xiand.ai
Apr 5, 2026 · Updated 01:13 AM UTC
Cybersecurity

DarkSword Emerges: New iOS Exploit Chain Threatens iPhone Users Globally

A new iOS exploit kit dubbed "DarkSword" has recently been discovered. Attackers are using the tool to target users in specific regions to steal information, including cryptocurrency wallets, instant messaging records, and various sensitive data.

Xiandai

Deep Threat to iOS 18 Systems

A sophisticated iOS exploit kit named "DarkSword" was recently disclosed by mobile security researchers. According to a joint investigation by mobile security firm Lookout, Google Threat Intelligence Group (GTIG), and iVerify, the exploit chain primarily targets iPhones running iOS 18.4 through 18.7. Like the previously disclosed "Coruna" exploit chain, DarkSword is being used by multiple advanced persistent threat (APT) groups and commercial surveillance vendors to steal victims' private data.

Three Major Malware Families and Attack Methods

Investigations reveal that since November 2025, DarkSword has been used to deploy three primary malware families:

1. GHOSTBLADE: A JavaScript-based data harvester capable of stealing cryptocurrency wallet data, system information, browser history, photos, geolocation, and chat content from instant messaging tools such as iMessage, Telegram, and WhatsApp.

2. GHOSTKNIFE: A powerful backdoor program specifically designed to exfiltrate logged-in account information, call logs, and device audio recordings.

3. GHOSTSABER: Another JavaScript backdoor equipped with capabilities for device enumeration, file listing, and remote execution of malicious code.

Active Attack Groups and Geographic Distribution

GTIG's report indicates that DarkSword activity spans several countries. The earliest observed operator was UNC6748, which targeted users in Saudi Arabia with a spoofed Snapchat website. Turkish commercial surveillance vendor PARS Defense has also been observed using the tool in operations in Turkey and Malaysia. In addition, UNC6353, a group suspected of Russian ties, has been using DarkSword for espionage against Ukrainian targets since December 2025.

Technical Evolution and Traces of AI-Assisted Development

Lookout researchers analyzing the DarkSword codebase found signs that its development was assisted by large language models (LLMs): the code carries numerous detailed comments explaining the logic of each function, a level of documentation rarely seen in malware and an indicator of how professionalized the operators have become. Such commenting not only makes the malware easier to maintain but also lays the groundwork for later modular expansion.

Defense Recommendations and Security Status

DarkSword chains six known vulnerabilities, including CVE-2025-31277 and CVE-2025-43529, covering the critical stages of an exploit chain: initial remote code execution in the browser, sandbox escape, and privilege escalation. Although the attack is complex, iVerify notes that Apple has already patched these vulnerabilities in current iOS releases, so the chain relies on n-day bugs rather than zero-days: a device running the latest iOS is not exposed to it.

Cybersecurity experts warn that even though DarkSword relies on known vulnerabilities, its "1-click" delivery via the Safari browser remains highly stealthy: the victim only has to open a malicious link, with no further interaction required. iPhone users are strongly advised to update to the latest iOS version (the installed version can be confirmed under Settings > General > About) and to treat links from unknown sources with suspicion. Because the payload is memory-resident rather than persistent, a reboot removes the implant from the device, but it does not undo any data already exfiltrated, and an unpatched device can be re-infected by visiting the link again.
