Critical iOS 'DarkSword' exploit alert
Security researchers warned of a critical iOS exploit dubbed 'DarkSword' affecting iOS 18.4–18.7 that enables zero‑click data theft — device updates were strongly urged. For platform and security teams, it's a reminder that an aggressive patch cadence and silent mitigations are operational necessities (x.com).
Google’s Threat Intelligence Group says DarkSword is a full-chain iOS exploit first observed in November 2025 that chains six distinct vulnerabilities—including three zero‑days—to silently compromise devices and deploy three final‑stage families named GHOSTBLADE, GHOSTKNIFE and GHOSTSABER. (cloud.google.com) GTIG traced active DarkSword deployments to multiple actors and four target countries—Saudi Arabia, Turkey, Malaysia and Ukraine—and reported the vulnerabilities to Apple in late 2025. (cloud.google.com) Security coverage noted that many devices still on iOS 18 left large exposure: outlets reporting researcher estimates flagged roughly 270 million devices still running iOS 18, while GTIG says DarkSword specifically targets iOS 18.4–18.7. (xda-developers.com) Google’s advisory states the issues were addressed as part of iOS 26.3 and that Apple published fixes for iOS 18 via point releases such as iOS 18.7.3 in its security‑content notes. (cloud.google.com) Analysts and vendors say GHOSTBLADE focuses on extracting wallet seed phrases, wallet database files and session credentials and exfiltrates that data to attacker‑controlled servers before executing cleanup routines. (thecoinomist.com) GTIG added DarkSword delivery domains to Safe Browsing and Apple’s Background Security Improvements mechanism—introduced for iOS 26.x to deliver between‑release mitigations—was highlighted as an operational lever for devices that cannot immediately install major updates. (cloud.google.com)
