DarkSword is a six-vulnerability iOS exploit chain that silently compromises an iPhone the moment a vulnerable device loads an infected page — no tap, no download, no warning. Lookout Threat Labs identified at least three separate hacking groups deploying it against real targets; the full exploit code leaked to GitHub in March 2026. If you're running iOS 18.4 through 18.7 and haven't updated, your device is exposed now.
What you need to know:
- DarkSword chains six CVEs in JavaScript to take root-level control of an iPhone through Safari — no interaction beyond loading the page
- The payload, GHOSTBLADE, steals messages, photos, credentials, location data, and cryptocurrency wallet access, then attempts to delete itself
- Three separate hacking groups deployed DarkSword before the complete exploit code was published to GitHub on March 23, 2026, confirmed authentic by independent researchers
- iOS 26 is fully patched; Apple also released iOS 18.7.7 on April 1, 2026 for users remaining on iOS 18 — update to whichever applies to your device
- Lockdown Mode stops DarkSword on vulnerable iOS versions, at the cost of significant app and website functionality
From Intelligence Agency Tool to GitHub Download
The iOS zero-day market has always had a trickle-down problem. Exploit chains with iOS remote code execution capability routinely sell for $1 million or more on the private market — buyers are primarily intelligence agencies running targeted operations against journalists, dissidents, and foreign officials. At that price, you're not mass-targeting iPhone owners; you're burning expensive capabilities on specific, high-value individuals.
The secondary market is different. Commercial surveillance vendors — companies that buy or license government-grade exploits and resell access to state clients — don't apply the same operational discipline. PARS Defense, a Turkish commercial surveillance vendor, is one of the three groups that Google's Threat Intelligence Group identified as using DarkSword. Their clients run broader campaigns. Broader targeting means sloppier execution, which means exposure.
DarkSword's GitHub publication is the end of that chain. Apple's lock screen security alerts — behavior the company has not deployed before for active iOS exploits — are the company acknowledging something has changed structurally, not just patching one incident.
What DarkSword Actually Does
DarkSword is written entirely in JavaScript and runs inside Safari. That's unusual for a government-grade iOS exploit chain — most operate at a lower level. Running in a high-level interpreted environment means the chain can bypass iOS mitigations including Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM), while remaining portable enough that three completely different groups picked it up and deployed it.
The kill chain runs in stages. A JavaScriptCore JIT vulnerability in Safari's renderer process — CVE-2025-31277 or CVE-2025-43529 depending on the target's iOS version — achieves initial remote code execution via CVE-2026-20700. Two GPU process vulnerabilities (CVE-2025-14174 and CVE-2025-43510) then break the exploit out of Apple's sandboxed environment. A final privilege escalation via CVE-2025-43520 achieves root access. All six exploits chain together automatically, triggered by a page load. There is no prompt, no popup, no download.
UNC6353, the Russia-linked group, delivered the chain through a watering hole attack: they compromised multiple Ukrainian news and government websites, injected the malicious JavaScript, and waited. Visitors on vulnerable iOS devices were compromised the moment the page finished loading.
Once root access is established, the GHOSTBLADE infostealer deploys. It extracts iMessage conversations, Telegram and WhatsApp data, email, call history, contacts, browser history, photos, and location data. It also specifically targets a long list of cryptocurrency wallet apps: Coinbase, Binance, Kraken, KuCoin, OKX, MetaMask, Exodus, Phantom, Ledger, and Trezor, among others. That breadth of crypto targeting is unusual for a state espionage actor — Lookout researchers assess that UNC6353 operates partly as a financially motivated group, running cybercrime operations alongside their government-adjacent work. After exfiltration, GHOSTBLADE attempts to delete its own traces. UNC6353's implementation missed crash logs and browsing history entirely, which is part of how analysts confirmed what had run on affected devices.
Why the Russian Group Got Caught — and How DarkSword Was Found
Lookout Threat Labs were already investigating Coruna — a separate iOS exploit kit targeting iOS 13 through 17.2.1 — when a detail stood out. A new domain had been registered on the exact same day as a known Coruna-linked domain. Several of its sub-domains pointed to the same IP addresses. That shared infrastructure is what led researchers to DarkSword.
