New iPhone exploit toolkits
Researchers confirmed two sophisticated iPhone attack toolkits—DarkSword and Karuna—are being used to exfiltrate passwords, photos, messages and crypto, with DarkSword actively targeting iOS users via compromised web content. ( )
Google’s Threat Intelligence Group published a coordinated analysis of the DarkSword iOS exploit chain alongside Lookout Threat Labs and iVerify on March 18, 2026. (cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain) DarkSword targets iOS 18 releases (officially supported across 18.4–18.7 with some variants limited to 18.4–18.6.2) and researchers identified three final-stage malware families deployed by the chain named GHOSTBLADE, GHOSTKNIFE and GHOSTSABER. (cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain) The exploit chain leverages six tracked CVEs — CVE‑2025‑31277, CVE‑2025‑43529, CVE‑2026‑20700, CVE‑2025‑14174, CVE‑2025‑43510 and CVE‑2025‑43520 — which researchers say were used as zero‑days prior to being fixed. (bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/) Delivery is browser‑based: the chain is invoked from malicious iframes on compromised web pages, runs as a largely “fileless” JavaScript orchestrator (pe_main.js) and injects a JavaScript engine into privileged iOS services to obtain kernel read/write and execute data‑stealing modules. (bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/) GTIG traced DarkSword’s use to multiple actors including a suspected Russian espionage cluster tracked as UNC6353 and observed campaigns in Saudi Arabia, Turkey, Malaysia and Ukraine, and researchers report infrastructure overlap between DarkSword and the earlier Coruna exploit kit. (cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain) iVerify estimated as many as 270 million iPhones running iOS 18 could be in the affected cohort. (iverify.io/press-releases/iverify-details-darksword-second-mass-attack-against-ios-disclosed-in-two-weeks) Apple developer statistics place roughly 24% of devices on some iOS 18 build, and GTIG/partners note the vulnerabilities were patched in iOS 26 (with researchers recommending updating to iOS 26 or enabling Lockdown Mode where updates aren’t possible). (www.engadget.com/cybersecurity/a-new-iphone-hacking-tool-puts-some-ios-18-users-at-risk-203745666.html)
