> GTIG has identified several different users of the DarkSword exploit chain dating back to November 2025. In addition to the case studies on DarkSword usage documented in this blog post, we assess it is likely that other commercial surveillance vendors or threat actors may also be using DarkSword.
> Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.
> DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.
There are not 8 major versions between iOS 18 and iOS 26. Apple skipped the monotonically increasing version numbering system in use since iOS 1 during WWDC 2025 to adopt a year-suffix-based versioning system.
I wish I had a better sense of how these zero-click vulnerabilities work so I could get a sense of how to protect myself from them (you know, without giving in to Liquid Glass). Can they be blocked by an ad blocker? Are they blocked by any extant ad blockers? What about “Lockdown Mode”?
It's a watering hole attack.
At any point your iPhone sends an HTTP request to a compromised site, via an ad, link, embed, etc., your device will be exploited.
There really isn't a way to permanently defeat this.
We are about to see an explosion of novel attack types utilizing this exploit as their basis. You realistically cannot defend yourself against these without either updating or no longer using an iPhone.
Apple used to have a really good security record, it's mind boggling they blew it all up just to force Liquid Glass on users.
For those not in the loop, Apple used to provide security patches for supported older iOS versions. They changed a lot of behavior around the release of Liquid Glass (iOS 26, macOS Tahoe). Starting with iOS 18.7.3, they only release patch versions for the iPhone XS and XR. They've repeated this, through to 18.7.6 now.
Apple should stop doing security by obscurity in the first place. People have no way of finding out whether their phones have been compromised. Lockdown Mode is just a coping mechanism for phones likely already compromised, and there is no guarantee Lockdown Mode cannot be bypassed.
Apple hardware is inherently insecure and it is bizarre that Apple keeps burying their head in the sand.
Yes, but you can use anti-virus software on other platforms which can detect many threats.
Also just because others are not great, doesn't excuse Apple from being very much negligent.
I know many people who bought Apple products specifically because of the myth that they are secure. They were in fact mis-sold. There is common thinking that no antivirus software = no viruses = secure among the non-technical crowd.
>We also identified additional code added when the actor attempts to infect a user using Chrome, where the x-safari-https protocol handler is used to open the page in Safari (Figure 4). This suggests that UNC6748 didn't have an exploit chain for Chrome at the time of this activity.
Thanks Apple for allowing the overriding of the user's default browser.
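The quoted passage describes a concrete, observable artifact: a page that opens itself in Safari through the x-safari-https protocol handler when the visitor arrives in Chrome. From a defender's side that scheme is something a proxy, crawler or page-review tool can look for. The scanner below is an added example written for this thread, not code from GTIG or any vendor named here; it parses HTML, pulls URLs out of href/src/action attributes and out of string literals inside script blocks, and flags the x-safari-https hand-off (plus, at lower severity, any other non-web scheme that would hand the visit to another app). The sample page and the WEB_SCHEMES allow-list are constructed for the example.

```python
"""Flag links that hand a browser visit off to Safari via x-safari-https.

Added example (not from the linked GTIG post). Scans fetched HTML for the
x-safari-https scheme that the quoted passage describes, and reports any
other non-web scheme at lower severity. Sample input below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a normal web page is expected to use; anything else hands the
# visit to another application. Allow-list chosen for this example.
WEB_SCHEMES = {"http", "https", "", "data", "mailto", "tel", "javascript"}
# Scheme named in the quoted GTIG text: opens the URL in Safari from another app.
SAFARI_HANDOFF_SCHEME = "x-safari-https"

# Quoted string literal that looks like an absolute URL with a scheme.
URL_LITERAL = re.compile(r"""['"]([a-z][a-z0-9+.\-]*://[^'"\s]+)['"]""", re.I)


class _HandoffCollector(HTMLParser):
    """Collects hand-off URLs from attributes and from script string literals."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self._check(value, f"<{tag} {name}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; mine them for URLs.
        if self._in_script:
            for url in URL_LITERAL.findall(data):
                self._check(url, "script literal")

    def _check(self, url, where):
        scheme = urlsplit(url.strip()).scheme.lower()
        if scheme == SAFARI_HANDOFF_SCHEME:
            self.findings.append({"where": where, "url": url, "severity": "high",
                                  "reason": "x-safari-https hand-off into Safari"})
        elif scheme not in WEB_SCHEMES:
            self.findings.append({"where": where, "url": url, "severity": "low",
                                  "reason": f"non-web scheme {scheme!r}"})


def find_safari_handoffs(html: str) -> list[dict]:
    """Return every hand-off URL found in the HTML, x-safari-https entries first."""
    parser = _HandoffCollector()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings, key=lambda f: f["severity"] != "high")


# Constructed sample page: one Safari hand-off in a script, one custom app scheme.
SAMPLE_HTML = """<html><body>
<a href="https://example.invalid/news">news</a>
<img src="/static/logo.png">
<script>
  location.href = "x-safari-https://example.invalid/landing";
</script>
<a href="tel:+15555550100">call</a>
<a href="myapp://open">open app</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_safari_handoffs(SAMPLE_HTML):
        print(f"[{finding['severity']}] {finding['where']}: {finding['url']} ({finding['reason']})")
```

Run it over the HTML a proxy or crawler fetched; a "high" finding means the page is trying to move the visit out of the current browser into Safari, which is worth a look on its own even before the landing page is analyzed.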
All these exploits and we still can't get proper jailbreaks on new iOS versions :( I moved away from Android years ago in the interest of digital privacy so it's just wonderful to hear security isn't as tight as I'd hoped haha.. Then again I guess those like myself staying on the bleeding edge version-wise aren't affected.
I was literally just attending a course on "innovation" and the topic of Apple vs Android was covered. Interestingly enough, a majority of students commenting cited iOS "security" as a core value proposition. As an Android user, however, I know there are a lot of CVEs in volume but in terms of severity, when an iOS issue happens it appears to generally be much more severe.
Oh, I was confused why the article was so short and chalked it up to it being some developing story. Turns out there's a "You’ve read your last free article." heading that hides the rest but it's not very obvious that there's an article hiding.
I'm keeping it there to remind me to stay defiant against the shittier UI. I'll wait until they can put it on a user switch or create a more readable option for older users. Which will probably be 'never'.
I thought the same thing but updated couple weeks back and actually really really enjoy the liquid glass. I don't recall what it was about the release that made me think I'd hate it, but I've half fallen in love with it, I was just thinking yesterday I wonder what all the fuss was about.
I believe it's changed a lot since it was initially debuted via the betas.
And there was that Supabase post mocking it, where they made the whole UI glass, and that biased me a bit ha
I don’t like it on the iPhone, but it’s more a “sigh, I’ll live with it” downgrade than a catastrophic one (at least once you go into the Safari settings and turn off the huge useless address bar by putting it in compact mode). It’s on the Mac where it’s truly a shitshow.
>If it's really as bad as all that, they'll patch existing older releases.
They have patched existing releases of iOS 18... but then they artificially restricted those patches only to a couple of phone models that don't support iOS 26. So if you're on a vaguely modern iDevice and are still on 18 because you don't want the new UI and other fuckups, you are not allowed to install the patched 18. It'd be one thing if you had a phone that simply never supported iOS 18 at all, or if Apple wasn't patching iOS 18 at all for anyone, but that they've gone to the effort to fix it and then also used it as another lever to force upgrades is really sucky.
No. Apple already released the patch in February, and Apple chose not to patch older releases.
Unfortunately, in iOS 26, there is a new bug where Lockdown Mode breaks call recording, which is something I rely on. Something to weigh for anyone on iOS 18 who is considering installing iOS 26.
The interesting angle here is what this means for passes and credentials stored in Apple Wallet. If device compromise is this accessible, the assumption that Wallet passes are isolated from the rest of the device needs more scrutiny. Apple's security model relies heavily on the Secure Enclave, but a tool like this changes the threat surface significantly.
This is always the threat with walled garden style security. When you couple applications so tightly in an intrinsic trust network, on the basis that no external attacker can gain access, then the internal security is neglected and it only takes the weakest link.
https://cloud.google.com/blog/topics/threat-intelligence/dar...
iOS 17, then iOS 18, then iOS 26, then iOS 27.
You're not the only party confused.
Complete full-chain 1-click exploit from Safari to complete device takeover, exfiltrating personal data, passwords, and crypto wallets.
https://www.lookout.com/threat-intelligence/article/darkswor...
https://iverify.io/blog/darksword-ios-exploit-kit-explained
https://cloud.google.com/blog/topics/threat-intelligence/dar...
0-click example: receive an MMS with a malformed image that exploits a bug in decoding
Why are we about to see an explosion?
So much goodwill and trust, obliterated.
The new "security upgrade available" will (I bet) be "to 26".
Or don’t want to maintain two different security architectures. Apple has always been visually opinionated.
More than non-obscure phones, laptops, desktops… washing machines, robot vacuums, doorbells, you name it
(a)? This must be really bad.
I wonder if this is supposed to be > iOS 18 or really just version 18?
> DarkSword supports iOS versions 18.4 through 18.7
https://cloud.google.com/blog/topics/threat-intelligence/dar...
The source exploits continued to be patched, with all of them patched in iOS 26.3.
Settings > Privacy & Security > Background Security Improvements
Description: A cross-origin issue in the Navigation API was addressed with improved input validation.
WebKit Bugzilla: 306050
CVE-2026-20643: Thomas Espach
Is it “you are not allowed,” or Cupertino isn’t going to bother developing and testing?
Apple of 2026 is not the same Apple of 2025. The people at Apple have held back iOS 18.7.3, iOS 18.7.4, iOS 18.7.5, or iOS 18.7.6 for most iPhones that support iOS 18.
There are dozens of CVEs patched in these updates, including numerous exploits as bad as or worse than the one described in this article. (The article is paywalled so I couldn't read it, so I am getting the details from Google's post https://cloud.google.com/blog/topics/threat-intelligence/dar...)
- CVE-2025-43541, CVE-2025-43501 WebKit zero day https://www.theregister.com/2025/12/15/apple_follows_google_... (iOS 18.7.3)
- CVE-2025-43529 and CVE-2025-14174, mentioned in the article (iOS 18.7.3)
- The dyld exploit fixed in iOS 18.7.5, and the exploit in this article https://www.theregister.com/2026/02/12/apple_ios_263/ (iOS 18.7.5)