Researchers disclosed DarkSword, a sophisticated JavaScript-based iOS exploit kit that enables full device compromise with minimal user interaction. It has been used by the Russian state-sponsored group UNC6353 in attacks against Ukraine and later by commercial surveillance vendors. The exploit chain leverages multiple iOS flaws to deploy information-stealers such as GhostBlade, GhostKnife, and GhostSaber, which exfiltrate messages, credentials, and cryptocurrency wallets. Apple has released patches, but many iPhones remain at risk; users should update to iOS 26.3.1 or 18.7.6.
Key points
- DarkSword is a JavaScript exploit kit used by UNC6353 to achieve Safari RCE, sandbox escape, and kernel compromise on iOS.
- The chain targets six vulnerabilities (including CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174) to escalate privileges and execute final payloads.
- DarkSword shares infrastructure with the Coruna kit and has been repurposed by commercial actors (UNC6748, PARS Defense) in attacks on Saudi Arabia, Turkey, and Malaysia.
- Observed payloads GhostBlade, GhostKnife, and GhostSaber steal passwords, messages, photos, browser data, account info, and cryptocurrency wallet data.
- Apple has patched the flaws, but researchers warn hundreds of millions of devices may still be vulnerable and advise updating to iOS 26.3.1 or 18.7.6.
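For fleet owners acting on the update advice above, the following added example (not code from the researchers or from Apple) triages a device inventory against the two patched releases named on this page. The CSV columns, device names, and sample rows are constructed; versions on any other release train are routed to manual review because the page names only these two baselines.

```python
import csv
import io

# Patched releases named on this page, keyed by major-version train.
PATCHED = {18: (18, 7, 6), 26: (26, 3, 1)}

# Constructed sample inventory (hypothetical MDM export: device,os_version).
SAMPLE_INVENTORY = """device,os_version
iphone-a,26.3.1
iphone-b,26.2
iphone-c,18.7.6
iphone-d,18.6.2
iphone-e,17.5.1
iphone-f,26.4
iphone-g,unknown
"""

def parse_version(text):
    """Return the version as a 3-tuple of ints, or None if not parseable."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # "26.2" -> (26, 2, 0)

def classify(os_version):
    """Classify one device as 'patched', 'update', or 'review'."""
    version = parse_version(os_version)
    if version is None:
        return "review"  # unparseable inventory data needs a human
    baseline = PATCHED.get(version[0])
    if baseline is None:
        return "review"  # train not named on the page; do not guess
    return "patched" if version >= baseline else "update"

def triage(inventory_csv):
    """Group device names by status from a CSV with device,os_version columns."""
    result = {"patched": [], "update": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row["os_version"])].append(row["device"])
    return result

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```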