DarkSword iOS Exploit Chain

Security researchers flagged 'DarkSword', a six‑zero‑day exploit chain targeting iOS 18.4–18.7, prompting urgent calls to update outdated devices to close the attack surface. The exploit cluster matters for any app or backend that handles sensitive user data or crypto wallets on iOS. (x.com)

Google’s Threat Intelligence Group coordinated disclosure with Lookout and iVerify and traced active use of the toolkit back to November 2025 in multiple, distinct campaigns. (cloud.google.com) Delivery infrastructure included watering‑hole webpages that loaded obfuscated JavaScript and IFrames to drop final‑stage payloads, with researchers characterizing the attacks as “hit‑and‑run” exfiltration that cleans up after execution. (cloud.google.com)

Analysts identified three final‑stage malware families used after successful exploitation (GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER) and attributed deployments to operators including the cluster Google labels UNC6353. (cloud.google.com) Industry estimates put the global population of devices still running the vulnerable OS branch between roughly 220 million and 270 million, creating a large remaining attack surface according to iVerify and partner reporting. (iverify.io)

GTIG reported the underlying vulnerabilities to Apple in late 2025 and researchers say Apple’s subsequent security releases and Background Security Improvements (including the iOS 26.3/26.3.1(a) cycle) addressed the flaws. (cloud.google.com) Investigators found shared infrastructure with the earlier Coruna kit and signs that large language models were used to customize both exploit stacks, prompting GTIG to add delivery domains to Safe Browsing and to recommend mitigations for unpatchable devices. (cloud.google.com)
