DarkSword zero‑click chain
A new 'DarkSword' exploit chain targets iOS 18.4–18.7, enabling zero‑click data extraction via compromised websites and posing a system‑level data exfiltration risk for affected devices. The proof‑of‑concept surfaced in social channels and underscores urgent patching and permissions reviews for sensitive apps. (x.com)
Google’s Threat Intelligence Group attributes the framework to a single chain that leverages six distinct vulnerabilities and drops three final‑stage payload families labeled GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. (cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain) GTIG traces operational use of DarkSword back to at least November 2025, with observed deployments against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. (cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain)
Published technical reconciliations list the exploited CVEs as CVE‑2026‑20700, CVE‑2025‑43529, CVE‑2025‑14174 (reported as zero‑days) alongside CVE‑2025‑31277, CVE‑2025‑43510, and CVE‑2025‑43520, and map those fixes across iOS 18.x and iOS 26.x security updates. (thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html)
GTIG’s delivery analysis identifies watering‑hole pages that chain multiple JavaScript stages (including a Snapchat‑themed landing page “snapshare.chat” that sets session storage keys and creates iframes) to fetch later exploit stages. (cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain)
Binance Wallet and industry reporting link DarkSword activity to targeted theft of crypto‑related credentials and note final payload behavior such as exfiltration of SMS/iMessage data and Wi‑Fi credentials and self‑erasure routines attributed to variants like GHOSTBLADE. (binance.com/en/square/post/03-20-2026-ios-users-urged-to-update-amid-critical-security-vulnerability-303653344265026 / bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones)
Google added delivery domains to Safe Browsing, GTIG reported the flaws to Apple in late 2025, and Apple’s security bulletins show fixes rolled into iOS 18.7.x and the iOS 26.3 family of updates alongside background security patches for WebKit. (cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain / support.apple.com/en-us/125885 / support.apple.com/en-us/126346)