cloud.google.com 3/18/2026, 3:10:19 PM · external

The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors

The Google Threat Intelligence Group (GTIG) reported on the DarkSword exploit chain being used by multiple threat actors to target iOS devices. Since November 2025, various surveillance vendors and state-sponsored entities, particularly in countries like Saudi Arabia, Turkey, Malaysia, and Ukraine, have deployed this exploit chain, which takes advantage of six zero-day vulnerabilities across iOS versions 18.4 to 18.7. The exploit chain supports three malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

GTIG encouraged users to update to the latest iOS version for protection, while previous iOS vulnerabilities were patched with iOS 26.3. Observations across the timeline revealed differing operational security measures and techniques among the threat actors, such as different obfuscation methods in their exploit loaders. The report also details the exploit delivery mechanisms, remote code execution vulnerabilities, and sandbox escape exploits that form the DarkSword attack strategy. The research aims to support awareness and mitigation of the ongoing risks of exploit proliferation.

Article by CyberSIXT