DARKSWORD is an iPhone exploit chain that uses multiple zero-day vulnerabilities to fully compromise devices, according to Google's Threat Intelligence Group (GTIG). It targets iPhones running iOS versions 18.4 through 18.7 and has been used by commercial surveillance vendors and suspected state-sponsored threat actors to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025.
The attack chain leverages several flaws, including CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520, enabling remote code execution, sandbox escape, and privilege escalation to deliver payloads. In a typical operation, a user on a vulnerable device visits a malicious site and, with a single click, the complete chain executes to gain kernel privileges and exfiltrate data; the malware can collect data within seconds to minutes before removing itself.
Lookout highlights that DarkSword also targets cryptocurrency wallets, indicating a dual-use motive that could support monetary gain. One notable actor associated with DarkSword is UNC6353, a suspected Russian espionage group, which reportedly conducted watering hole attacks against Ukrainian users.