Unpacking DarkSword: Google GTIG Details iOS Full-Chain Exploit & Global Campaigns
DarkSword is a sophisticated iOS full-chain exploit kit, written entirely in JavaScript, that Google Threat Intelligence Group (GTIG) identified being leveraged by multiple threat actors, including commercial surveillance vendors and suspected state-sponsored groups, since at least November 2025. This exploit chain targets iPhones running iOS versions 18.4 through 18.7, employing a series of six distinct vulnerabilities to achieve arbitrary code execution, sandbox escape, and ultimately kernel privilege escalation, culminating in the exfiltration of sensitive user data with a "hit-and-run" approach. The discovery of DarkSword follows closely on the heels of the Coruna exploit kit, highlighting a concerning trend in the proliferation of advanced iOS exploitation capabilities among a diverse set of adversaries.
Initial Access and Remote Code Execution (RCE)
The DarkSword attack chain begins with a drive-by compromise via a watering hole attack. A user, targeted through a malicious or compromised website (e.g., a fake Snapchat-themed site or a compromised government portal in Ukraine), visits a web page that embeds a malicious iframe containing JavaScript. This JavaScript acts as the initial loader, deploying subsequent stages of the exploit. For remote code execution, DarkSword leverages vulnerabilities within WebKit's JavaScriptCore engine. GTIG observed two primary vulnerabilities utilized for RCE, dependent on the target iOS version:
- CVE-2025-31277: A JavaScriptCore JIT optimization/type confusion bug. This vulnerability was exploited on devices running iOS versions prior to 18.6 and was subsequently patched by Apple in iOS 18.6.
- CVE-2025-43529: A garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore. This flaw was exploited on devices running iOS 18.6-18.7 and was patched by Apple in iOS 18.7.3 and 26.2 after being reported by GTIG.
Both RCE exploits are designed to establish arbitrary read/write primitives within the WebContent process. These primitives are crucial for manipulating memory structures and preparing for the next stage of the attack. A key component immediately chained with these WebKit vulnerabilities is CVE-2026-20700, a user-mode Pointer Authentication Code (PAC) bypass in dyld. This PAC bypass is essential for executing arbitrary code and overcoming hardware-based memory protections, enabling the subsequent exploit stages to proceed unhindered.
```javascript
// Example snippet (conceptual, not actual exploit code): selecting the RCE bug
// by iOS version, then chaining the dyld PAC bypass. iOS_version is the version
// string the loader fingerprints from the device (not shown).

// Compare dotted version strings field by field; comparing them as plain
// strings would put "18.10" before "18.6".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function trigger_jit_bug(cve) {
  // ... crafted JavaScript to trigger the type confusion (CVE-2025-31277)
  // or the DFG GC bug (CVE-2025-43529), depending on `cve` ...
  // ... leading to an arbitrary read/write primitive in WebContent ...
}

function bypass_pac_cve_2026_20700() {
  // ... leverage arbitrary write to overwrite function pointers
  // or return addresses, bypassing PAC using CVE-2026-20700 ...
  // ... gain arbitrary code execution ...
}

if (compareVersions(iOS_version, "18.6") < 0) {
  trigger_jit_bug("CVE-2025-31277");          // iOS < 18.6
} else if (compareVersions(iOS_version, "18.8") < 0) {
  trigger_jit_bug("CVE-2025-43529");          // iOS 18.6 through 18.7.x
}
bypass_pac_cve_2026_20700();
```
Sandbox Escape Mechanisms
After achieving RCE within the WebContent sandbox, DarkSword employs a two-stage sandbox escape process to elevate privileges and access more sensitive areas of the device. This is a critical phase, as Safari implements multiple layers of sandboxing to isolate untrusted web content.
- WebContent to GPU Process Escape: The initial sandbox escape pivots from the WebContent sandbox into the GPU process. This stage utilizes CVE-2025-14174, an out-of-bounds write vulnerability in ANGLE, combined with the previously achieved PAC bypass. By exploiting this vulnerability, DarkSword gains a foothold within the GPU process, which has a less restrictive sandbox profile than the WebContent process.
- GPU Process to mediaplaybackd Daemon: The second stage of the sandbox escape leverages WebGPU to inject into the mediaplaybackd system daemon. This daemon, responsible for media playback functions, operates with significantly higher privileges than a typical browser process. This pivot is achieved by exploiting further vulnerabilities, including CVE-2025-43510 and CVE-2025-43520, both kernel flaws. CVE-2025-43510 is a copy-on-write bug that provides arbitrary memory read/write primitives within the mediaplaybackd daemon, which are then leveraged to exploit CVE-2025-43520 for kernel privilege escalation. These kernel vulnerabilities grant the attacker full kernel privileges, effectively taking complete control of the device.
The sophistication of this multi-stage sandbox escape underscores the persistent threat posed by zero-day exploits. Organizations must continuously monitor their attack surface for exposed services and potential entry points, a task facilitated by platforms like Secably's External Attack Surface Management (EASM) capabilities. Proactive vulnerability scanning and understanding how adversaries enumerate potential targets, perhaps with tools like Zondex for internet-wide reconnaissance, are paramount to mitigating such complex threats.
Kernel Privilege Escalation and Payload Deployment
Once DarkSword achieves execution within mediaplaybackd with arbitrary kernel read/write capabilities, it proceeds to modify sandbox restrictions and gain access to restricted parts of the filesystem. The final stage involves deploying an orchestrator JavaScript payload that coordinates several smaller malicious components. GTIG identified three distinct malware families deployed after a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
The primary objective of these payloads is extensive information theft. DarkSword is designed for a "hit-and-run" approach, collecting and exfiltrating a vast array of sensitive data within minutes, then cleaning up its presence to evade detection. The exfiltrated data includes, but is not limited to:
- Credentials (passwords, encryption keys)
- Cryptocurrency wallet data (e.g., Coinbase, Binance, Kraken, Metamask, Ledger, Trezor)
- SMS/iMessage, WhatsApp, and Telegram messages
- Contacts, call history, and location history
- Browser data (cookies, history, saved passwords)
- Installed applications and Wi-Fi data/passwords
- Apple Health data, calendar, and notes
- iCloud content and Find My Phone settings
The collected data is temporarily stored on the device before being sent to a remote command and control (C2) server controlled by the attackers. This exfiltration often utilizes a custom binary protocol over HTTP, encrypted with ECDH and AES to obscure traffic. The rapid data exfiltration and subsequent cleanup make forensic analysis challenging, minimizing the dwell time of the adversary on the compromised device.
Affected Versions and Mitigations
DarkSword specifically targeted iPhones running iOS versions 18.4 through 18.7. Apple has released patches for all the vulnerabilities leveraged by DarkSword, with the final patches being included in iOS 26.3. The patching timeline for the key vulnerabilities is summarized below:
| CVE ID | Vulnerability Type | Component | Patched in iOS Version | Patch Date |
|---|---|---|---|---|
| CVE-2025-31277 | Memory corruption (JIT optimization/type confusion) | JavaScriptCore (WebKit) | 18.6 | July 2025 |
| CVE-2025-43529 | Garbage collection bug (DFG JIT) | JavaScriptCore (WebKit) | 18.7.3, 26.2 | December 2025 |
| CVE-2025-14174 | Out-of-bounds write | ANGLE | 18.7.3, 26.2 | December 2025 |
| CVE-2025-43510 | Copy-on-write bug | Kernel | 26.1, 18.7.2 | November 2025 |
| CVE-2025-43520 | Kernel privilege escalation | Kernel | 26.1, 18.7.2 | November 2025 |
| CVE-2026-20700 | User-mode PAC bypass | dyld | 26.3 | February 2026 |
Users are strongly urged to update their devices to the latest available iOS versions (iOS 26.3 or newer) to mitigate the threat posed by DarkSword. For devices that cannot be updated to the latest OS, enabling Apple's Lockdown Mode is recommended for enhanced security, as it restricts certain functionalities that could be exploited.
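To turn the patch table above into a fleet check, here is an added example in Python (not GTIG's or Apple's code, and not part of the original post): given an MDM-style export of device names and iOS versions, it reports which DarkSword CVEs each build has not received a fix for and whether the complete observed chain (one of the two JavaScriptCore RCE bugs plus the PAC bypass, the ANGLE bug and both kernel bugs) would still work against it. The patched builds are taken from the table; the device inventory is constructed. Where the table lists no fix on a device's own release branch (CVE-2026-20700 lists only 26.3), the script treats that branch as unpatched, and it assumes a newer major release contains fixes shipped for an older branch.

```python
"""Added example: map iOS build numbers to remaining DarkSword exposure.

Patch builds come from the CVE table in this post; the inventory is constructed.
"""


def parse_version(v: str) -> tuple:
    """'18.7.3' -> (18, 7, 3); shorter strings are zero-padded so '18.7' == (18, 7, 0)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (3 - len(parts))


# First fixed build on each release branch, per the table in this post.
PATCHES = {
    "CVE-2025-31277": ["18.6"],             # JSC JIT type confusion (RCE, pre-18.6)
    "CVE-2025-43529": ["18.7.3", "26.2"],   # JSC DFG GC bug (RCE, 18.6-18.7)
    "CVE-2025-14174": ["18.7.3", "26.2"],   # ANGLE OOB write (WebContent -> GPU)
    "CVE-2025-43510": ["18.7.2", "26.1"],   # kernel copy-on-write bug
    "CVE-2025-43520": ["18.7.2", "26.1"],   # kernel privilege escalation
    "CVE-2026-20700": ["26.3"],             # dyld user-mode PAC bypass
}

# The observed chain needs one RCE bug plus every bug in CHAIN_REQUIRED.
RCE_ANY = {"CVE-2025-31277", "CVE-2025-43529"}
CHAIN_REQUIRED = {"CVE-2026-20700", "CVE-2025-14174", "CVE-2025-43510", "CVE-2025-43520"}


def is_patched(version: str, fixed_builds: list) -> bool:
    """True if the device is at or above the fix on its own major-release branch.

    If no fix is listed for the device's branch, a newer major release than any
    fixed branch counts as patched (assumption); an older branch counts as exposed.
    """
    dev = parse_version(version)
    fixes = [parse_version(f) for f in fixed_builds]
    same_branch = [f for f in fixes if f[0] == dev[0]]
    if same_branch:
        return dev >= min(same_branch)
    return any(dev[0] > f[0] for f in fixes)


def exposed_cves(version: str) -> list:
    """CVEs from the DarkSword chain that this build has not received a fix for."""
    return [cve for cve, fixes in PATCHES.items() if not is_patched(version, fixes)]


def in_targeted_range(version: str) -> bool:
    """GTIG observed DarkSword against iOS 18.4 through 18.7 (any 18.7.x point release)."""
    v = parse_version(version)
    return (18, 4, 0) <= v and v[:2] <= (18, 7)


def full_chain_possible(exposed: list) -> bool:
    """The full chain works only if an RCE bug and every later-stage bug remain unpatched."""
    ex = set(exposed)
    return bool(ex & RCE_ANY) and CHAIN_REQUIRED <= ex


def triage(inventory: dict) -> dict:
    """Per-device exposure report for a {device_name: ios_version} inventory."""
    report = {}
    for device, version in inventory.items():
        exposed = exposed_cves(version)
        report[device] = {
            "version": version,
            "in_targeted_range": in_targeted_range(version),
            "exposed_cves": exposed,
            "full_chain_possible": full_chain_possible(exposed),
        }
    return report


if __name__ == "__main__":
    # Constructed inventory, not real device data.
    fleet = {"ceo-iphone": "18.5", "ops-iphone": "18.7.2",
             "dev-iphone": "26.2", "it-iphone": "26.3"}
    for name, row in triage(fleet).items():
        print(f"{name:12} iOS {row['version']:7} chain={row['full_chain_possible']!s:5} "
              f"exposed={', '.join(row['exposed_cves']) or 'none'}")
```

The distinction between `exposed_cves` and `full_chain_possible` matters for prioritisation: a device on 18.7.2 is still exposed to three of the six bugs, but the kernel fixes in 18.7.2 break the observed chain, whereas a device on 18.7.1 or earlier in the 18.4 range is exposed end to end and should be updated first.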
The widespread impact of such exploits underscores the importance of prompt patching and robust security hygiene. As discussed in "/blog/march-2026-patch-tuesday-actively-exploited-zero-day-cve-", actively exploited zero-days require immediate attention. Organizations should also consider starting a free EASM scan to identify and address potential entry points into their mobile ecosystems.