Mark0

The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors

Google Threat Intelligence Group (GTIG) has uncovered "DarkSword," a sophisticated iOS full-chain exploit targeting versions 18.4 through 18.7. The chain, used by multiple commercial surveillance vendors and groups such as UNC6748 and PARS Defense, relies on six distinct vulnerabilities, including two zero-days in JavaScriptCore and a PAC bypass in dyld. Campaigns have been observed targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine through watering-hole attacks and decoy websites masquerading as legitimate services such as Snapchat.

The DarkSword chain is notable for using pure JavaScript across all of its stages, which lets it bypass advanced iOS mitigations such as SPTM and PPL without ever executing an unsigned binary. Successful exploitation leads to the deployment of modular backdoors such as GHOSTKNIFE and GHOSTSABER, or the GHOSTBLADE dataminer. Apple has since patched the associated vulnerabilities in iOS 26.3 and earlier updates, underscoring the need for users to keep device software up to date or to enable Lockdown Mode for stronger protection against high-end spyware.
