GBHackers

DarkSword Exploit Chain Leaked Online, Posing Risk to Millions of iPhones


Security researchers have confirmed that the sophisticated iOS exploit chain known as DarkSword is now circulating outside the threat actor groups that originally used it.

Recently, security researcher @matteyeux achieved kernel read/write access on an iPad mini (6th generation) running iOS 18.6.2 using the in-the-wild DarkSword exploit.

This independent reproduction shows that the leaked kit is fully functional and poses an immediate risk to the millions of Apple devices worldwide that have not yet been updated.

The Attack Methodology

DarkSword is a complete exploit kit and infostealer written in JavaScript. The kill chain typically begins when a victim visits a compromised legitimate website into which the attackers have injected a malicious iframe, a technique known as a watering hole attack.
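A defender's first question about a watering hole is whether a page carries an injected frame. The script below, an added example that is not DarkSword code or anything from the article, walks a page's HTML and flags iframes that load from another site and are hidden, pushed off-screen, or sized 1x1. The sample page and every hostname in it are constructed, and the naive "last two labels" domain helper is an assumption (use a public suffix list in production).

```python
"""Flag iframes that look like watering-hole injections: off-origin frames
that are hidden, off-screen, or 1x1.  Added example, not DarkSword code;
the sample page and hostnames below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one legitimate same-site embed, two injected frames.
SAMPLE_PAGE = """\
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example-news.test/embed/player" width="640" height="360"></iframe>
<iframe src="https://cdn-static.example-attacker.test/l.html" width="1" height="1"
        style="position:absolute; left:-9999px"></iframe>
<div style="display:none"><iframe src="//x.example-attacker.test/"></iframe></div>
</body></html>
"""

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

def registrable_domain(host):
    """Naive eTLD+1 (last two labels).  Assumption for the demo; use a public
    suffix list (e.g. tldextract) in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_hidden(attrs):
    """Inline-style tricks commonly used to keep an injected frame invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or re.search(r"(left|top):-\d{3,}", style) is not None)

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open = []      # stack of (tag, hidden) for elements still open
        self.frames = []    # (src, hidden_or_tiny)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # hidden if this element or any open ancestor is hidden
        hidden = is_hidden(a) or any(h for _, h in self.open)
        if tag == "iframe":
            try:
                tiny = int(a.get("width", "")) <= 1 and int(a.get("height", "")) <= 1
            except ValueError:
                tiny = False
            self.frames.append((a.get("src") or "", hidden or tiny))
        if tag not in VOID_TAGS:
            self.open.append((tag, hidden))

    def handle_endtag(self, tag):
        # pop back to the matching open tag; tolerates sloppy markup
        while self.open:
            if self.open.pop()[0] == tag:
                break

def suspicious_iframes(html, page_url):
    """Return [(src, host)] for hidden/tiny iframes loaded from another site."""
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for src, hidden in parser.frames:
        host = urlparse(src, scheme="https").hostname  # None for relative src
        if hidden and host and registrable_domain(host) != page_domain:
            hits.append((src, host))
    return hits

if __name__ == "__main__":
    for src, host in suspicious_iframes(SAMPLE_PAGE, "https://www.example-news.test/"):
        print(f"suspicious iframe -> {host}: {src}")
```

Run it against a saved copy of a page you suspect, with the page's own URL as the second argument; the same-site embed is ignored, while the 1x1 off-screen frame and the frame inside a `display:none` container are both reported.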

Once the target device loads the malicious page, the JavaScript exploit gains code execution inside the Safari WebContent process and breaks out of its sandbox.

DarkSword Exploit Chain Leaked Online (Source: Twitter)

The chain bypasses the Trusted Path Read-Only (TPRO) and Pointer Authentication Code (PAC) mitigations by abusing sensitive internal dyld structures that live in writable stack memory.

The attackers then pivot into the GPU process by exploiting an out-of-bounds write in ANGLE, the graphics abstraction layer WebKit uses for WebGL.

From the GPU process, the exploit attacks the XNU kernel by triggering a copy-on-write (CoW) vulnerability in the AppleM2ScalerCSCDriver kernel extension.

This yields arbitrary kernel memory read/write primitives, which the attackers use to lift the sandbox restrictions on their process and reach otherwise protected parts of the file system.

Google Threat Intelligence Group first observed DarkSword in active campaigns in November 2025.

The toolkit is primarily attributed to UNC6353, a suspected Russian espionage group that previously utilized the Coruna iOS exploit kit.

These attackers have actively deployed the exploit chain against targets located in Ukraine, Saudi Arabia, Turkey, and Malaysia.

Running entirely in memory, DarkSword loads additional scripts on the fly to deliver its final-stage payloads.

Researchers have identified three distinct malware families deployed after compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

These payloads exfiltrate highly sensitive data, including messages from secure messaging apps, saved credentials, and cryptocurrency wallet information.

The command-and-control infrastructure uses subdomains created under compromised legitimate websites, such as sqwas.shapelie[.]com.
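Because the C2 hides under domains that the fleet may already resolve legitimately, a plain blocklist match is not enough. The script below is an added example, not GTIG or DarkSword code: it scans DNS resolver logs for the published indicator and, in addition, flags the first time a never-before-seen subdomain appears under a domain the fleet already talks to. The log lines are constructed, the log format is an assumption, and the "last two labels" domain helper is a stand-in for a real public suffix list.

```python
"""Hunt for DarkSword-style C2 in DNS resolver logs: match the published
indicator and flag first-seen subdomains of domains the fleet already talks
to (the "new subdomain on a compromised legitimate site" pattern).
Added example, not GTIG or DarkSword code; log lines are constructed."""
from collections import defaultdict

# Indicator from the report, kept defanged the way threat intel is shared.
IOCS = ["sqwas.shapelie[.]com"]

# Constructed resolver log (assumed format): "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2025-11-03T09:12:01Z 10.0.4.21 www.shapelie.com A
2025-11-03T09:12:02Z 10.0.4.21 shapelie.com A
2025-11-03T09:13:10Z 10.0.4.33 www.example.test A
2025-11-03T09:15:44Z 10.0.4.21 sqwas.shapelie.com A
2025-11-03T09:15:45Z 10.0.4.21 sqwas.shapelie.com AAAA
2025-11-03T09:20:00Z 10.0.4.33 a1b2c3.example.test A
2025-11-03T09:21:00Z 10.0.4.33 www.example.test A
"""

def refang(indicator):
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); assumption for the demo, use a public
    suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def scan(log_text, iocs=IOCS, baseline=()):
    """Return [(reason, client, qname)] in log order, one alert per hostname.

    baseline: hostnames already seen in a clean period (e.g. 30 days of
    passive DNS).  Without it, the first name under each domain seeds the
    set, so the heuristic only fires from the second distinct name on."""
    known_bad = {refang(i) for i in iocs}
    hosts_by_domain = defaultdict(set)
    for h in baseline:
        hosts_by_domain[registrable_domain(h)].add(h.lower())
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].lower().rstrip(".")
        domain = registrable_domain(qname)
        seen = hosts_by_domain[domain]
        if qname in known_bad:
            reason = "known-ioc"
        elif qname != domain and seen and qname not in seen:
            # apex names are skipped; only new labels under a known domain fire
            reason = "new-subdomain-of-known-domain"
        else:
            reason = None
        seen.add(qname)
        if reason and qname not in alerted:
            alerted.add(qname)
            alerts.append((reason, client, qname))
    return alerts

if __name__ == "__main__":
    for reason, client, qname in scan(SAMPLE_LOG):
        print(f"{reason:32} {client:12} {qname}")
```

The second heuristic is noisy without a baseline, since CDN and marketing subdomains churn constantly; seed `baseline` from a clean window of passive DNS and review the new-subdomain hits rather than blocking on them automatically.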

Public validation of DarkSword by independent researchers significantly raises the threat level, since a working chain is no longer confined to a single espionage operator.

System administrators and security teams should ensure that all Apple devices are updated immediately to iOS 26.1 or later, which contains patches for the underlying kernel vulnerabilities.

For high-risk individuals and enterprise targets, enabling Apple's Lockdown Mode adds a critical layer of defense against complex web-based exploit chains: among other restrictions it disables Safari's just-in-time JavaScript compilation and blocks several complex web technologies, shrinking the browser attack surface that chains like this one rely on.
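To turn the two recommendations above into something a team can run, here is an added example (not Apple or MDM vendor code) that triages an MDM inventory export: it compares each device's iOS version numerically against the 26.1 threshold the article gives and lists high-risk users who still have Lockdown Mode off. The inventory records and their field names are constructed assumptions; map them to whatever your MDM exports.

```python
"""Triage an MDM export against the fix threshold given in the article and
the Lockdown Mode advice for high-risk users.  Added example, not Apple or
MDM vendor code; the inventory is constructed and the field names are an
assumption."""
import re

MIN_PATCHED = "26.1"   # iOS 26.1 or later, per the article

def parse_version(v):
    """'26.1.1' -> (26, 1, 1).  Numeric tuples compare correctly where plain
    string comparison does not (e.g. '26.10' vs '26.9')."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def is_patched(version, minimum=MIN_PATCHED):
    return parse_version(version) >= parse_version(minimum)

def triage(inventory, minimum=MIN_PATCHED):
    """Return {device_name: [actions]} for devices that need attention."""
    findings = {}
    for d in inventory:
        actions = []
        if not is_patched(d["os_version"], minimum):
            actions.append(f"update iOS {d['os_version']} -> {minimum}+")
        if d.get("high_risk") and not d.get("lockdown_mode"):
            actions.append("enable Lockdown Mode")
        if actions:
            findings[d["name"]] = actions
    return findings

# Constructed inventory (assumed fields: name, os_version, high_risk, lockdown_mode)
SAMPLE_INVENTORY = [
    {"name": "ipad-mini-6-lab", "os_version": "18.6.2", "high_risk": False, "lockdown_mode": False},
    {"name": "iphone-cfo",      "os_version": "26.1",   "high_risk": True,  "lockdown_mode": False},
    {"name": "iphone-journo",   "os_version": "26.0.1", "high_risk": True,  "lockdown_mode": True},
    {"name": "iphone-staff",    "os_version": "26.1.1", "high_risk": False, "lockdown_mode": False},
]

if __name__ == "__main__":
    for name, actions in triage(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(actions))
```

The version parser is the part worth keeping: 26.0.1 is below 26.1 and 26.1.1 is above it, which a naive string comparison of build numbers will get wrong once minor versions reach two digits.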
