GHOSTBLADE iOS exploit
A full‑chain, one‑click exploit targeting iOS 18–18.7 bundled with a 'GHOSTBLADE' stealer is being offered on cybercrime forums for about $50,000. The advertised chain reportedly combines a Safari remote code execution, sandbox escapes and kernel escalation, and is claimed to be able to exfiltrate SMS, Keychain, iCloud data and crypto wallets (x.com).
An iPhone exploit chain that can turn one booby-trapped website visit into full device compromise is now tied to a stealer called GHOSTBLADE. (cloud.google.com) Google Threat Intelligence Group disclosed the broader chain, called DarkSword, on March 18, 2026 and said it had been used since at least November 2025 by multiple actors. The researchers said DarkSword supports iOS 18.4 through 18.7 and deploys three payload families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. (cloud.google.com)
In plain terms, a full-chain exploit is a stack of bugs that starts in the browser, breaks out of the app’s fenced area, and then grabs system-level control. Google and BleepingComputer said DarkSword combines six flaws spanning Safari and iOS to deliver remote code execution, sandbox escape, and kernel privilege escalation. (cloud.google.com, bleepingcomputer.com)
GHOSTBLADE is the grab-and-run part of that chain. Malwarebytes said the JavaScript stealer can pull SMS and iMessage data, call history, contacts, Wi‑Fi credentials, Safari data, location, notes, photos, iCloud Drive files, emails, saved passwords, and chat history from Telegram and WhatsApp. (malwarebytes.com) The same Malwarebytes report said GHOSTBLADE also hunts for cryptocurrency exchange and wallet apps including Coinbase, Binance, Kraken, MetaMask, Exodus, Uniswap, Phantom, Ledger, and Trezor. Lookout said the operation appears built for “hit-and-run” theft, with data exfiltration happening within seconds or minutes before cleanup. (malwarebytes.com, lookout.com)
Google said the chain has shown up in campaigns in Saudi Arabia, Turkey, Malaysia, and Ukraine. BleepingComputer said one Saudi campaign used a Snapchat-themed site, while Google said suspected Russian group UNC6353 later incorporated DarkSword into watering-hole attacks against Ukrainian targets. (cloud.google.com, bleepingcomputer.com)
The researchers also tied DarkSword to commercial surveillance activity, not just government-linked espionage. Google said it observed commercial surveillance vendors and suspected state-sponsored actors using the same exploit chain, and Lookout said the case points to a second-hand market for top-tier mobile exploits. (cloud.google.com, lookout.com)
Apple says the fixes are already out. Apple’s security advisory for iOS 18.7.7, released March 24, 2026, says the update was expanded to more devices on April 1, 2026 so users with Automatic Updates can receive protections from web attacks called DarkSword. (support.apple.com) Lookout said devices on iOS 18.7.3 or later on the iOS 18 branch, and iOS 26.3 or later on the iOS 26 branch, are not susceptible to the vulnerabilities used by DarkSword. Apple said the DarkSword-related fixes first shipped in 2025, which means the immediate risk is concentrated in phones that stayed behind on older builds. (lookout.com, support.apple.com)
That leaves the story in a familiar place for iPhone security: the hardest part is no longer finding the patch, but getting every device onto it before one malicious page does the rest. (support.apple.com, cloud.google.com)
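For teams that need to find the phones still behind, the following added example (not code from Apple, Google, Lookout or any other cited source) triages a device inventory against the fixed-version thresholds Lookout gave and the 18.4 through 18.7 range Google reported. The CSV column names, device IDs and status labels are assumptions made for illustration, and the inventory rows are constructed sample data.

```python
import csv
import io

# Thresholds quoted on this page (Lookout): first non-susceptible release per branch.
FIXED = {18: (18, 7, 3), 26: (26, 3, 0)}
# Lower bound of the range Google reported DarkSword as supporting (18.4 through 18.7).
CHAIN_MIN = (18, 4, 0)

def parse_version(text):
    """'18.7' -> (18, 7, 0); None for anything that is not 1-3 dotted integers."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version_text):
    """Status labels are this example's own, not vendor terminology."""
    v = parse_version(version_text)
    if v is None or v[0] not in FIXED:
        return "unknown"          # unparseable, or a branch the page says nothing about
    if v >= FIXED[v[0]]:
        return "fixed"
    if v[0] == 18 and v >= CHAIN_MIN:
        return "update-priority"  # inside the range the chain reportedly supports
    return "update"               # below the fixed build on a covered branch

# Constructed sample inventory (hypothetical MDM export; column names are assumptions).
SAMPLE = """device_id,os_version
ipad-001,18.7.3
iphone-002,18.6.2
iphone-003,18.7
iphone-004,26.2
iphone-005,26.3.1
iphone-006,17.7.2
iphone-007,18.3.1
iphone-008,beta
"""

def triage(csv_text):
    """Map each device_id in the CSV text to its status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: classify(r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE).items():
        print(f"{device:12} {status}")
```

Devices reported as "unknown" need a manual check against Apple's advisories, since the thresholds on this page only cover the iOS 18 and iOS 26 branches.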