Full Report
Darksword is the second iOS exploit chain in a month
A new exploit kit targeting iPhone users and stealing their sensitive data is being abused by "multiple" spyware vendors and suspected nation-state goons, security researchers said on Wednesday.…
Analysis Summary
# Threat Actor: Multiple Entities (UNC6353, UNC6748, PARS Defense)
## Attribution & Identity
The exploit kit **DarkSword** is utilized by a diverse set of actors, suggesting it is a commercially available or shared exploit framework:
* **UNC6353:** A suspected Russian espionage cluster whose targeting aligns with Russian intelligence requirements.
* **UNC6748:** A threat cluster tracked by Google for its Snapchat-themed lure operations.
* **PARS Defense:** A Turkish commercial surveillance vendor (CSV).
* **Other Potential Actors:** Researchers believe other commercial surveillance vendors and nation-state "goons" are likely abusing the kit.
## Activity Summary
DarkSword has been active since at least **November 2025**. It follows an "exploit kit as a service" model: several unrelated groups run the same technical chain and differ only in the backdoor they drop afterwards. Recent campaigns include:
* **November 2025:** UNC6748 targeted Saudi Arabian users via social media themes.
* **Late 2025 - January 2026:** PARS Defense targeted users in Turkey and Malaysia.
* **Early 2026:** UNC6353 conducted watering hole attacks against Ukrainian targets.
## Tactics, Techniques & Procedures
The actors share a six-vulnerability exploit chain that compromises devices running iOS 18.4 through 18.7.
* **Initial Access:** Watering hole attacks and malicious websites (social engineering via links).
* **Execution & Escapes:**
  * **RCE:** Exploiting CVE-2025-31277 or CVE-2025-43529 in WebContent for arbitrary memory read/write.
  * **Mitigation Bypass:** CVE-2026-20700 used to sidestep TPRO, PAC, SPRR, and the JIT cage.
  * **Sandbox Escape:** CVE-2025-14174 (ANGLE out-of-bounds write) to escape WebContent via the GPU process.
  * **Privilege Escalation:** CVE-2025-43510 (XNU kernel copy-on-write) and CVE-2025-43520 to gain kernel privileges.
* **Post-Exploitation:** Injection of in-memory JavaScript implants into system processes for data extraction.
**MITRE ATT&CK IDs (Associated):**
* **T1204.001:** User Execution: Malicious Link
* **T1068:** Exploitation for Privilege Escalation
* **T1055:** Process Injection
* **T1429 / T1430:** Audio Capture and Location Tracking (ATT&CK Mobile)
* **T1418:** Software Discovery (ATT&CK Mobile; the chain selects exploits by iOS version)
## Targeting
* **Sectors:** Government and civil society (inferred from the espionage-oriented targeting), plus cryptocurrency holders (GhostBlade's wallet theft).
* **Geography:** Ukraine, Saudi Arabia, Turkey, and Malaysia.
* **Victims:** iPhone users (iOS 18.4 - 18.7); Ukrainian citizens; Saudi Arabian social media users.
## Tools & Infrastructure
### Malware Families
* **GhostKnife:** JavaScript-based backdoor; captures audio, screenshots, location, and messages. Used by UNC6748.
* **GhostSaber:** Used by PARS Defense; features device/account enumeration and remote JS execution.
* **GhostBlade:** Used by UNC6353; focused on "data mining" (chats, crypto wallets, photos, metadata).
### Infrastructure
* **snapshare[.]chat:** Malicious Snapchat-themed domain used by UNC6748.
* **C2 Communication:** HTTPS used for exfiltration of collected data to attacker-controlled servers.
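The two concrete detection hooks the report gives are the affected iOS range (18.4 through 18.7) and the defanged lure domain above. The following is an added triage helper, not code from the report or from the researchers it cites: it flags inventoried devices whose iOS build falls in the affected range, scans DNS/proxy log lines for the IoC domain (and its subdomains), and combines the two into a per-client verdict. The device inventory and log lines are constructed sample data, and the log field names (`client=`, `query=`) are assumptions about the log format.

```python
"""Added example, not code from the report: version-range exposure check plus
IoC-domain log scan for the DarkSword indicators the report publishes.
Inventory and log lines below are constructed sample data."""
import re
from typing import Dict, List, Tuple

# IoC domains exactly as the report publishes them (defanged).
DEFANGED_DOMAINS = ["snapshare[.]chat"]
# Affected range from the report, inclusive. The report gives only major.minor,
# so patch levels are deliberately not compared.
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into matchable text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def parse_ios_version(text: str) -> Tuple[int, ...]:
    """Extract (major, minor, patch) from strings such as 'iOS 18.6.2' or '18.4'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no iOS version found in {text!r}")
    return tuple(int(g) for g in m.groups(default="0"))


def is_affected(version: str) -> bool:
    """True when major.minor lies within AFFECTED_MIN..AFFECTED_MAX."""
    major, minor = parse_ios_version(version)[:2]
    return AFFECTED_MIN <= (major, minor) <= AFFECTED_MAX


def ioc_pattern(defanged: List[str]) -> re.Pattern:
    """One regex matching each IoC domain or any subdomain of it as whole labels,
    so 'snapshare.chat' matches 'cdn.snapshare.chat' but not 'notsnapshare.chat'."""
    alts = "|".join(re.escape(refang(d)) for d in defanged)
    return re.compile(
        rf"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*(?:{alts})(?![A-Za-z0-9-])", re.I
    )


CLIENT_RE = re.compile(r"\bclient=(\S+)")  # assumed log field naming


def scan_logs(lines: List[str], pattern: re.Pattern) -> List[Tuple[str, str]]:
    """Return (client, matched_host) for every log line that references an IoC."""
    hits = []
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        c = CLIENT_RE.search(line)
        hits.append((c.group(1) if c else "?", m.group(0).lower()))
    return hits


def triage(inventory: Dict[str, str], lines: List[str]) -> Dict[str, str]:
    """Combine version exposure with IoC contact into a per-client verdict."""
    contacted = {client for client, _ in scan_logs(lines, ioc_pattern(DEFANGED_DOMAINS))}
    verdicts = {}
    for client, version in inventory.items():
        exposed = is_affected(version)
        if exposed and client in contacted:
            verdicts[client] = "isolate: exploitable build contacted IoC domain"
        elif client in contacted:
            verdicts[client] = "investigate: IoC contact from non-affected build"
        elif exposed:
            verdicts[client] = "patch: iOS build in affected range"
        else:
            verdicts[client] = "ok"
    for client in contacted - set(inventory):
        verdicts[client] = "investigate: IoC contact, device not in inventory"
    return verdicts


# Constructed sample inventory (client IP -> reported iOS version) and log lines.
SAMPLE_INVENTORY = {
    "10.0.0.14": "iOS 18.6.2",
    "10.0.0.22": "iOS 18.7.1",
    "10.0.0.31": "iOS 26.1",
    "10.0.0.40": "iOS 18.3.2",
}
SAMPLE_LOGS = [
    "2026-01-12T09:14:02Z dns client=10.0.0.14 query=snapshare.chat type=A",
    "2026-01-12T09:14:03Z proxy client=10.0.0.14 GET https://snapshare.chat/invite/x 200",
    "2026-01-12T09:15:10Z dns client=10.0.0.22 query=snapchat.com type=A",
    "2026-01-12T09:16:44Z dns client=10.0.0.31 query=cdn.snapshare.chat type=A",
    "2026-01-12T09:17:01Z dns client=10.0.0.55 query=notsnapshare.chat type=A",
]

if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_INVENTORY, SAMPLE_LOGS).items()):
        print(client, verdict)
```

The version check keys on major.minor only because the report does not say which point release closed the chain; a device on 18.7.x therefore still lands in "patch" until its build is confirmed fixed. A non-affected build that still contacted the lure domain is kept as "investigate" rather than dismissed, since the page names only one domain and the kit is shared across several operators.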
## Implications
The discovery of DarkSword highlights a recurring pattern in which a single high-end exploit chain is packaged and sold to multiple global actors, both state-sponsored and commercial. That the same kit serves political espionage (UNC6353's Ukrainian watering holes) and financial theft (GhostBlade's cryptocurrency wallet harvesting) suggests the boundary between state intelligence collection and criminal profit is increasingly blurred for actors like UNC6353.
## Mitigations
* **Update OS:** Immediately update iPhones to the latest iOS version to patch the six exploited CVEs; the report gives the affected range as iOS 18.4 through 18.7.
* **Browser Safety:** Exercise caution when clicking links from unsolicited messages or social media platforms.
* **Enable Lockdown Mode:** For high-risk individuals, Apple’s "Lockdown Mode" can provide significant protection against complex web-based exploit chains.
* **Device Auditing:** Use mobile security tools (like iVerify or Lookout) to scan for known indicators of compromise (IoCs) associated with the Ghost family of implants.