Multiple Threat Actors Exploiting a Six-Vulnerability iOS Exploit Kit Dubbed “DarkSword”

DarkSword is a JavaScript-only iOS full-chain exploit kit that can compromise an iPhone via a single page load on compromised Ukrainian websites, break out of the WebKit sandbox, escalate to kernel read-write access, and exfiltrate messages, photos, passwords, Telegram history, iCloud files, and cryptocurrency keys before erasing traces within minutes. GTIG, Lookout, and iVerify tracked deployments across at least four countries and multiple operators, including commercial spyware vendors and the suspected UNC6353. Apple patched the chained vulnerabilities in iOS 26.3 / iOS 18.7.3.

Key points

  • A single page load on compromised Ukrainian sites can trigger DarkSword and fully compromise an iPhone without user interaction.
  • The exploit kit is entirely JavaScript-based and chains six vulnerabilities to escape WebKit, use WebGPU to inject into mediaplaybackd, and gain kernel read-write access.
  • Post-exploitation payloads (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER) harvest SMS/iMessage, call history, photos, passwords, Telegram/WhatsApp histories, iCloud files, and cryptocurrency wallet keys.
  • Researchers observed deployments in Saudi Arabia, Turkey, Malaysia, and Ukraine by multiple actors, including suspected state-linked UNC6353 and commercial surveillance vendors.
  • Apple rolled out fixes across iOS 26.1–26.3 with final remediation in iOS 18.7.3; Google added the delivery domains to Safe Browsing, and Lockdown Mode can reduce risk for unpatched devices.

Read More: https://thecyberexpress.com/ios-exploit-kit-dubbed-darksword/