Signal
DarkSword iOS exploit kit used by state-sponsored hackers and spyware vendors
Evidence first: scan the strongest sources, then decide whether to go deeper.
Published 2026-03-18 14:00 UTCUpdated 2026-03-18 21:39 UTC
redditrss
cveexploitmalwarethreat_actorincident_responsesecurity_tooling
Source links open
Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
No card needed for the free brief.
Evidence trail (top sources)
top sources (4 domains)domains are deduped. counts indicate coverage, not truth.4 top sources shown
Overview
A new iOS exploit kit named DarkSword has been identified targeting iOS versions 18.4 through 18.7 by leveraging six vulnerabilities to fully compromise devices.
Entities
LookoutGoogle Threat Intelligence GroupiVerifyDarkSwordCorunaGHOSTBLADEGHOSTKNIFEGHOSTSABER
Score total
2.12
Momentum 24h
7
Posts
7
Origins
7
Source types
2
Duplicate ratio
0%
Why now
- DarkSword has been actively used since late 2025 in multiple global campaigns, including ongoing conflicts like Ukraine.
- Recent research reveals its wide adoption and links to repurposed government-developed exploits.
- The emergence of DarkSword shortly after Coruna signals increasing availability of advanced iOS exploit kits.
Why it matters
- DarkSword enables full device compromise of widely used iOS versions, risking sensitive personal and financial data.
- Its use by state-sponsored and commercial spyware actors indicates a high threat level and broad targeting scope.
- The exploit’s sophistication and AI customization highlight evolving cyber threats and secondary exploit markets.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
- DarkSword exploits six iOS vulnerabilities to fully compromise devices running iOS 18.4 to 18.7.
- DarkSword is used by multiple state-sponsored groups and commercial spyware vendors in campaigns targeting countries including Ukraine, Saudi Arabia, Turkey, and Malaysia.
- DarkSword deploys malware families GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER after successful exploitation.
- Suspected Russian espionage group UNC6353 has incorporated DarkSword into watering hole campaigns.
How sources frame it
- SecurityWeek: neutral
- Google Threat Intelligence Group: neutral
- CyberScoop: neutral
This briefing consolidates recent findings on the DarkSword iOS exploit kit, highlighting its multi-vulnerability chain, state-sponsored use, and evolving threat landscape.
All evidence
All evidence
State snoops and spyware vendors planting info-stealing malware on iPhones, Google warns
The Register Security · go.theregister.com · 2026-03-18 21:39 UTC
Russia-linked hackers use advanced iPhone exploit to target Ukrainians
The Record (Recorded Future News) · therecord.media · 2026-03-18 19:42 UTC
Inside DarkSword: A New iOS Exploit Kit Del
blueteamsec · iverify.io · 2026-03-18 19:28 UTC
‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors
SecurityWeek · securityweek.com · 2026-03-18 15:30 UTC
New “Darksword” iOS exploit used in infostealer attack on iPhones
bleepingcomputer_all · bleepingcomputer.com · 2026-03-18 14:02 UTC
Second iOS exploit kit emerges from suspected Russian hackers using possible U.S. government-developed tools
CyberScoop · cyberscoop.com · 2026-03-18 14:00 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 6Origin domains: 6Duplicates: -
Showing 6 / 0
Top publishers (this list)
- The Register Security (1)
- The Record (Recorded Future News) (1)
- blueteamsec (1)
- SecurityWeek (1)
- bleepingcomputer_all (1)
- CyberScoop (1)
Top origin domains (this list)
- go.theregister.com (1)
- therecord.media (1)
- iverify.io (1)
- securityweek.com (1)
- bleepingcomputer.com (1)
- cyberscoop.com (1)