across multiple countries since at least November 2025.

Key Points

  • DarkSword targets iOS versions 18.4 through 18.7 to deploy GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER malware families.
  • The exploit has been utilized by commercial surveillance vendors and state-sponsored actors in Saudi Arabia, Turkey, Malaysia, and Ukraine.
  • The Russian espionage group UNC6353 has incorporated the exploit into its ongoing watering hole campaigns.
  • A version of the exploit leaked publicly one week after its initial discovery, leading to broader unauthorized use.
  • Security researchers confirm that users who maintain regular software updates are currently protected against these specific vulnerabilities.

Why it Matters

The widespread availability of this exploit chain highlights the increasing risk posed by the proliferation of high-end surveillance tools among diverse threat actors. Regular patching remains the primary defense for users against these sophisticated, government-grade cyber threats.
Schneier.com Published by Bruce Schneier