DarkSword: Inside the Six-Vulnerability iOS Exploit Kit Used by State-Sponsored Hackers

In March 2026, researchers at iVerify — Matthias Frielingsdorf and Mateusz Krzywicki — published their analysis of a full-chain iOS exploit kit they named DarkSword. Within days, Google’s Threat Intelligence Group and Lookout confirmed the kit had already been deployed in targeted campaigns by at least two threat actors: a commercial surveillance vendor and a state-sponsored threat actor targeting specific users.

The timing matters. DarkSword had been circulating in the wild since at least November 2025 — four months before researchers published their findings. During that window, an estimated 221 million devices running iOS 18.4 through 18.6.2 were exposed to a zero-click-capable attack chain that required nothing more than a Safari page load to compromise a device from browser to kernel.

This article breaks down the DarkSword chain, the campaigns that deployed it, and what mobile security practitioners need to know.


What Is DarkSword?

DarkSword is a browser-delivered, full-chain iOS exploit kit that strings together six vulnerabilities to achieve complete device compromise. Unlike techniques that require the target to install an app or approve a permissions dialog, DarkSword activates the moment a vulnerable device loads a malicious web page — including a page delivered through a compromised legitimate site or a malicious advertisement inside Safari.

The chain was delivered via watering hole attacks: compromised Ukrainian government and news sites (novosti[.]dn[.]ua and 7aac[.]gov[.]ua) hosted malicious iframes loading attacker-controlled JavaScript from static[.]cdncounter[.]net, infrastructure hosted in Estonia.

TL;DR — DarkSword at a Glance

Kit name: DarkSword
Discovered by: Matthias Frielingsdorf & Mateusz Krzywicki (iVerify), March 2026
Collaborated on analysis: Lookout, Google Threat Intelligence Group (GTIG)
CVEs: 6 total — 3 exploited as zero-days
Affected versions: iOS 18.4 – 18.6.2
Estimated exposure: ~221 million devices (14.2% of iOS users)
Delivery: Watering hole via compromised legitimate websites
Known deployers: A commercial surveillance vendor; a state-sponsored threat actor
Patch: iOS 18.7.6 / iOS 26.3.1


The Six Vulnerabilities: A Three-Stage Chain

DarkSword’s power comes from its architecture: three discrete stages, each exploiting a separate component, and each escaping the sandbox that confined the stage before it. Here is the full CVE inventory:

CVE            | Component              | Vulnerability                                        | Zero-Day? | Patched In
CVE-2025-31277 | Safari WebContent JIT  | RegExp match — arbitrary memory r/w                  | No        | iOS 18.6
CVE-2025-43529 | Safari WebContent JIT  | Use-after-free — arbitrary memory r/w                | Yes       | iOS 26.2
CVE-2026-20700 | dyld (dynamic linker)  | TPRO + PAC bypass — arbitrary code exec              | Yes       | iOS 26.3
CVE-2025-14174 | ANGLE (GPU process)    | OOB write — sandbox escape via GPU                   | Yes       | iOS 26.2
CVE-2025-43510 | AppleM2ScalerCSCDriver | Copy-on-write via selector 1 — mediaplaybackd escape | No        | iOS 26.1
CVE-2025-43520 | XNU Kernel             | Kernel privilege escalation — arbitrary r/w          | No        | iOS 26.1

Stage 1 — WebKit RCE and PAC Bypass

The chain begins in Safari’s WebContent process. Depending on the target iOS version, the kit selects either CVE-2025-31277 (a RegExp JIT flaw, patched in iOS 18.6) or CVE-2025-43529 (a use-after-free in the JavaScriptCore JIT, exploited as a zero-day). Both achieve the same goal: arbitrary memory read/write within the WebContent sandbox.

With memory primitives established, the kit then exploits CVE-2026-20700 in dyld — Apple’s dynamic linker — to bypass Pointer Authentication Codes (PAC) and Thread Protection (TPRO), turning the memory r/w primitive into arbitrary code execution in the WebContent process. PAC was introduced specifically to make exploitation of memory corruption bugs much harder; CVE-2026-20700 nullified that protection for this chain.

Stage 2 — Sandbox Escape Through the GPU

A compromised WebContent process is still sandboxed. The kit’s pivot to freedom goes through an unexpected path: the GPU. CVE-2025-14174, an out-of-bounds write in ANGLE (the GPU abstraction layer), allows the exploit to escape the WebContent sandbox and gain execution in the GPU process. From the GPU process, CVE-2025-43510 — a copy-on-write issue in AppleM2ScalerCSCDriver — provides a route into mediaplaybackd, a daemon with significantly broader system privileges.

Stage 3 — Kernel Takeover

From mediaplaybackd, the chain’s final bug — CVE-2025-43520, a kernel privilege escalation in XNU — establishes arbitrary kernel-level read/write primitives. At this point, the device is fully compromised. A JavaScript-based implant is injected into system processes, enabling comprehensive data exfiltration.

[Figure] DarkSword exploit chain: Browser RCE → GPU Sandbox Escape → dyld Code Injection → Kernel Privilege Escalation


Who Used DarkSword and What Did They Steal?

Commercial Surveillance Vendor — JavaScript Backdoor

A commercial surveillance company deployed DarkSword in November 2025 and again in January 2026. Their payload was a JavaScript backdoor that performed device enumeration, installed app listing, file system browsing, data exfiltration, and arbitrary JavaScript code execution on the compromised device.

State-Sponsored Threat Actor — Advanced Implant and Ukrainian Targeting

A state-sponsored threat actor deployed DarkSword against Ukrainian users via the compromised government and news websites mentioned above. Their implant had a much broader collection mandate. From a compromised device, it harvested:

  • Cryptocurrency wallet data from 50+ apps (Ledger, MetaMask, Phantom, Coinbase, Kraken)
  • Communications: SMS, iMessage, call history, Telegram and WhatsApp data
  • Credentials: WiFi passwords, iOS Keychain contents
  • Location history, Safari browsing history, calendar, photos metadata, notes
  • Device identifiers, SIM card information

Exfiltrated data was sent to sqwas[.]shapelie[.]com over ports 8881 and 8882.


Why 221 Million Devices? The Patch Lag Problem

According to iVerify, approximately 14.2% of active iOS devices — around 221 million — were running iOS 18.4 through 18.6.2 at the time of disclosure. This window existed because of a well-understood but persistent problem: users do not update immediately, and enterprises often enforce update delays for compatibility testing.

Three of DarkSword’s six CVEs were exploited as zero-days — meaning attackers had working exploits before Apple had patches available. For CVE-2026-20700 (the dyld PAC bypass), a patch did not land until iOS 26.3. This means any device that had not upgraded to the iOS 26 family was exposed to an unpatched kernel-level RCE chain during the entire campaign window.


Detection: Forensic Indicators from iVerify

The iVerify research team published several high-confidence detection signals that can be used for incident response or device triage. Mobile security practitioners doing forensic work on potentially compromised iOS devices should look for:

iOS Forensic Log Indicators — DarkSword
# Check for mediaplaybackd DarkSword log tags in syslog
$ log show --predicate 'process == "mediaplaybackd"' --last 7d | grep -E "DarkSword|WIFI-DUMP|\[MAIN\]"
[+] Match: com.apple.mediaplaybackd [DarkSword-WIFI-DUMP] scanning keychain

# Check for rapid successive WebKit process crashes
$ log show --predicate 'process == "ReportCrash"' --last 7d | grep -E "WebKit.GPU|WebKit.WebContent" | head -20

# Check for implant files in /private/var/tmp/
$ find /private/var/tmp/ -name "keychain-2.db" -o -name "persona.kb" -o -name "wifi_passwords.txt" -o -name "usersession.kb" 2>/dev/null
[+] /private/var/tmp/keychain-2.db -- INDICATOR OF COMPROMISE

# Look for iCloud dump directory
$ ls /private/var/tmp/icloud_dump/ 2>/dev/null && echo "IOC: iCloud exfil staging dir found"
# Crash signature: EXC_ARM_DA_ALIGN at 0x0000000000000201 in mediaplaybackd

These commands assume access to the device file system (jailbroken device or via a forensic acquisition). For enterprise triage without jailbreaking, iVerify’s mobile threat detection product and Lookout’s Security Cloud both detect DarkSword indicators passively.
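As an added example (not code from iVerify or from the original write-up), the Python helper below applies the same indicators to exported log lines and a file listing in one pass: it flags the mediaplaybackd log tags, a burst of WebKit GPU/WebContent crashes inside a short window, the EXC_ARM_DA_ALIGN crash signature and the /private/var/tmp artifacts. The log line layout ("YYYY-MM-DD HH:MM:SS process: message") and the sample data are constructed assumptions, so adapt the timestamp parsing to whatever export format your acquisition produces.

```python
import re
from datetime import datetime, timedelta

# Artifacts and log markers from the iVerify indicators above.
IMPLANT_FILES = {"keychain-2.db", "persona.kb", "wifi_passwords.txt", "usersession.kb"}
IMPLANT_DIR = "/private/var/tmp/"
STAGING_DIR = "/private/var/tmp/icloud_dump/"
TAG_RE = re.compile(r"DarkSword|WIFI-DUMP|\[MAIN\]")
WEBKIT_CRASH_RE = re.compile(r"ReportCrash.*WebKit\.(GPU|WebContent)")
ALIGN_RE = re.compile(r"mediaplaybackd.*EXC_ARM_DA_ALIGN.*0x0*201\b")
# Assumed (constructed) log line layout: "YYYY-MM-DD HH:MM:SS process: message".
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

def triage(log_lines, file_paths, window=timedelta(minutes=5), threshold=3):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings, crashes = [], []
    for line in log_lines:
        if "mediaplaybackd" in line and TAG_RE.search(line):
            findings.append("implant log tag in mediaplaybackd: " + line.strip())
        if ALIGN_RE.search(line):
            findings.append("mediaplaybackd crash signature EXC_ARM_DA_ALIGN at 0x201")
        if WEBKIT_CRASH_RE.search(line):
            crashes.append(datetime.strptime(line[:19], TS_FORMAT))
    # "Rapid successive" WebKit crashes: at least `threshold` inside one `window`.
    crashes.sort()
    for i in range(len(crashes) - threshold + 1):
        if crashes[i + threshold - 1] - crashes[i] <= window:
            findings.append(f"{threshold}+ WebKit GPU/WebContent crashes within {window}")
            break
    for path in file_paths:
        directory, _, name = path.rpartition("/")
        if directory + "/" == IMPLANT_DIR and name in IMPLANT_FILES:
            findings.append("implant artifact on disk: " + path)
        elif path.rstrip("/") + "/" == STAGING_DIR or path.startswith(STAGING_DIR):
            findings.append("iCloud exfil staging directory present: " + path)
    return findings

# Constructed sample input; not real device data.
SAMPLE_LOG = [
    "2026-01-14 10:02:11 ReportCrash: com.apple.WebKit.WebContent crashed",
    "2026-01-14 10:02:19 ReportCrash: com.apple.WebKit.GPU crashed",
    "2026-01-14 10:02:40 ReportCrash: com.apple.WebKit.WebContent crashed",
    "2026-01-14 10:03:05 mediaplaybackd: [DarkSword-WIFI-DUMP] scanning keychain",
    "2026-01-14 10:09:31 ReportCrash: mediaplaybackd EXC_ARM_DA_ALIGN at 0x0000000000000201",
]
SAMPLE_FILES = ["/private/var/tmp/keychain-2.db", "/private/var/tmp/icloud_dump/",
                "/private/var/tmp/com.apple.harmless.plist"]
```

Calling triage(SAMPLE_LOG, SAMPLE_FILES) on the constructed data returns five findings; the harmless plist in the same directory is ignored because only the exact artifact names are matched.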

For practitioners who want hands-on experience with the iOS runtime analysis and hooking techniques used to investigate malicious iOS implants of this kind, the Frida Advanced Techniques guide on this site covers runtime hooking primitives that carry over directly to iOS work. For a broader picture of iOS app attack surface, our Flutter App Penetration Testing walkthrough demonstrates cross-platform interception techniques relevant to any iOS testing workflow.


What Should You Do?

For iOS Users

  • Update immediately — iOS 18.7.6 or iOS 26.3.1 patches all six DarkSword CVEs. If you are on an older iPhone (XS/XR, 7th-gen iPad) that received iOS 18.7.7, that update also closes the DarkSword chain for those devices.
  • Enable Lockdown Mode if you are a high-risk individual (journalist, activist, government official, executive). Lockdown Mode significantly reduces the browser attack surface that DarkSword exploits.
  • Consider iPhone 17 hardware for maximum protection — Memory Integrity Enforcement (MIE) on the A19 chip provides hardware-backed mitigation against the kernel exploitation stage (CVE-2025-43520).

For Security Practitioners

  • Add DarkSword IoCs to your mobile threat hunting rules. The file-system artifacts (keychain-2.db, usersession.kb, wifi_passwords.txt in /private/var/tmp/) and the process crash signatures are high-confidence signals.
  • Review your organization’s iOS update policy. The 221-million-device exposure window happened because of patch lag. If your MDM enforces a delay before allowing OS updates, audit whether that delay is still necessary — the DarkSword window shows how costly even a few weeks can be.
  • Monitor for watering hole campaigns. DarkSword was not delivered via phishing links — it came through legitimate-looking compromised websites. Conventional “don’t click unknown links” advice provides zero protection here. Network-layer monitoring for anomalous JavaScript loads from otherwise-trusted domains is the right defensive layer.
  • Treat zero-day PAC bypass CVEs as systemic risks. CVE-2026-20700 (the dyld PAC bypass) neutralized one of Apple’s flagship memory safety mitigations. When a mitigation that wide is bypassed, it typically indicates a research community has been studying the implementation for weaknesses — future variants should be expected.

The Bigger Picture: iOS Exploit Kit Proliferation

DarkSword is not an isolated incident. In the same week that Apple expanded DarkSword patches to iOS 18.7.7, Security Affairs reported a second exploit kit — Coruna — was also being patched simultaneously. The iVerify team noted that DarkSword’s discovery came approximately two weeks after their Coruna investigation concluded, suggesting the same research pipeline is uncovering a wave of previously undetected iOS exploit kits that have been circulating among commercial spyware vendors and state-sponsored actors.

The lesson for the mobile security community: the assumption that zero-click iOS exploitation requires nation-state resources and significant investment is increasingly outdated. Commercial surveillance vendors are productizing full-chain iOS exploit kits, and the same kit is now turning up in campaigns run by multiple threat actors. The barrier to entry for this class of attack is falling.

Staying ahead of this curve means understanding how these chains are built at a technical level — not just updating when patches land, but understanding what was patched and why. For hands-on practice with iOS security research techniques, we recommend Mobile Hacking Lab — a platform that provides real-device iOS and Android environments for security research and penetration testing. For teams looking to automate mobile security testing and threat analysis workflows, Djini.ai provides AI-powered mobile security automation.


References

  • iVerify — Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites (iverify.io)
  • Matthias Frielingsdorf & Mateusz Krzywicki (iVerify) — original DarkSword discovery
  • Google Cloud Blog — The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
  • Lookout — Attackers Wielding DarkSword Threaten iOS Users
  • Malwarebytes — Apple expands “DarkSword” patches to iOS 18.7.7 (malwarebytes.com)
  • SecurityWeek — DarkSword iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors
  • Help Net Security — DarkSword: Researchers uncover another iOS exploit kit
  • The Hacker News — DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover
  • Apple Security Updates — iOS 18.7.7 / iOS 26.3.1 (support.apple.com)