thehackernews.com 3/19/2026, 9:59:31 AM · via preferred

DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover

DARKSWORD is a full iOS exploit chain, reportedly used by multiple threat actors since at least November 2025, with six vulnerabilities employed to deliver three payloads, two of which were zero-days at the time. According to GTIG, three zero-days (CVE-2026-20700, CVE-2025-43529 and CVE-2025-14174) were exploited before Apple patched them, and the chain also lists CVE-2025-31277, CVE-2025-43510 and CVE-2025-43520 among the exploits involved.

Lookout and iVerify note the chain targets iPhones running iOS versions 18.4 to 18.7, and was deployed by UNC6353 in attacks against Ukrainian users, with other actors including UNC6748 and PARS Defense also linked to DarkSword campaigns.

The attack typically begins when a user visits a page via Safari that embeds a JavaScript-loaded iFrame, after which DarkSword can break out of the Safari renderer, leverage WebGPU, and enable a data-mining module called GHOSTBLADE to exfiltrate a wide range of data and then clean up. The researchers emphasise the exploit’s portability, its “hit-and-run” exfiltration approach, and the reality that a second-hand market exists for such iOS exploits.

Article by CyberSIXT