DarkSword iOS exploit kit leaked

- Google Threat Intelligence Group and partners disclosed DarkSword on March 18, 2026, and public GitHub repositories later exposed reconstructed exploit-chain code, researchers said. (cloud.google.com)
- The exploit chain used six vulnerabilities against iOS 18.4 through 18.7, with three malware families named GHOSTBLADE, GHOSTKNIFE and GHOSTSABER. (cloud.google.com)
- Apple says users should update iPhones and iPads; older-device protections were extended in March and April 2026. (cloud.google.com)

Google Threat Intelligence Group disclosed DarkSword on March 18, 2026, as a full-chain iOS exploit used by multiple actors, including suspected state-linked operators, against targets in Saudi Arabia, Turkey, Malaysia and Ukraine. GTIG said the chain used multiple zero-days, supported iOS 18.4 through 18.7, and delivered three payload families: GHOSTBLADE, GHOSTKNIFE and GHOSTSABER. (cloud.google.com) Public GitHub repositories and later reporting showed reconstructed or dumped versions of the code circulating online after the disclosure, raising concern that tooling once associated with elite operators could spread more broadly.

### How did DarkSword first come to light?

March 18 is the key date because GTIG, Lookout and iVerify published coordinated research that tied DarkSword to active exploitation in the wild. (cloud.google.com) GTIG said it had observed several users of the chain since at least November 2025 and that the exploit had been used in distinct campaigns by commercial surveillance vendors and suspected state-sponsored actors. iVerify said its investigation centered on a watering-hole attack in Ukraine affecting iPhones running iOS 18.4 to 18.6.2, and said the campaign had the potential to affect up to 270 million devices. Lookout said the same likely Russian threat actor linked to the earlier Coruna chain had also deployed DarkSword against Ukrainian users. (cloud.google.com)

### What exactly leaked onto GitHub?

GitHub repositories that appeared after the March disclosure described themselves as “reconstruction” or “dump” versions of the DarkSword exploit chain. One repository said it was a “Webpack source code reconstruction,” while another was labeled a “DarkSword exploit chain dump.” Those postings matched broader reporting that a newer version of DarkSword had been published publicly on GitHub. (cloud.google.com) March 24 reporting by CyberScoop said researchers feared the GitHub leak could “democratize” iPhone exploitation. Allan Liska of Recorded Future said iPhone exploitation had largely been the realm of nation-states because of the cost and difficulty of building such tools, while iVerify co-founder Rocky Cole called the GitHub leak “extremely alarming.” (iverify.io)

### What does the exploit chain do on a phone?

GTIG said DarkSword is a full-chain exploit that uses six vulnerabilities to fully compromise devices. The group said the chain could deliver GHOSTBLADE, GHOSTKNIFE and GHOSTSABER after a successful compromise and that Apple had patched all vulnerabilities by iOS 26.3, with most fixed earlier. (github.com) Lookout said the chain gave attackers full access to a device with little to no user action beyond visiting a malicious site. It described a “hit-and-run” approach in which data was collected and exfiltrated within seconds or minutes, followed by cleanup. A GitHub indicators repository maintained by the Mobile Verification Toolkit project listed six CVEs associated with the chain. (cyberscoop.com)

### Which actors were linked to DarkSword?

GTIG named several users of the chain, including UNC6748, PARS Defense and UNC6353. GTIG described UNC6353 as a suspected Russian espionage group that had previously used Coruna and said it had incorporated DarkSword into watering-hole campaigns. (cloud.google.com) Lookout said the threat actor behind the Ukrainian targeting was “likely Russian.” TechCrunch reported on March 18 that researchers had linked the operation to a group suspected of working at least in part for the Russian government.

### What should iPhone users watch next?

Apple’s guidance now centers on updating devices. (lookout.com) GTIG said users should move to the latest iOS version and enable Lockdown Mode if an update is not possible. Apple said it released security updates for iOS 15 and iOS 16 on March 11, 2026, and expanded availability of iOS 18.7.7 on April 1, 2026, to push protections to more devices through Automatic Updates. (cloud.google.com) The next concrete places to watch are Apple’s security releases page, the GTIG DarkSword research page, and the MVT indicators repository, where researchers have posted CVEs, domains, IP addresses and file hashes tied to the chain. (support.apple.com) (cloud.google.com) (lookout.com)
