Cybersecurity Community Alarmed by the Spread of DarkSword iOS Exploit Chain
In a concerning development for Apple device users, security researchers have confirmed that the sophisticated iOS exploit chain known as DarkSword is now accessible beyond its original threat actor groups. This revelation raises an urgent warning for millions of unpatched Apple devices globally. The exploit has gained notoriety for its potential to compromise the security of personal information.
Recently, security researcher @matteyeux reported successfully achieving kernel read/write access on an iPad mini 6th generation running iOS version 18.6.2, utilizing the in-the-wild DarkSword exploit. This breakthrough not only validates the exploit’s effectiveness but also underscores the immediate risk it poses to users of Apple devices who have not yet updated their systems.
The Attack Methodology
The DarkSword exploit kit represents a complex attack framework and infostealer primarily coded in JavaScript. Typically, the attack cycle begins when an unsuspecting user visits a compromised website containing a malicious iframe. This method is known as a "watering hole attack," where the adversary waits for targets to come to the trap rather than actively pursuing them.
Once the compromised webpage is loaded onto the target device, the exploit is designed to automatically break out of the Safari WebContent sandbox, which normally serves as a protective barrier for users. This initial breach marks the starting point of a finely tuned attack mechanism.
The exploit circumvents critical security measures, such as Trusted Path Read-Only features and Pointer Authentication Codes, by exploiting sensitive internal structures in the dynamic linker (dyld) that reside in writable stack memory. Following this, attackers pivot by leveraging an out-of-bounds write vulnerability present in the ANGLE graphics engine, progressing to the GPU process.
From this point, the exploit zeroes in on the XNU kernel, finding a Copy-On-Write vulnerability within the AppleM2ScalerCSCDriver. By establishing arbitrary memory read/write capabilities, attackers can modify sandbox restrictions and gain access to restricted files and directories.
Background and Attribution
The Google Threat Intelligence Group was among the first to observe DarkSword in active campaigns back in November 2025. The toolkit is primarily associated with UNC6353, a suspected Russian espionage group that had previously utilized the Coruna iOS exploit kit. Their operations appear to have targeted entities in Ukraine, Saudi Arabia, Turkey, and Malaysia.
Operating entirely in memory, DarkSword quickly force-loads scripts designed to deploy final-stage payloads. According to researcher Matteyeux, three distinct malware families—GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER—are employed post-compromise. These payloads are effective in exfiltrating sensitive data, including secure messages, saved passwords, and cryptocurrency wallet information from the infected devices.
The command and control infrastructure is notable for utilizing subdomains created on compromised legitimate websites, such as sqwas.shapelie[.]com, further obscuring the attackers’ operations from law enforcement and cybersecurity personnel.
Implications and Recommendations
The public acknowledgment of DarkSword’s capabilities by independent researchers significantly elevates the threat landscape, prompting a unified call to action among system administrators and security teams. It is critical that all Apple device users upgrade to iOS 26.1 or later, as these versions include important patches addressing the underlying kernel vulnerabilities exploited by DarkSword.
For high-risk individuals and enterprises, enabling Apple’s Lockdown Mode can offer an additional layer of defense against such sophisticated web-based exploit chains. By taking proactive measures, users can significantly mitigate their risk of falling victim to these types of cyber threats.
In summary, the emergence of DarkSword as a publicly accessible toolkit poses a substantial risk to the privacy and security of Apple device users worldwide. Increased vigilance is necessary to safeguard sensitive information against such advanced threats, reinforcing the importance of timely software updates and robust security practices in an ever-evolving digital landscape.