DarkSword Spyware: Is Your iPhone Watching You?

DarkSword attack chain is active in Saudi Arabia, Turkey, Malaysia and Ukraine | Credit: Getty
Google Threat Intelligence Group has uncovered the DarkSword exploit chain, which can exfiltrate data, take screenshots and record audio from infected devices

Far from paranoia, spyware is now a leading conversation in the intelligence community, with Google Threat Intelligence Group (GTIG) discovering powerful exploit kits targeting iOS devices twice in one month.

The new exploit chain, named by threat actors as DarkSword, was deployed to target Saudi Arabia, Turkey, Malaysia and Ukraine. 

“Since November 2025, commercial surveillance vendors and suspected state-sponsored actors have leveraged DarkSword in distinct campaigns,” says Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group on his LinkedIn.

DarkSword Timeline | Credit: Google

“By chaining together six different zero-day vulnerabilities, these actors were able to fully compromise devices running iOS 18.4 through 18.7.”

Wielding the DarkSword

Comprising six zero-day vulnerabilities, the exploit chain was traced back to late 2025, when the threat cluster named UNC6748 deployed it to target Saudi Arabian users.

Malicious JavaScript code lay in wait for users on the landing page of a Snapchat-themed website, snapshare.chat, which pulled in a frame.html resource.

With just one simple HTML file, hackers are able to completely take over a person's phone.

The Snapchat-themed website SnapShare used to target Saudi Arabian users | Credit: GTIG

The loader performs the initialisation required for the later stages and fetches the remote code execution (RCE) exploit over an XMLHttpRequest.

Threat actors leveraged various memory corruption vulnerabilities in the JavaScript engine used by WebKit and Apple Safari, as well as a pointer authentication code (PAC) bypass.

GHOSTKNIFE – The payload 

This payload, tracked by GTIG as GHOSTKNIFE, is written in JavaScript and has several modules for exfiltrating different types of data.

This includes signed-in accounts, messages, browser data, location history and recordings.

DarkSword infection chain | Credit: GTIG

GHOSTKNIFE can also take screenshots and record audio from the microphone of the infected device. 

GHOSTSABER – Turkey and Malaysia campaigns

GTIG, in November 2025, tracked the Turkish commercial surveillance vendor PARS Defense in activity linked to DarkSword in Turkey.

The Turkey activity shows more attention to operational security than UNC6748's: obfuscation was applied to the loader and exploit stages, and exploits were encrypted in transit between the server and the victim.

This malware is more advanced in that it can fetch the correct RCE exploit for the iOS version running on the victim's device.

In January 2026, DarkSword activity was observed in Malaysia, this time linked to a “different PARS Defense customer”. 


A distinct JavaScript payload tracked by GTIG as GHOSTSABER was identified in these attacks. “Its capabilities include device and account enumeration, file listing, data exfiltration and the execution of arbitrary JavaScript code,” GTIG notes.

Russian watering hole activity targets Ukraine 

Tracked by GTIG in the summer of 2025, UNC6353, “the suspected Russian espionage actor”, was found to deploy DarkSword in a watering hole campaign against Ukrainians.

A watering hole attack is one in which a website visited by a specific group is compromised by attackers. This means cybercriminals don't have to actively target victims; instead, they hack and wait, as visitors to the site are quietly infected with malware.

Ukrainian websites compromised by UNC6353 carry a malicious script, which fetches the first stage of delivery from the bad actor's server.

This time, a malware family called GHOSTBLADE is delivered to unsuspecting iOS users.

This malware is a data miner written in JavaScript with the capability to collect and exfiltrate a wide variety of data from a compromised device.

UNC6353 previously also deployed the Coruna exploit chain, which targets iOS devices, via Ukrainian websites.

Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group

Austin summarises these activities as follows: “GTIG first observed UNC6748 using DarkSword via a Snapchat-themed decoy site targeting users in Saudi Arabia in November 2025, followed closely by PARS Defense in Turkey. Between December 2025 and March 2026, UNC6353 utilised it in a new watering hole campaign targeting Ukrainian users.

“Depending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE or GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors closely mirrors the previously discovered Coruna iOS exploit kit.

“We reported these vulnerabilities to Apple late last year and all were successfully patched with the release of iOS 26.3.

“We strongly urge all users to update to the latest iOS version or enable Lockdown Mode for enhanced security.”
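The facts the article gives (the compromised range iOS 18.4 through 18.7, the fix in iOS 26.3, and the snapshare.chat decoy host) are enough for a defender to triage web proxy logs: flag any request to the decoy host and list clients whose Safari user agent still reports an unpatched iOS build. The following Python script is an added example, not code from the article or from GTIG; the log format, the sample log lines and the helper names are constructed for illustration, and the decoy host set should be treated as one indicator from the article rather than a complete list of DarkSword infrastructure.

```python
import re
from urllib.parse import urlsplit

# Facts taken from the article: DarkSword compromised iOS 18.4 through 18.7 and
# Apple shipped the fixes in iOS 26.3. Versions are compared as (major, minor).
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)
PATCHED_RELEASE = (26, 3)

# Decoy host named in the article for the UNC6748 campaign (an indicator to
# alert on; assumption: not a complete list of the chain's infrastructure).
DECOY_HOSTS = {"snapshare.chat"}

# Safari on iPhone advertises the OS as "CPU iPhone OS 18_5 like Mac OS X";
# iPad uses "CPU OS 18_5 ...", hence the optional device token.
UA_IOS_RE = re.compile(r"CPU (?:iPhone |iPad )?OS (\d+)_(\d+)(?:_(\d+))?")

# Constructed (hypothetical) proxy log format: timestamp client method url "user-agent"
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample log lines for the demonstration; not real traffic.
SAMPLE_PROXY_LOG = """\
2025-11-12T10:01:05Z 10.0.0.12 GET https://snapshare.chat/ "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1"
2025-11-12T10:01:06Z 10.0.0.12 GET https://snapshare.chat/frame.html "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1"
2025-11-12T10:02:30Z 10.0.0.40 GET https://example.com/news "Mozilla/5.0 (iPhone; CPU iPhone OS 26_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.3 Mobile/15E148 Safari/604.1"
2025-11-12T10:03:11Z 10.0.0.55 GET https://example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0 Safari/537.36"
"""


def parse_ios_version(user_agent):
    """Return (major, minor, patch) from an iOS Safari user agent, or None if not iOS."""
    m = UA_IOS_RE.search(user_agent)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def classify_version(version):
    """Bucket an iOS version against the range the article gives for DarkSword."""
    if version is None:
        return "not_ios"
    mm = version[:2]
    if AFFECTED_MIN <= mm <= AFFECTED_MAX:
        return "affected_range"        # 18.4-18.7: the range the chain was confirmed to compromise
    if mm < PATCHED_RELEASE:
        return "below_patch_release"   # outside the stated range, but not on the fixed build either
    return "patched"


def parse_log(text):
    """Yield (timestamp, client, host, path, user_agent) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the triage run
        ts, client, _method, url, ua = m.groups()
        parts = urlsplit(url)
        yield ts, client, (parts.hostname or "").lower(), parts.path, ua


def triage_proxy_log(text):
    """Alert on requests to a known decoy host, annotated with the client's iOS patch status."""
    findings = []
    for ts, client, host, path, ua in parse_log(text):
        if host in DECOY_HOSTS:
            findings.append({
                "time": ts, "client": client, "host": host, "path": path,
                "ios_status": classify_version(parse_ios_version(ua)),
            })
    return findings


def unpatched_ios_clients(text):
    """Clients whose iOS Safari user agent reports a build older than the patched release."""
    return {client for _ts, client, _host, _path, ua in parse_log(text)
            if classify_version(parse_ios_version(ua)) in ("affected_range", "below_patch_release")}


if __name__ == "__main__":
    for f in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f"DECOY HIT {f['time']} {f['client']} {f['host']}{f['path']} ios={f['ios_status']}")
    print("clients to push the iOS 26.3 update to:", sorted(unpatched_ios_clients(SAMPLE_PROXY_LOG)))
```

The version check is the durable part of this: decoy domains change between campaigns, but any device whose user agent still reports a build below the patched release is a candidate for the update or Lockdown Mode advice quoted above, whether or not it has touched a known host.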
