Google Threat Intelligence has identified DarkSword, a complete iOS exploit chain that uses six zero-day vulnerabilities to seize full device control on iPhones running iOS 18.4 through 18.7. Victims are compromised simply by visiting a compromised website, without installing any app or clicking a link; the chain lets attackers extract private keys and credentials from major crypto platforms before erasing its own traces. The campaign, active since November 2025, is tied to espionage and surveillance entities and has prompted Apple to ship patches in its latest builds. Security firms urge immediate updates amid confirmed large-scale deployment.

DarkSword Chain Revealed
Google Threat Intelligence Group, working alongside iVerify and Lookout, detailed how the JavaScript-based kit fingerprints devices via malicious iframes on watering-hole sites before chaining exploits that escape the Safari sandbox, gain kernel privileges, and load payloads into system processes such as configd and SpringBoard. The chain specifically enumerates and harvests data from Coinbase, Binance, Kraken, KuCoin, OKX, MEXC, Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe, along with passwords and account details, all within minutes in a hit-and-run operation. iVerify estimates that 14.2 percent of iOS users, roughly 221 million devices, are still on vulnerable builds and remain exposed until they update; the kit was last modified in December 2025 and shares infrastructure patterns with prior kits such as Coruna.

Crypto Theft Alarms
The operation blends espionage with clear financial motives: payloads rapidly stage and exfiltrate wallet contents before cleanup, leaving victims unaware until funds vanish. Ledger CTO Charles Guillemet explicitly warned the exploit “is already deployed at scale,” highlighting risks for hardware and software wallet holders alike. Lookout researchers noted that the stealth surpasses typical malware, since the kit injects directly into privileged services and possibly leverages AI-assisted code, while Google added the delivery domains to Safe Browsing lists. This follows broader security efforts by Google, including recent fixes to critical browser vulnerabilities. Unpatched users in targeted regions face immediate credential and asset loss, reinforcing calls to enable Lockdown Mode where a full update is not possible and underscoring the shift toward mass exploitation of mobile crypto holdings.

Critical Incident Facts
- iVerify projects that up to 270 million iOS 18 devices in total are potentially susceptible, before accounting for the partial fixes in the 18.7.x branches.
- The key zero-day CVE-2026-20700 (dyld PAC bypass) and companion flaws such as CVE-2025-14174 were reported to Apple in late 2025 and fully closed in iOS 26.3.1 alongside iOS 18.7.6.
- Threat clusters include UNC6353, which deploys GHOSTBLADE against Ukrainian targets, and PARS Defense customers using GHOSTSABER variants regionally.
- The recommendation remains to update to the newest iOS builds or enable Lockdown Mode; Google has integrated protections and collaborated on IOC sharing.