DarkSword Advisory
SEVERITY: CRITICAL | MALAYSIA IS A CONFIRMED TARGET COUNTRY
DarkSword iOS Exploit Kit
Security Advisory — 20 March 2026
Sources: Google GTIG, Lookout, iVerify, Malwarebytes
• • •
Overview
DarkSword is a full-chain iOS exploit kit written entirely in JavaScript that targets iPhones running iOS 18.4 through 18.7. It chains six vulnerabilities — three of which were exploited as zero-days — to achieve remote code execution, sandbox escape, privilege escalation, and complete device compromise.
The attack requires only that the victim visits a compromised or malicious website using Safari or any iOS browser. DarkSword adopts a “hit-and-run” approach: it exfiltrates all targeted data within seconds to minutes, then cleans up traces and exits the device.
This is the second major iOS exploit kit discovered in the span of one month, following Coruna. Researchers estimate that approximately 14.2% of iPhone users worldwide (roughly 221 million devices) remain vulnerable.
• • •
Vulnerabilities Exploited
DarkSword chains the following six CVEs:
| CVE | Component | Impact | Patched In |
|---|---|---|---|
| CVE-2025-31277 | JavaScriptCore (JIT) | RCE (iOS <18.6) | iOS 18.6 |
| CVE-2025-43529 | JavaScriptCore (DFG JIT) | RCE (iOS 18.6–18.7) | iOS 18.7.3 / 26.2 |
| CVE-2026-20700 | dyld (Dynamic Linker) | PAC bypass, code exec | iOS 26.3 |
| CVE-2025-14174 | ANGLE (WebGPU) | Sandbox escape | iOS 18.7.3 / 26.2 |
| CVE-2025-43510 | iOS Kernel | Privilege escalation | iOS 18.7.2 / 26.1 |
| CVE-2025-43520 | iOS Kernel | Privilege escalation | iOS 18.7.2 / 26.1 |
• • •
How the Attack Works
Stage 1 — Entry (Safari/WebKit)
A malicious iframe is injected into a compromised website. When an iPhone loads the page, DarkSword selects the appropriate JavaScriptCore JIT exploit based on the detected iOS version to achieve remote code execution in the WebContent process.
Stage 2 — Sandbox Escape
The exploit pivots from the WebContent sandbox into the GPU process via CVE-2025-14174 (ANGLE/WebGPU), then escapes into mediaplaybackd.
Stage 3 — Kernel Access
Kernel vulnerabilities CVE-2025-43510 and CVE-2025-43520 are exploited to obtain kernel read/write primitives, modify sandbox restrictions, and gain access to privileged processes.
Stage 4 — Data Exfiltration
A JavaScript orchestrator (pe_main.js) injects a JS engine into privileged iOS services (Keychain, iCloud, Springboard, Wi-Fi) and activates data-stealing modules that collect and transmit targeted data to the attacker’s server.
• • •
Threat Actors Using DarkSword
• UNC6748: Targeted Saudi Arabian users via a fake Snapchat-themed website (November 2025).
• PARS Defense (Turkish surveillance vendor): Deployed by different customers against targets in Turkey (November 2025) and Malaysia (January 2026), using encrypted exploit delivery with ECDH+AES and obfuscated loaders.
• UNC6353 (suspected Russian, financially motivated): Conducted watering hole attacks on Ukrainian government and news websites from December 2025 through March 2026, deploying the GHOSTBLADE infostealer. Server-side code contained LLM-generated comments, indicating AI-assisted development.
• • •
Data Targeted for Exfiltration
Once the device is compromised, DarkSword targets the following:
• Passwords, credentials, and Keychain data
• iCloud Drive files and email
• WhatsApp and Telegram message histories
• SMS, contacts, and call history
• Safari browsing history, cookies, and saved passwords
• Cryptocurrency wallet and exchange app data
• Photos, calendar, Apple Notes, and Apple Health data
• Wi-Fi configuration and saved passwords
• Location history and installed app list
• • •
Recommended Actions
1. Update iOS immediately to version 26.3.1 or 18.7.6. These are the latest versions that patch all six vulnerabilities in the DarkSword chain.
2. Enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode). This disables JIT compilation in JavaScriptCore, which neutralises the initial RCE entry point used by DarkSword.
3. Verify update status of all iPhones within your organisation or household. iVerify estimates over 221 million devices worldwide remain unpatched.
4. Monitor for indicators of compromise. Check for unusual data usage spikes, unexpected app behaviour, or unfamiliar configuration profiles.
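To support action 3, the following Python script (an added example, not part of the advisory or any vendor tool) triages a constructed iPhone inventory against the patch table above and reports which DarkSword CVEs each device still lacks a fix for; it assumes a later major iOS line carries fixes listed for an earlier one, and uses the advisory's recommended 18.7.6 as the 18.x fix level for CVE-2026-20700, which the table lists only for 26.3.

```python
# Added example: check reported iOS versions against the DarkSword patch table.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fix versions per CVE from the advisory's table. A device counts as patched if
# it runs at/above the fix for its own major line, or a later major line than a
# listed fix (assumption: later lines carry the fix).
FIXED_IN: Dict[str, List[Version]] = {
    "CVE-2025-31277": [(18, 6)],
    "CVE-2025-43529": [(18, 7, 3), (26, 2)],
    # Table lists only 26.3; 18.7.6 is the advisory's recommended 18.x minimum
    # and is used as the 18.x fix level here (assumption).
    "CVE-2026-20700": [(18, 7, 6), (26, 3)],
    "CVE-2025-14174": [(18, 7, 3), (26, 2)],
    "CVE-2025-43510": [(18, 7, 2), (26, 1)],
    "CVE-2025-43520": [(18, 7, 2), (26, 1)],
}

def parse_version(text: str) -> Version:
    """'18.7' -> (18, 7, 0): pad to three parts so tuple comparison is exact."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def is_patched(version: Version, fixes: List[Version]) -> bool:
    padded = [f + (0,) * (3 - len(f)) for f in fixes]
    candidates = [f for f in padded if f[0] <= version[0]]
    if not candidates:
        return False  # no fix listed for this or an earlier line: be conservative
    fix = max(candidates)
    return fix[0] < version[0] or version >= fix

def unpatched_cves(version_text: str) -> List[str]:
    v = parse_version(version_text)
    return [cve for cve, fixes in FIXED_IN.items() if not is_patched(v, fixes)]

def in_darksword_target_range(version_text: str) -> bool:
    """The kit's JIT entry exploits target iOS 18.4 through 18.7.x."""
    return (18, 4, 0) <= parse_version(version_text) < (18, 8, 0)

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Device label -> DarkSword-chain CVEs still unpatched on that device."""
    return {name: unpatched_cves(ver) for name, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory (device label -> reported iOS version).
    SAMPLE = {"ceo-iphone": "18.7.1", "finance-01": "18.7.6",
              "press-02": "26.1", "hr-03": "26.3.1"}
    for name, cves in triage(SAMPLE).items():
        status = "UNPATCHED: " + ", ".join(cves) if cves else "OK"
        print(f"{name} ({SAMPLE[name]}): {status}")
```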
About Lockdown Mode
Lockdown Mode is Apple’s extreme protection feature designed for users at high risk of targeted attacks. It disables JIT compilation in Safari (the exact attack surface DarkSword depends on), blocks most incoming message attachment types, restricts FaceTime from unknown contacts, and limits other features.
To enable: Settings → Privacy & Security → Lockdown Mode → Turn On. The device will restart.
Trade-offs include slightly slower web browsing, some websites may not render fully, and certain media features are restricted. For users in high-risk environments, these trade-offs are warranted.
• • •
Sources
• Google Threat Intelligence Group — “The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors” (19 Mar 2026)
• Lookout Threat Labs — “Attackers Wielding DarkSword Threaten iOS Users” (18 Mar 2026)
• iVerify — DarkSword analysis and impact assessment (18 Mar 2026)
• Harian Metro / MCMC — Advisory on iOS security update (20 Mar 2026)
• • •
My God, You are my goal and Your pleasure is what I seek;
grant me Your love and Your knowledge.
Prepared by TXIO Fusion Solutions
This advisory is prepared for informational sharing purposes. Always verify patch status on your own devices. For the latest iOS updates, visit Settings → General → Software Update.