The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
March 18, 2026, 4:51 p.m.
Description
Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain uses six different vulnerabilities to deploy final-stage payloads, including three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors that of the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into its watering hole campaigns targeting Ukrainian websites.
Date
- Created: March 18, 2026, 3:44 p.m.
- Published: March 18, 2026, 3:44 p.m.
- Modified: March 18, 2026, 4:51 p.m.
Indicators
- 2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35
- https://static.cdncounter.net/assets/index.html
- https://static.cdncounter.net/widgets.js?uhfiu27fajf2948fjfefaa42
- https://snapshare.chat/
Additional Information
- Government
- Saudi Arabia
- Malaysia
- Ukraine