Google Threat Intelligence Group (GTIG) has uncovered "DarkSword," a sophisticated iOS exploit chain leveraging six vulnerabilities to compromise devices running iOS 18.4 through 18.7. This toolset has been adopted by various threat actors, including commercial surveillance vendors like PARS Defense and state-sponsored groups like UNC6748 and UNC6353. The exploit chain has been used in targeted campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine, deploying specialized backdoors known as GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE.
Unlike many previous exploit kits, DarkSword utilizes pure JavaScript for all stages, effectively bypassing Apple's advanced security mitigations like SPTM and PPL without needing binary execution. The chain includes a series of RCE exploits in JavaScriptCore, sandbox escapes via the GPU process and mediaplaybackd, and a kernel-mode local privilege escalation. GTIG coordinated with Apple and industry partners to patch these vulnerabilities, urging users to update to the latest iOS versions or use Lockdown Mode.