DarkSword Advisory EN
SEVERITY: CRITICAL | MALAYSIA IS A CONFIRMED TARGET COUNTRY
DarkSword iOS Exploit Kit
Security Advisory | 20 March 2026 | Sources: Google GTIG, Lookout, iVerify, Malwarebytes
Overview
DarkSword is a full-chain iOS exploit kit written entirely in JavaScript that targets iPhones running iOS 18.4
through 18.7. It chains six vulnerabilities — three of which were exploited as zero-days — to achieve
remote code execution, sandbox escape, privilege escalation, and complete device compromise.
The attack requires only that the victim visits a compromised or malicious website using Safari or any iOS
browser. DarkSword adopts a "hit-and-run" approach: it exfiltrates all targeted data within seconds to
minutes, then cleans up traces and exits the device.
This is the second major iOS exploit kit discovered in the span of one month, following Coruna.
Researchers estimate that approximately 14.2% of iPhone users worldwide (roughly 221 million devices)
remain vulnerable.
Vulnerabilities Exploited
DarkSword chains the following six CVEs:
| CVE | Component | Impact | Patched In |
|---|---|---|---|
| CVE-2025-31277 | JavaScriptCore (JIT) | RCE (iOS <18.6) | iOS 18.6 |
| CVE-2025-43529 | JavaScriptCore (DFG JIT) | RCE (iOS 18.6–18.7) | iOS 18.7.3 / 26.2 |
| CVE-2026-20700 | dyld (Dynamic Linker) | PAC bypass, code exec | iOS 26.3 |
| CVE-2025-14174 | ANGLE (WebGPU) | Sandbox escape | iOS 18.7.3 / 26.2 |
| CVE-2025-43510 | iOS Kernel | Privilege escalation | iOS 18.7.2 / 26.1 |
| CVE-2025-43520 | iOS Kernel | Privilege escalation | iOS 18.7.2 / 26.1 |
How the Attack Works
Stage 1 — Entry (Safari/WebKit): A malicious iframe is injected into a compromised website. When an
iPhone loads the page, DarkSword selects the appropriate JavaScriptCore JIT exploit based on the
detected iOS version to achieve remote code execution in the WebContent process.
Stage 2 — Sandbox Escape: The exploit pivots from the WebContent sandbox into the GPU process via
CVE-2025-14174 (ANGLE/WebGPU), then escapes into mediaplaybackd.
Stage 3 — Kernel Access: Kernel vulnerabilities CVE-2025-43510 and CVE-2025-43520 are exploited to
obtain kernel read/write primitives, modify sandbox restrictions, and gain access to privileged processes.
Stage 4 — Data Exfiltration: A JavaScript orchestrator (pe_main.js) injects a JS engine into privileged
iOS services (Keychain, iCloud, Springboard, Wi-Fi) and activates data-stealing modules that collect and
transmit targeted data to the attacker’s server.
Threat Actors Using DarkSword
UNC6748 — Targeted Saudi Arabian users via a fake Snapchat-themed website (November 2025).
PARS Defense (Turkish surveillance vendor) — Deployed by different customers against targets in
Turkey (November 2025) and Malaysia (January 2026), using encrypted exploit delivery with ECDH+AES
and obfuscated loaders.
UNC6353 (suspected Russian, financially motivated) — Conducted watering hole attacks on Ukrainian
government and news websites from December 2025 through March 2026, deploying the GHOSTBLADE
infostealer. Server-side code contained LLM-generated comments, indicating AI-assisted development.
MALAYSIA TARGETING: In January 2026, Google Threat Intelligence Group observed DarkSword
activity in Malaysia associated with a PARS Defense customer. The loader included additional device
fingerprinting logic. This confirmed exploitation activity on Malaysian soil is what prompted MCMC’s
advisory urging immediate iOS updates.
Data Targeted for Exfiltration
Once the device is compromised, DarkSword targets the following:
• Passwords, credentials, and Keychain data
• iCloud Drive files and email
• WhatsApp and Telegram message histories
• SMS, contacts, and call history
• Safari browsing history, cookies, and saved passwords
• Cryptocurrency wallet and exchange app data
• Photos, calendar, Apple Notes, and Apple Health data
• Wi-Fi configuration and saved passwords
• Location history and installed app list
Recommended Actions
1. Update iOS immediately to version 26.3.1 or 18.7.6. These are the latest versions that patch all
six vulnerabilities in the DarkSword chain.
2. Enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode). This disables JIT
compilation in JavaScriptCore, which neutralises the initial RCE entry point used by DarkSword.
3. Verify update status of all iPhones within your organisation or household. iVerify estimates over
221 million devices worldwide remain unpatched.
4. Monitor for indicators of compromise. Check for unusual data usage spikes, unexpected app
behaviour, or unfamiliar configuration profiles.
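Triaging a device inventory against the patch baseline above is the step most organisations need to script. The following is an added example, not code from the advisory or from any of the cited vendors. It assumes an MDM export with one device per line in the form `device_id,ios_version` (a constructed sample is embedded below) and applies only the version figures the advisory states: DarkSword targets iOS 18.4 through 18.7, and the fully patched versions are iOS 18.7.6 on the 18.x line and iOS 26.3.1 on the 26.x line. Devices on releases older than 18.4 are reported as "unpatched" rather than "vulnerable", because they fall outside the kit's stated target range but still lack the fixes.

```python
"""Classify an iOS device inventory against the DarkSword patch baseline.

Added example; not part of the advisory. Input format (device_id,ios_version)
and the sample inventory are assumptions constructed for illustration.
"""
from typing import Dict, List, Tuple

# Version figures taken from the advisory's "Recommended Actions" step 1.
PATCHED_18_LINE = (18, 7, 6)
PATCHED_26_LINE = (26, 3, 1)
# Lowest iOS release the advisory names as a DarkSword target.
TARGET_RANGE_START = (18, 4, 0)

# Constructed sample MDM export (hypothetical device ids and versions).
SAMPLE_INVENTORY = """device_id,ios_version
iphone-001,18.7.6
iphone-002,18.7.3
iphone-003,18.4
iphone-004,26.2
iphone-005,26.3.1
iphone-006,17.6.1
iphone-007,n/a
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.7' or '18.7.3' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised iOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' (in the 18.4-18.7 target range and
    below 18.7.6) or 'unpatched' (lacks the fixes but outside that range)."""
    v = parse_version(version)
    major = v[0]
    if major >= 26:
        # 26.0 to 26.3.0 still miss at least one fix in the chain.
        return "patched" if v >= PATCHED_26_LINE else "unpatched"
    if major == 18:
        if v >= PATCHED_18_LINE:
            return "patched"
        if v >= TARGET_RANGE_START:
            return "vulnerable"
    # Older releases: not named as a DarkSword target, but not fixed either.
    return "unpatched"


def triage_inventory(csv_text: str) -> Dict[str, List[str]]:
    """Group device ids by patch status; unparsable versions go to 'unknown'."""
    buckets: Dict[str, List[str]] = {
        "patched": [], "vulnerable": [], "unpatched": [], "unknown": []
    }
    for line in csv_text.strip().splitlines()[1:]:  # skip the header row
        device_id, _, version = line.partition(",")
        try:
            buckets[classify(version)].append(device_id)
        except ValueError:
            buckets["unknown"].append(device_id)
    return buckets


if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY)
    for status in ("vulnerable", "unpatched", "unknown", "patched"):
        print(f"{status:10s} {len(report[status]):3d}  {', '.join(report[status])}")
```

Run it against a real MDM export in place of `SAMPLE_INVENTORY`; the "vulnerable" bucket is the list to chase first, and "unknown" rows usually mean the device has not checked in and needs a manual look.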
About Lockdown Mode
Lockdown Mode is Apple’s extreme protection feature designed for users at high risk of targeted attacks. It
disables JIT compilation in Safari (the exact attack surface DarkSword depends on), blocks most incoming
message attachment types, restricts FaceTime from unknown contacts, and limits other features.
To enable: Settings → Privacy & Security → Lockdown Mode → Turn On. The device will restart.
Trade-offs include slightly slower web browsing, some websites may not render fully, and certain media
features are restricted. For users in high-risk environments, these trade-offs are warranted.
Note: Switching to Chrome, Firefox, or any other browser on iOS does NOT protect against DarkSword.
Apple requires all iOS browsers to use WebKit as their rendering engine. DarkSword exploits
JavaScriptCore (WebKit’s JavaScript engine), which is used by every browser on iOS without exception.
Sources
Google Threat Intelligence Group — "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors" (19 Mar 2026)
Lookout Threat Labs — "Attackers Wielding DarkSword Threaten iOS Users" (18 Mar 2026)
iVerify — DarkSword analysis and impact assessment (18 Mar 2026)
Harian Metro / MCMC — Advisory on iOS security update (20 Mar 2026)
This advisory is prepared for informational sharing purposes. Always verify patch status on your own devices. For the latest iOS
updates, visit Settings → General → Software Update.