DarkSword: a new iPhone exploit chain used by spies and thieves

March 22, 2026 · 04:01 AM


Multi-stage JavaScript exploit enables full device compromise via drive-by web visits; patches released March 2026

  • Name: DarkSword (exploit chain / kit)
  • Timeframe: observed since at least November 2025; public reporting March 2026
  • Affected iOS versions: primarily iOS 18.4–18.7 (some payloads/variants targeted subsets); Apple released patches in iOS 18.7.x / 26.3
  • Delivery: drive-by web compromise / watering-hole attacks
  • Capabilities: full device compromise (kernel privileges), sandbox escape, remote code execution, quick data exfiltration and payload removal
  • Actors observed using it: UNC6353, UNC6748, commercial surveillance vendor ties
  • Payload families: Ghostblade, Ghostknife, Ghostsaber

How DarkSword works

  • Overview: Multi-stage JavaScript exploit chain runs in the browser.
  • Stages: Browser RCE → Sandbox escape → Kernel exploit → Payload delivery
  • Vulnerabilities used: JavaScriptCore, ANGLE, dyld PAC bypass, iOS kernel bugs
  • Loader behavior: Exploit loader uses Web Workers and fingerprinting to select appropriate stages

Published on CyberSight News
