DarkSword iPhone Spyware Exposed. Russia-Linked Group Weaponized Ukrainian Websites to Silently Compromise 220 Million Vulnerable Devices
A full-chain iOS exploit called DarkSword has been silently compromising iPhones since November 2025, deployed through watering hole attacks on Ukrainian news and government websites by the Russia-linked group UNC6353. The exploit chains six zero-day vulnerabilities to achieve kernel privileges and deploys three malware families that steal everything from crypto wallets to iCloud data before self-destructing within minutes. An estimated 220 million iPhones running iOS 18.4 through 18.7 were in the blast radius.
There is a new kind of iPhone spyware in the wild, and it does not need you to click anything. It does not need you to install anything. You just have to visit the wrong website.
Researchers at Google's Threat Intelligence Group (GTIG), Lookout, and iVerify have jointly disclosed a full-chain iOS exploit called DarkSword that has been actively compromising iPhones since at least November 2025. The exploit targets devices running iOS 18.4 through 18.7, a range that researchers estimate covers roughly 220 to 270 million iPhones worldwide that have not yet updated to the latest software.
The campaign was discovered after investigators found DarkSword hosted on the same infrastructure as Coruna, another sophisticated iOS exploit kit exposed earlier in March 2026. But where Coruna targeted older iOS versions, DarkSword goes after modern devices with a level of technical sophistication that places it firmly in the nation-state category.
Google attributes the primary deployment of DarkSword with high confidence to UNC6353, a Russia-aligned threat cluster that has been using the exploit to conduct watering hole attacks against Ukrainian targets, including a regional news outlet and a government domain. Separately, commercial surveillance vendors have also been observed deploying DarkSword against targets in Saudi Arabia, Turkey, and Malaysia.
How the Attack Works
DarkSword is a watering hole exploit. The attacker compromises a legitimate website and injects the exploit code into the page. When a victim with a vulnerable iPhone visits that website using Safari, the entire exploit chain fires silently in the background. There is no pop-up, no download prompt, no indication that anything has happened. The phone is compromised before the page finishes loading.
The exploit is written entirely in JavaScript and chains six separate vulnerabilities to go from a webpage visit to full kernel-level access:
Step 1: Browser Code Execution
The chain begins with one of two JavaScriptCore JIT vulnerabilities, depending on which iOS version the target is running:
| CVE | Type | Target iOS | Patched In |
|---|---|---|---|
| CVE-2025-31277 | JIT type confusion | iOS 18.4 to 18.5 | iOS 18.6 |
| CVE-2025-43529 | DFG garbage collection bug | iOS 18.6 to 18.7 | iOS 18.7.3 / iOS 26.2 |
These bugs allow the attacker to achieve remote code execution inside the Safari renderer process by triggering memory corruption in the JavaScript engine. The victim does not interact with the page in any way beyond loading it.
Step 2: Sandbox Escape
Once running inside the browser, the exploit uses CVE-2025-14174, a memory corruption flaw in ANGLE (the graphics abstraction layer), to break out of Safari's sandbox. This is the barrier Apple designed to prevent browser compromises from reaching the rest of the operating system.
Step 3: PAC Bypass
Apple's Pointer Authentication Codes (PAC) are supposed to prevent control-flow hijacking by cryptographically signing function pointers. DarkSword bypasses this protection using CVE-2026-20700, a flaw in dyld (Apple's dynamic linker). With PAC defeated, the attacker can redirect execution to arbitrary code.
Step 4: Kernel Exploitation
Two kernel vulnerabilities complete the chain:
| CVE | Type | Effect |
|---|---|---|
| CVE-2025-43510 | Kernel memory management flaw | Arbitrary kernel read/write |
| CVE-2025-43520 | Kernel memory corruption | Privilege escalation to kernel |
At this point, the attacker has full kernel privileges. They can read and write any memory on the device, execute any function, and access any data. The iPhone is completely owned.
Step 5: Payload Deployment
With kernel access secured, DarkSword injects and executes JavaScript-based malware payloads that steal everything of value on the device.
The Three GHOST Malware Families
DarkSword does not deploy a single payload. Depending on the campaign and the target, one of three distinct malware families is loaded:
GHOSTBLADE (Dataminer)
GHOSTBLADE is the most commonly deployed payload. It is a comprehensive data extraction tool that targets:
- SMS and iMessage databases (full conversation histories)
- Call logs, contacts, calendar entries, and notes
- Safari browsing history and saved passwords
- iCloud Drive files and Apple Health records
- Photos metadata and geolocation history
- Wi-Fi passwords and device keychains
- Cryptocurrency wallet credentials and keys
- Installed application lists and device identifiers
- Mail indexes and email account data
GHOSTBLADE operates in a hit-and-run pattern. It extracts everything it needs within minutes, exfiltrates the data to attacker infrastructure, and then removes itself from the device. After a reboot, there is no trace of the malware on the phone. This makes forensic analysis extremely difficult because by the time anyone suspects something is wrong, the spyware is already gone.
GHOSTKNIFE (Backdoor)
GHOSTKNIFE provides persistent access capabilities beyond simple data theft. It can:
- Exfiltrate signed-in account credentials
- Extract messages from WhatsApp, Telegram, and Signal
- Collect browser data and browsing history
- Track location history continuously
- Record audio (ambient listening)
GHOSTSABER (JavaScript Backdoor)
GHOSTSABER is a more interactive implant that gives operators the ability to:
- Enumerate devices and connected accounts
- Browse and list files on the device
- Execute arbitrary JavaScript code remotely
- Selectively steal specific data on demand
The Ukrainian Campaign
The primary use of DarkSword that triggered its discovery was a watering hole campaign run by UNC6353 against Ukrainian targets. The group compromised dozens of legitimate Ukrainian websites, including at least one regional news outlet and one government domain, and injected the DarkSword exploit into their pages.
The logic is straightforward and ruthless: if you are a Ukrainian government official, journalist, military officer, or aid worker, you probably read Ukrainian news. You probably visit government portals. If you do so from an iPhone running iOS 18.4 through 18.7 and you have not installed the latest update, your device is silently compromised the moment the page loads. Your messages, contacts, location history, passwords, and crypto wallets are extracted and sent to UNC6353's infrastructure within minutes. Then the spyware erases itself, and you have no idea it was ever there.
This is wartime surveillance at its most efficient. No phishing email to ignore. No suspicious app to decline. No prompt to dismiss. The exploit is completely invisible to the user.
Who Is UNC6353?
UNC6353 is a Russia-aligned threat cluster tracked by Google's Threat Intelligence Group. The group demonstrates capabilities consistent with state-sponsored espionage operations.
Key characteristics:
- Previously observed deploying the Coruna iOS exploit kit against similar targets
- Operational since at least late 2025, with activity intensifying in early 2026
- Primary targeting aligns with Russian intelligence priorities: Ukrainian government, military, media, and civil society
- Infrastructure shared with Coruna suggests access to a well-resourced exploit development pipeline
- The combination of espionage and cryptocurrency theft suggests dual motivation: intelligence collection and financial gain
Google, Lookout, and iVerify have all attributed DarkSword activity to UNC6353 with high confidence, based on infrastructure overlap, targeting patterns, and technical indicators.
Commercial Surveillance Vendors Are Also Using DarkSword
UNC6353 is not the only group deploying this exploit. Google has observed a separate threat cluster tracked as UNC6748, described as a commercial surveillance vendor, using DarkSword to target individuals in:
- Saudi Arabia
- Turkey
- Malaysia
This is a familiar pattern. Sophisticated exploits developed by one group often end up in the hands of commercial spyware operators who sell access to governments and private clients. The fact that DarkSword is already in the hands of multiple operators suggests a robust underground market for iOS exploit chains.
Connection to Coruna
DarkSword was discovered because Lookout researchers found it hosted on the same servers as Coruna, a separate iOS exploit kit that was disclosed earlier in March 2026. Coruna uses 23 exploits across five chains to target older iOS versions (13 through 17.2.1), while DarkSword focuses on modern iOS 18.x releases.
The shared infrastructure strongly suggests that both exploit kits are either developed by the same entity or sold through the same marketplace. Together, Coruna and DarkSword provide coverage across nearly every iOS version released in the past three years, an extraordinarily broad attack surface for any single threat actor to maintain.
The Scale of Exposure
The numbers are staggering. Apple has approximately 1.56 billion active iPhone users worldwide. Researchers at iVerify estimate that roughly 14.2% of iOS users were running vulnerable versions (18.4 through 18.7) at the time of discovery, putting the number of potentially vulnerable devices between 220 and 270 million.
Not all of these devices were targeted. Watering hole attacks are inherently selective because they only compromise users who visit specific websites. But the potential blast radius is enormous, and any organization with personnel who might visit Ukrainian news sites, government portals, or the other compromised domains should treat this as a credible exposure.
Apple's Response
Apple has patched all six vulnerabilities exploited by DarkSword across two updates:
| Update | Date | Vulnerabilities Addressed |
|---|---|---|
| iOS 18.7.6 | March 2026 | CVE-2025-31277, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520 |
| iOS 26.3.1 | March 2026 | CVE-2025-43529, CVE-2026-20700 (PAC bypass in dyld) |
Users should update to iOS 26.3.1 or iOS 18.7.6 immediately. Both updates fully close the attack chain.
Detection and Response
Check If Your Device Is Vulnerable
Settings → General → About → iOS Version
Vulnerable: iOS 18.4, 18.4.1, 18.5, 18.5.1, 18.6, 18.6.1, 18.6.2, 18.7, 18.7.1, 18.7.2
Safe: iOS 18.7.3+, iOS 18.7.6, iOS 26.2+, iOS 26.3.1
Enable Lockdown Mode (High-Risk Users)
If you are a journalist, government official, activist, military personnel, or anyone who might be a target of state-sponsored surveillance, enable Apple's Lockdown Mode:
Settings → Privacy & Security → Lockdown Mode → Turn On Lockdown Mode
Lockdown Mode significantly reduces the attack surface by disabling JIT compilation in Safari (the JavaScriptCore JIT is exactly what DarkSword's initial exploit relies on), blocking most message attachment types, and restricting other features frequently targeted by exploits.
Organizational Detection (MDM / SIEM)
```kql
// Detect devices running DarkSword-vulnerable iOS versions (18.4 through 18.7.2)
// in your fleet. A plain `startswith "18.7"` would also match the patched 18.7.3
// and 18.7.6 builds, so compare parsed version numbers instead.
IntuneDevices
| where Platform == "iOS"
| extend Ver = parse_version(OSVersion)
| where Ver between (parse_version("18.4.0") .. parse_version("18.7.2"))
| project DeviceName, UserPrincipalName, OSVersion, LastSync, ComplianceState
| order by LastSync desc
```
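The same triage can be done offline against an MDM inventory export, which is useful when the fleet is split across tools or when someone hands you a spreadsheet. The script below is an added example written for this article, not code from the researchers or from Apple; it encodes the vulnerable range the version list above gives (iOS 18.4 through 18.7.2) and treats everything outside it as not exposed to DarkSword. The CSV layout, device names and versions are constructed for illustration. It deliberately flags malformed version strings for manual review rather than silently treating them as safe, and it handles two-part versions such as "18.4" that a naive string comparison would mishandle.

```python
"""Classify MDM inventory rows by whether their iOS version is in the
DarkSword-vulnerable range (iOS 18.4 through 18.7.2 per the list above).

Added example for this article; not code from GTIG, Lookout, iVerify or Apple.
The CSV format, device names and versions below are constructed.
"""
from __future__ import annotations

import csv
import io

# Inclusive range of iOS versions the article lists as vulnerable.
VULN_MIN = (18, 4, 0)
VULN_MAX = (18, 7, 2)


def parse_ios_version(text: str) -> tuple[int, ...] | None:
    """Turn '18.7', '18.7.2' or ' 26.3.1 ' into a 3-tuple; None if unparseable."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))  # pad '18.4' -> 18.4.0
    return tuple(nums)


def classify(version_text: str) -> str:
    """'vulnerable', 'not_vulnerable', or 'unknown' for malformed data."""
    v = parse_ios_version(version_text)
    if v is None:
        return "unknown"  # never assume safe on bad inventory data; review by hand
    if VULN_MIN <= v <= VULN_MAX:
        return "vulnerable"
    return "not_vulnerable"  # older than 18.4 or already on 18.7.3+ / 26.x


def triage_inventory(csv_text: str) -> dict[str, list[str]]:
    """Group DeviceName values from a CSV export by classification."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "not_vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Platform", "iOS") != "iOS":
            continue
        buckets[classify(row["OSVersion"])].append(row["DeviceName"])
    return buckets


# Constructed sample export; names and versions are illustrative only.
SAMPLE_EXPORT = """DeviceName,OSVersion,Platform
iphone-ops-01,18.7.2,iOS
iphone-ops-02,18.7.6,iOS
iphone-press-07,18.4,iOS
iphone-press-08,18.7.3,iOS
iphone-legacy-03,17.6.1,iOS
iphone-exec-01,26.3.1,iOS
iphone-pool-12,18.6.x,iOS
tablet-lab-02,18.7.1,iPadOS
"""

if __name__ == "__main__":
    for status, names in triage_inventory(SAMPLE_EXPORT).items():
        print(f"{status:15s} {', '.join(names) or '-'}")
```

Devices that land in the "unknown" bucket (here the one reporting "18.6.x") should be checked directly on the device via Settings → General → About rather than being dropped from the report.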
Network Indicators
While DarkSword's infrastructure rotates frequently, organizations should monitor for:
- Unusual outbound data transfers from iOS devices (the hit-and-run exfiltration can move significant data in a short window)
- Connections to known Coruna/DarkSword C2 infrastructure (check Google TAG's published IOC feeds)
- Any iOS device that has visited compromised Ukrainian domains on your DNS or proxy logs
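The first and third indicators above can be combined into one detection at the proxy or DNS edge: an iPhone that reaches a watchlisted domain and then pushes an unusual volume of outbound data within a few minutes is exactly the hit-and-run pattern GHOSTBLADE produces. The script below is an added example written for this article, not tooling from GTIG, Lookout or iVerify. The JSON log format, the watchlist entries (".example" names standing in for real indicators from the published IOC feeds), the 5-minute window and the 50 MiB threshold are all constructed assumptions to tune for your environment. The user-agent is used only to decide that the client is an iPhone, not to pin its iOS version; version inventory belongs to MDM.

```python
"""Detect (1) iOS clients reaching watchlisted domains and (2) an outbound
byte burst from one iOS client inside a short window, escalating the burst
when the same client visited a watchlisted domain earlier in the log.

Added example for this article; not tooling from the researchers named above.
Log format, watchlist, window and threshold are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WATCHLIST = {"regional-news.example", "gov-portal.example"}  # constructed placeholders
BURST_WINDOW = timedelta(minutes=5)
BURST_BYTES = 50 * 1024 * 1024  # 50 MiB out of one phone in five minutes


def is_ios_client(user_agent: str) -> bool:
    """Mobile Safari on iPhone reports 'iPhone OS <ver>' and a 'Mobile/' token."""
    return "iPhone OS" in user_agent and "Mobile/" in user_agent


def detect(log_lines):
    """Return a list of (alert_type, client, detail) tuples for the given JSON lines."""
    alerts = []
    visited = set()                       # clients that touched the watchlist
    window = defaultdict(list)            # client -> [(ts, bytes_out)] within BURST_WINDOW
    for line in log_lines:
        if not line.strip():
            continue
        e = json.loads(line)
        if not is_ios_client(e["ua"]):
            continue                      # non-iOS clients are out of scope here
        ts = datetime.fromisoformat(e["ts"])
        client = e["client"]
        if e["host"] in WATCHLIST:
            visited.add(client)
            alerts.append(("watchlist_visit", client, e["host"]))
        w = window[client]
        w.append((ts, int(e["bytes_out"])))
        while w and ts - w[0][0] > BURST_WINDOW:   # slide the window forward
            w.pop(0)
        total = sum(b for _, b in w)
        if total >= BURST_BYTES:
            kind = "possible_exfiltration" if client in visited else "outbound_burst"
            alerts.append((kind, client, total))
            w.clear()                     # do not re-alert on the same burst
    return alerts


# Constructed sample proxy events (one JSON object per line when serialised).
IOS_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_2 like Mac OS X) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/18.7 Mobile/15E148 Safari/604.1")
ANDROID_UA = "Mozilla/5.0 (Linux; Android 14) AppleWebKit/537.36 Chrome/122.0 Mobile Safari/537.36"
SAMPLE_EVENTS = [
    {"ts": "2026-03-20T09:00:00", "client": "10.0.0.5", "ua": IOS_UA,
     "host": "regional-news.example", "bytes_out": 1200},
    {"ts": "2026-03-20T09:01:10", "client": "10.0.0.5", "ua": IOS_UA,
     "host": "upload-relay.example", "bytes_out": 30 * 1024 * 1024},
    {"ts": "2026-03-20T09:02:40", "client": "10.0.0.5", "ua": IOS_UA,
     "host": "upload-relay.example", "bytes_out": 25 * 1024 * 1024},
    {"ts": "2026-03-20T09:03:00", "client": "10.0.0.9", "ua": ANDROID_UA,
     "host": "regional-news.example", "bytes_out": 900},
    {"ts": "2026-03-20T09:04:00", "client": "10.0.0.7", "ua": IOS_UA,
     "host": "www.apple.com", "bytes_out": 500},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log, client 10.0.0.5 produces a watchlist_visit alert and then a possible_exfiltration alert once its five-minute outbound total passes the threshold; the Android client hitting the same domain and the iPhone talking to an unrelated host produce nothing. Because the exploit runs and the payload exfiltrates within minutes, the window should stay short; a long window would blend the burst into normal traffic.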
Post-Compromise Response
Because DarkSword self-destructs after exfiltration, traditional device forensics may not find artifacts. If you believe a device was compromised:
Assume Compromised:
- Rotate all passwords accessible from the device
- Revoke all active sessions for accounts signed in on the device
- Transfer cryptocurrency to new wallets generated on a clean device
- Report the incident to your organization's security team
- Enable Lockdown Mode on the replacement device
- Update to the latest iOS version before restoring any backup
Why This Matters
DarkSword represents several alarming trends converging at once.
The exploit market is thriving. DarkSword and Coruna together cover iOS 13 through 18.7, meaning nearly every iPhone sold in the past five years has been targetable at some point. This level of coverage requires sustained investment in vulnerability research and exploit development, funded either by state intelligence budgets or commercial surveillance revenue.
Watering holes are back. For years, the security community focused on phishing as the primary delivery mechanism for mobile exploits. DarkSword demonstrates that watering holes remain devastatingly effective, particularly in conflict zones where target populations predictably visit specific websites. There is no user error involved, and no amount of security awareness training prevents this attack.
Self-destructing spyware defeats forensics. The hit-and-run model means that by the time a victim suspects compromise, the evidence is gone. Traditional mobile forensic tools look for persistent artifacts. DarkSword leaves none. This creates a detection gap that current security tooling is not designed to address.
The line between espionage and crime is blurring. UNC6353 steals intelligence for Russian state objectives and cryptocurrency for financial gain using the same exploit chain. Commercial surveillance vendors sell the same capability to authoritarian governments for targeting dissidents and journalists.
Key Takeaways
- DarkSword is a zero-click iOS exploit chain used in active espionage operations. Visiting a compromised website with a vulnerable iPhone is all it takes for full device compromise. No click, no download, no interaction required.
- 220+ million iPhones were in the blast radius. Any device running iOS 18.4 through 18.7 was vulnerable until Apple patched the six chained CVEs in March 2026.
- UNC6353, a Russia-linked group, deployed DarkSword through Ukrainian watering holes. Compromised news and government websites were used to silently infect iPhones of Ukrainian targets.
- The spyware self-destructs after stealing everything. GHOSTBLADE extracts messages, passwords, crypto wallets, health data, photos, and iCloud files within minutes, then erases itself. No forensic trace survives a reboot.
- Commercial surveillance vendors are also using DarkSword. Targets in Saudi Arabia, Turkey, and Malaysia have been hit by a separate operator (UNC6748), confirming the exploit is available on the commercial spyware market.
- Update your iPhone immediately. iOS 26.3.1 or iOS 18.7.6 closes every vulnerability in the chain. Enable Lockdown Mode if you are at elevated risk.
Apple has patched all vulnerabilities exploited by DarkSword. Google, Lookout, and iVerify coordinated the disclosure with Apple and relevant CERT teams. Organizations with personnel in conflict zones or those who may have visited compromised Ukrainian domains should conduct an immediate review of device iOS versions across their fleet and enforce updates through MDM policy.