DarkSword iOS Exploit: 220+ Million iPhones at Risk – What Houston Area Businesses Need to Know
A six-vulnerability exploit kit is being sold on a secondary market to spies and criminals alike - and your team's iPhones may be targets.
Two iOS exploit kits discovered in a single month. That's the situation Apple and its 1.5 billion iPhone users are now facing. On March 18, 2026, Google's Threat Intelligence Group (GTIG), Lookout, and iVerify jointly disclosed DarkSword - a complete iOS exploit chain that has been silently compromising iPhones since at least November 2025. It follows just two weeks after the disclosure of a similar kit called Coruna.
What makes DarkSword especially alarming for Houston-area businesses isn't just the sophistication of the attack. It's who is using it. State-sponsored hackers, commercial surveillance vendors, and financially motivated criminals are all buying access to the same exploit kit. The old assumption that this kind of attack only targets journalists and political dissidents? That's out the window.
DarkSword is a complete exploit framework written entirely in JavaScript. It chains together six separate vulnerabilities to take an iPhone from "browsing a website" to "fully compromised" in a matter of seconds. The name comes from an internal label found in the exploit code itself.
The attack works through what security researchers call a "watering hole" technique. Attackers don't need to send you a phishing email or trick you into downloading anything. They compromise a legitimate website - a news outlet, a government portal, a business site - and inject a hidden iframe containing malicious JavaScript. When an iPhone with a vulnerable iOS version loads that page in Safari, DarkSword fires automatically.
Google's Threat Intelligence Group first observed DarkSword activity in November 2025. By December, multiple distinct threat actors were using it in campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine. GTIG reported all vulnerabilities to Apple in late 2025, and the last patch landed with iOS 26.3 in February 2026.
Here's the part that should concern every business owner: DarkSword was found being sold on a secondary market. This isn't a one-off tool built by a single intelligence agency. It's a commercial product being distributed to anyone willing to pay. Lookout researchers noted that both DarkSword and its predecessor Coruna show signs of AI-assisted code development, with LLM-generated comments explaining functionality throughout the codebase.
DarkSword doesn't rely on a single bug. It chains six vulnerabilities together, moving through distinct stages - remote code execution, sandbox escape, privilege escalation, and payload deployment. Three of these were exploited as zero-days before Apple had patches available.
The vulnerabilities in the chain:
- CVE-2025-31277: A memory corruption flaw in JavaScriptCore (Safari's JavaScript engine) that gives the attacker initial code execution. Used against devices running iOS versions before 18.6.
- CVE-2025-43529 (zero-day): A separate JavaScriptCore garbage collection bug used for code execution on iOS 18.6 and 18.7 devices. Patched in iOS 18.7.3 and 26.2.
- CVE-2026-20700 (zero-day): A flaw in dyld, Apple's dynamic link editor, used to bypass Pointer Authentication Codes (PAC) - a hardware-level security feature. This was the first actively exploited Apple zero-day of 2026. Added to CISA's Known Exploited Vulnerabilities catalog. Patched in iOS 26.3.
- CVE-2025-14174 (zero-day): A memory corruption vulnerability in ANGLE (the graphics abstraction layer) used for sandbox escape through the GPU process. Patched in iOS 18.7.3 and 26.2.
- CVE-2025-43510: A memory management vulnerability in the iOS kernel that allows the attacker to move from the GPU process to kernel-level access. Patched in iOS 18.7.2 and 26.1.
- CVE-2025-43520: A kernel memory corruption flaw used for final privilege escalation, giving the attacker arbitrary read/write access and the ability to execute injected JavaScript with full device privileges.
The attack flow is methodical. DarkSword first exploits a Safari bug for code execution, then escapes the WebContent sandbox by pivoting into the GPU process, then moves from the GPU process into mediaplaybackd (a system daemon handling media playback), then compromises the XNU kernel for full device control. All of this happens while the user sees nothing unusual on their screen.
What sets DarkSword apart from typical exploit disclosures is the breadth of actors using it. Google identified at least three distinct groups, each with different targets and objectives.
- UNC6748: Targeted Saudi Arabian users in November 2025 using a fake Snapchat website (snapshare[.]chat). Deployed GHOSTKNIFE, a JavaScript backdoor capable of stealing account data, messages, browser history, location, and recordings.
- PARS Defense (Turkish surveillance vendor): Used DarkSword in Turkey in November 2025 and in Malaysia through a different customer in January 2026. Deployed GHOSTSABER, a backdoor with device enumeration, file listing, data exfiltration, and arbitrary JavaScript execution capabilities. This group applied more sophisticated OPSEC, encrypting exploit payloads between server and victim.
- UNC6353 (suspected Russian espionage): Launched watering hole attacks against Ukrainian users from December 2025 through March 2026. Deployed GHOSTBLADE, an information stealer targeting credentials, crypto wallets, photos, messages, and location data. This same group previously used the Coruna exploit kit.
The UNC6353 campaign is particularly notable because the attackers compromised legitimate Ukrainian websites - including a news agency and a government court portal - to deliver DarkSword. Anyone visiting those sites on a vulnerable iPhone got hit.
Google's assessment is blunt: there are likely additional threat actors using DarkSword that haven't been identified yet.
The Secondary Market Problem
Lookout researchers flagged a disturbing trend: there appears to be a secondary market for technically advanced iOS exploit chains where sellers have no concern for how their tools will be used. Groups with limited technical resources can now purchase top-tier exploits and customize them - potentially with the help of AI - for their specific targets. This means the threat isn't limited to high-profile espionage. Any business could become a target.
iVerify estimates that 14.2% of all iOS users - approximately 221.5 million devices running iOS 18.4 through 18.6.2 - are directly vulnerable to the DarkSword exploit chain. If the underlying vulnerabilities can be exploited against iOS versions below 18.4 and above 26.x (which hasn't been ruled out), the number jumps to roughly 296 million devices, or about 19% of all iPhones worldwide.
For Katy and Houston-area businesses, think about how many iPhones are in your organization right now. Every employee who hasn't updated their phone is carrying a potentially compromised device into your office, connecting to your Wi-Fi, accessing your email, your cloud apps, your client data.
The targets so far have been geographically concentrated - Saudi Arabia, Turkey, Malaysia, Ukraine - but the exploit kit itself isn't region-locked. Any iPhone running a vulnerable iOS version is fair game. And with DarkSword available on a secondary market, it's only a matter of time before it shows up in campaigns targeting U.S. businesses.
Industries handling sensitive financial data, client records, or intellectual property should consider themselves high-priority targets. That includes law firms, wealth management firms, CPA practices, and oil and gas companies - all of which are well-represented across the Houston metro area.
Lookout described DarkSword's approach as a "hit-and-run" - the malware collects and exfiltrates targeted data within seconds to minutes, then cleans up after itself. That short operational window makes detection extremely difficult.
The GHOSTBLADE malware family (deployed by UNC6353) collects:
- Credentials: Usernames, passwords, and encryption keys stored on the device
- Cryptocurrency data: Wallet apps, exchange data, and private keys across multiple crypto platforms
- Communications: iMessage, Telegram, WhatsApp messages, email, SMS, and call history
- Personal data: Photos, contacts, calendar entries, notes, and location history
- Browser data: Safari history, cookies, and saved form data
- System information: Device details, installed apps, signed-in accounts, and connectivity information
- iCloud Drive files: Documents synced through Apple's cloud storage
GHOSTKNIFE and GHOSTSABER (used by UNC6748 and PARS Defense respectively) have similar capabilities, with GHOSTSABER adding backdoor functionality that allows attackers to execute arbitrary code remotely and potentially activate the device microphone.
For a business, a single compromised employee iPhone could expose client communications, financial records, authentication tokens for corporate systems, and strategic documents - all without anyone knowing it happened.
Apple has patched all six DarkSword vulnerabilities across multiple iOS releases. CISA added CVE-2026-20700 to its Known Exploited Vulnerabilities catalog, mandating federal agency remediation by March 5, 2026. Here's what you need to do:
- Update every iPhone to iOS 26.3.1 (preferred) or iOS 18.7.6. These are the latest releases containing patches for all six vulnerabilities. Do not wait for users to update on their own - enforce it through device management policies.
- Enable Lockdown Mode on high-risk devices. Apple's Lockdown Mode significantly reduces the attack surface by disabling certain features exploited by DarkSword, including JIT compilation in Safari. Executives, financial staff, and anyone handling sensitive data should enable it.
- Audit your device inventory. Know exactly which iOS versions are running across your organization. Any device on iOS 18.4 through 18.7 that hasn't been updated is a potential entry point.
- Implement mobile device management (MDM). MDM solutions let you enforce OS version requirements, block non-compliant devices from corporate resources, and push updates remotely. Without MDM, you're relying on every employee to update their phone voluntarily.
- Review browser history for compromise indicators. Because DarkSword doesn't clean up Safari's browser history or WebKit databases, forensic tools can identify visits to known malicious domains. iVerify has published indicators of compromise.
- Block known DarkSword domains. Google has added domains involved in DarkSword delivery to Safe Browsing. Ensure your network security infrastructure is configured to leverage these blocklists.
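One way to carry out the inventory audit from the steps above, as an added example that is not from the article or from any MDM vendor: a short Python script that classifies every device in a constructed MDM export against the minimum releases the article names, iOS 18.7.6 and iOS 26.3.1, and flags the 18.4 through 18.7 range the article calls directly vulnerable. The CSV column names `device` and `os_version` are assumptions; adjust them to match your MDM's export.

```python
"""Flag iPhones in an MDM inventory export that are below the iOS releases
recommended above (iOS 18.7.6 or iOS 26.3.1). Example code, not a vendor tool."""
import csv
import io

# Minimum releases the article names as carrying all six DarkSword fixes.
MIN_PATCHED = {18: (18, 7, 6), 26: (26, 3, 1)}
# Range the article describes as directly targeted: iOS 18.4 through 18.7.x.
TARGETED_LOW, TARGETED_HIGH = (18, 4), (18, 8)


def parse_version(text):
    """'18.6.2' -> (18, 6, 2); a missing component ('18.7') is padded with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(version_text):
    """Return (status, reason) for one iOS version string."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return ("unknown", "unparseable version string; check the device by hand")
    major = v[0]
    if major > 26 or (major in MIN_PATCHED and v >= MIN_PATCHED[major]):
        return ("patched", "at or above the recommended release")
    if TARGETED_LOW <= v[:2] < TARGETED_HIGH:
        return ("vulnerable", "in the iOS 18.4 through 18.7 range DarkSword targets")
    if major == 26:
        return ("vulnerable", "below the recommended iOS 26.3.1")
    return ("unknown", "outside the analysed range; exploitability not ruled out")


def audit(csv_text):
    """Map device name -> (status, reason) for an export with 'device' and
    'os_version' columns (column names are an assumption)."""
    return {row["device"]: classify(row["os_version"])
            for row in csv.DictReader(io.StringIO(csv_text))}


# Constructed sample export; the device names and versions are made up.
SAMPLE_CSV = """device,os_version
cfo-iphone,18.6.2
sales-03,18.7.6
legal-01,26.2
legal-02,26.3.1
intern-07,18.3.1
loaner-a,n/a
"""

if __name__ == "__main__":
    for name, (status, why) in audit(SAMPLE_CSV).items():
        print(f"{name:12} {status:10} {why}")
```

Anything not reported as "patched" should be pushed an update through MDM, and "unknown" rows deserve a manual look rather than being assumed safe.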
If you don't have a way to verify which iOS versions your employees are running, that's a gap that needs to be closed today - not next quarter.
CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area. CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees.
Threats like DarkSword are exactly why mobile security can't be an afterthought. Here's how we help:
- Mobile Device Management (MDM) deployment and enforcement: We configure and manage MDM policies that require minimum OS versions, push updates automatically, and block non-compliant devices from accessing corporate email, apps, and networks.
- Patch management across all endpoints: iPhones, iPads, Windows machines, Macs - we track every device in your fleet and ensure critical security patches are applied within defined SLAs, not whenever someone gets around to it.
- Network-level threat blocking: We configure DNS filtering, web content filtering, and firewall rules that block known malicious domains - including those associated with DarkSword delivery infrastructure.
- Security awareness training: While DarkSword is a watering hole attack (not a phishing email), training your team to recognize when something doesn't look right and to report suspicious behavior is still a critical layer of defense.
- Incident response support: If you suspect a device has been compromised, we help investigate, contain the damage, and remediate - fast.
- Ongoing vulnerability monitoring: We track CISA KEV additions, vendor advisories, and threat intelligence feeds so you don't have to. When something like DarkSword drops, we're already working on your response plan.
In 30 years of managing IT - including time at Cisco and running networks for energy companies - the pattern I see most often is businesses that assume iPhones are inherently secure. They're not. They're targets, and DarkSword proves it. The businesses that stay protected are the ones that treat mobile devices with the same rigor they apply to their servers and workstations.
What is the DarkSword iOS exploit and how does it work?
DarkSword is a full iOS exploit chain that targets iPhones running iOS 18.4 through 18.7. It uses six vulnerabilities, three exploited as zero-days, to fully compromise devices through compromised websites. Once triggered, it steals credentials, messages, photos, crypto wallet data, and more within seconds before removing itself.
How many iPhones are affected by DarkSword?
According to iVerify, approximately 221.5 million devices running iOS 18.4 through 18.6.2 are believed to be directly vulnerable, representing about 14.2% of all iOS users. If all iOS 18 versions are susceptible, the number could reach 296 million devices - nearly 19% of all iPhones worldwide.
How can I protect my iPhone and business devices from DarkSword?
Update all iPhones immediately to iOS 26.3.1 or iOS 18.7.6, which contain patches for all six DarkSword vulnerabilities. Enable Lockdown Mode on devices belonging to high-risk personnel. A managed IT services provider can enforce update policies across your organization and monitor for indicators of compromise.
Who is behind the DarkSword attacks?
Multiple threat actors have used DarkSword since November 2025. These include UNC6353 (a suspected Russian espionage group targeting Ukraine), UNC6748 (targeting Saudi Arabian users), and customers of PARS Defense (a Turkish commercial surveillance vendor targeting users in Turkey and Malaysia). The exploit is available on a secondary market, meaning additional groups likely have access.
Does DarkSword require users to click anything to be infected?
DarkSword uses a watering hole method where malicious code is injected into legitimate websites. Simply visiting a compromised website with Safari on a vulnerable iPhone triggers the exploit chain. It requires only one click - the initial page visit - making it extremely difficult to detect or prevent without up-to-date software.
Sources
- Google Threat Intelligence Group - The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
- Lookout - Attackers Wielding DarkSword Threaten iOS Users
- iVerify - Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
- SecurityWeek - DarkSword iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors
- The Hacker News - DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover
- CISA Known Exploited Vulnerabilities Catalog - CVE-2026-20700
- BleepingComputer - New DarkSword iOS exploit used in infostealer attack on iPhones