DarkSword is a sophisticated, multi-stage iOS exploit framework using six vulnerabilities to achieve remote code execution, sandbox escape, and kernel privilege escalation, primarily delivered via social engineering lures or watering hole attacks targeting iOS versions 18.4 through 18.7. The recommended mitigation is to immediately patch iOS devices to versions beyond the affected range as updates become available. Additional defensive measures include implementing web filtering to block malicious domains and applying stricter device controls for high-risk users.
What is the Attack? Researchers from Google Threat Intelligence Group identified DarkSword, a sophisticated full-chain iOS exploit framework actively used by multiple surveillance vendors and suspected state-sponsored actors. Observed since at least November 2025, the exploit has been deployed in targeted campaigns across Saudi Arabia, Turkey, Malaysia, and Ukraine, enabling silent compromise of iOS devices and delivery of post-exploitation malware. DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve: Remote Code Execution (RCE) Sandbox Escape Kernel-Level Privilege Escalation Campaign-Specific Tradecraft: Saudi Arabia: Fake Snapchat lookalike used as a social engineering lure Ukraine: Compromise of at least two local websites, including a government site (watering hole attack) Post-Exploitation Malware Families: GHOSTBLADE: Initial-stage implant for device profiling and access validation GHOSTKNIFE: Intermediate payload enabling data collection and command execution GHOSTSABER: Advanced implant supporting persistent surveillance and data exfiltration What is the recommended Mitigation? Immediate Patching: Upgrade iOS devices beyond affected versions as security updates become available Web Filtering & DNS Security: Block access to suspicious or newly registered domains used in exploit delivery High-Risk User Protection: Enforce stricter controls (device hardening, limited browsing exposure) for sensitive roles Threat Intelligence Integration: Continuously ingest indicators related to DarkSword infrastructure and malware families What FortiGuard Coverage is available? • FortiGuard Incident Response: Organizations that suspect compromise of iOS devices via the DarkSword exploit chain should engage FortiGuard Incident Response for rapid investigation, containment, forensic analysis, and recovery support. Focus areas include identification of exploit-triggering web activity, analysis of post-exploitation malware (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER), validation of device compromise scope, and detection of potential data exfiltration or persistent surveillance mechanisms. • FortiGuard Labs Threat Intelligence: FortiGuard Labs is actively monitoring threat activity associated with DarkSword and related mobile exploitation frameworks identified by Google Threat Intelligence Group. • FortiGuard Antivirus & Behavior Detection: Protects against post-exploitation malware families associated with DarkSword, including GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Virus | FortiGuard Labs • FortiGuard Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known DarkSword-associated indicators, including malicious domains used for exploit delivery, watering hole infrastructure, and command-and-control endpoints