The new domain was hosting JavaScript files with obvious names and no obfuscation. The code was clean, well-commented, and peppered with emojis — a pattern consistent with AI-assisted development. The name "DarkSword" appeared explicitly in the source multiple times. When Lookout researchers loaded the exploit against test iPhones, the phones crashed. Repeatedly. They had to fix UNC6353's own implementation bugs locally to get the chain to run at all.
The picture that emerges: UNC6353 purchased a sophisticated, commercial-grade exploit kit and lacked the technical depth to deploy it. The other two groups using DarkSword — PARS Defense and UNC6748 — were professional enough to avoid exposing their infrastructure. UNC6353's sloppiness is the reason DarkSword is public knowledge at all.
One practical note worth filing here: rebooting your iPhone regularly cuts off in-memory implants that don't survive a restart. GHOSTBLADE's cleanup routine runs after exfiltration, but a reboot before that window closes denies the implant additional time to operate. It's not a fix for DarkSword specifically — it's a general defense that matters more as mobile implants get more common.
The GitHub Leak and What Came After
Lookout and Google's Threat Intelligence Group declined to publish the full DarkSword code after discovery. The reasoning was direct: the chain is simple to deploy and the exposure would be widespread. TechCrunch reported that an unidentified person published the complete exploit to GitHub three days later, on March 23, 2026. Security researchers confirmed on X that the published code is authentic.
The effect was fast. Additional threat actors — including TA446 — were observed deploying the leaked version in spear-phishing campaigns within days. A chain that required buying access from a commercial surveillance vendor now required a GitHub account.
Who Is Vulnerable, and What to Do
DarkSword targets iOS 18.4 through 18.7. The six CVEs are fully patched in iOS 26, with most addressed in earlier iOS 26 releases and all confirmed remediated in iOS 26.3. Apple also released iOS 18.7.7 on April 1, 2026 — a rare security-only update for users who have not upgraded to iOS 26. Devices that cannot run iOS 26 at all, such as the iPhone XS and XR, received their own separate patch.
Approximately 25% of iPhone and iPad users are still running iOS 18 or earlier, based on Apple's own figures. With roughly 2.5 billion active Apple devices globally, that's hundreds of millions of potentially exposed devices. Unlike targeted spyware campaigns, DarkSword doesn't require the attacker to know who you are — any visitor to an infected site on a vulnerable iOS version is a candidate.
If your device supports iOS 26: update to it. Done.
If you're staying on iOS 18: update to iOS 18.7.7. Apple released it specifically for this situation.
If you cannot or will not update: enable Lockdown Mode. It blocks DarkSword even on unpatched iOS versions. The tradeoffs are significant — certain apps fail, websites stop loading correctly, font rendering breaks. Settings → Privacy & Security → Lockdown Mode. It's a real restriction of normal iPhone functionality, and it's worth knowing about before you need it.
Beyond the immediate update, there's a broader iOS security baseline that most iPhone users haven't fully configured. The iPhone Privacy Setup Guide covers the settings Apple doesn't surface prominently, many of which limit what an attacker can access even if they do gain entry. And how you lock your device matters — a strong passcode is the last line of defense if an implant exfiltrates your unlock credentials.
Apple's lock screen alert reads: the company "is aware of attacks targeting out-of-date iOS software, including the version on your iPhone." That wording confirms active, ongoing exploitation — not theoretical risk. If you received that notification and haven't updated yet, this is what it was referring to.
The Bigger Issue
DarkSword isn't a one-off. It's the most recent example of a pattern researchers have documented repeatedly: sophisticated iOS exploits that start in targeted government operations eventually reach groups with no operational discipline about who they target. A chain that would have cost hundreds of thousands of dollars on the private exploit market three months ago is now a GitHub repository with a confirmed-authentic tag from the security community.
Apple's lock screen alerts are unusual precisely because the company rarely acknowledges active exploitation publicly and directly. The fact that they pushed notifications here signals that the exposure is real, the affected population is large, and the barrier to exploitation has dropped below what quiet patching can handle. Update your phone.
Your passwords are also at risk. GHOSTBLADE specifically targets saved credentials. If you use reused passwords across sites, one compromised iPhone means one compromised everything. 1Password generates and stores unique passwords per account — so a stolen credential from one site doesn't cascade. Worth setting up regardless of DarkSword.