Attackers all over the world are using a new iOS exploit chain that works for both spies and attackers who want to make money. This week, Google, iVerify, and Lookout all published research about "DarkSword," an exploit chain that affects iPhones running iOS versions 18.4 to 18.7. Google's Threat Intelligence Group (GTIG) called it a "full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices" in a blog post.
Since at least November 2025, it has been used by several commercial surveillance companies and suspected state-sponsored threat actors to target people in Saudi Arabia, Turkey, Malaysia, and Ukraine. GTIG said that the exploit chain uses a number of weaknesses and three different types of malware that it calls Ghostblade, Ghostknife, and Ghostsaber, depending on the type of attack.
It comes two weeks after the news of a similar attack called "Coruna," in which a criminal group that was after money used tools made by a spyware company to target a lot of iOS devices at once.
Lookout's research showed that even though the company was spying, it didn't try to hide the exploit chain or implant code. It also said that "an analysis of patterns suggests that LLMs were used in the creation of at least some of the implant code."
This could mean that this actor isn't very smart, even though they probably have a lot of money. Lookout also said in its blog that "this code may have been added before the threat actor got the tools." In fact, iVerify's blog post says that Coruna and DarkSword's tools were found because of big operational security (OPSEC) failures and carelessness when using iOS offensive tools.
"These recent events raise a few important questions: How big and well-equipped is the market for iOS devices that have zero-day and n-day exploits? How easy is it for people who want to make money to get these powerful tools?" iVerify's post said.
Rocky Cole, the co-founder and COO of iVerify, says that this level of OPSEC is "unprecedented in the 2020s." "Sometimes you see nation-states use bad OPSEC when they are using cheap tools because they don't want to burn the fancy, highly secretive [command and control]," he says. "And OPSEC makes things take longer."












