DarkSword iOS Exploit Chain


What is the Attack?

Researchers from Google Threat Intelligence Group identified DarkSword, a sophisticated full-chain iOS exploit framework actively used by multiple surveillance vendors and suspected state-sponsored actors. Observed since at least November 2025, the exploit has been deployed in targeted campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine, enabling silent compromise of iOS devices and delivery of post-exploitation malware.

DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve:
• Remote Code Execution (RCE)
• Sandbox Escape
• Kernel-Level Privilege Escalation

Campaign-Specific Tradecraft:
• Saudi Arabia: Fake Snapchat lookalike used as a social engineering lure
• Ukraine: Compromise of at least two local websites, including a government site (watering hole attack)

Post-Exploitation Malware Families:
• GHOSTBLADE: Initial-stage implant for device profiling and access validation
• GHOSTKNIFE: Intermediate payload enabling data collection and command execution
• GHOSTSABER: Advanced implant supporting persistent surveillance and data exfiltration

What is the recommended Mitigation?

  • Immediate Patching:
    Upgrade iOS devices beyond affected versions as security updates become available

  • Web Filtering & DNS Security:
    Block access to suspicious or newly registered domains used in exploit delivery

  • High-Risk User Protection:
    Enforce stricter controls (device hardening, limited browsing exposure) for sensitive roles

  • Threat Intelligence Integration:
    Continuously ingest indicators related to DarkSword infrastructure and malware families

What FortiGuard Coverage is available?

• FortiGuard Incident Response: Organizations that suspect compromise of iOS devices via the DarkSword exploit chain should engage FortiGuard Incident Response for rapid investigation, containment, forensic analysis, and recovery support. Focus areas include identification of exploit-triggering web activity, analysis of post-exploitation malware (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER), validation of device compromise scope, and detection of potential data exfiltration or persistent surveillance mechanisms.

• FortiGuard Labs Threat Intelligence: FortiGuard Labs is actively monitoring threat activity associated with DarkSword and related mobile exploitation frameworks identified by Google Threat Intelligence Group.

• FortiGuard Antivirus & Behavior Detection: Protects against post-exploitation malware families associated with DarkSword, including GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

• FortiGuard Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known DarkSword-associated indicators, including malicious domains used for exploit delivery, watering hole infrastructure, and command-and-control endpoints.
