A new exploit kit targeting iPhone users and stealing their sensitive data is being abused by "multiple" spyware vendors and suspected nation-state goons, security researchers said on Wednesday.

The exploit kit, called DarkSword, has been in use since at least November 2025. It supports iOS versions 18.4 through 18.7, and exploits six different vulnerabilities to deploy three different backdoors that steal a ton of personal information, including messages, recordings, location history, signed-in accounts, cryptocurrency wallet data, and more.

In coordinated research published Wednesday, Google, iVerify, and Lookout analyzed the malware and noted that this is the second time this month that they've spotted disparate criminal groups using a single iOS exploit kit to spy on iPhone users. The earlier exploit framework is called Coruna, and one of the earlier groups abusing Coruna - a suspected Russian espionage crew tracked as UNC6353 - has also been using DarkSword in its watering hole campaigns targeting Ukrainians.

The DarkSword exploit kit abuses six vulnerabilities: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.  All six have since been patched, so be sure to update to the latest iOS release.

Apple did not respond to The Register's request for comment.

How the exploit chain works

The attack requires an iPhone user to navigate to a malicious website to trigger the exploit chain. It begins with miscreants exploiting either CVE-2025-31277 or CVE-2025-43529 – depending on the iOS version – to achieve remote code execution, according to iVerify's analysis.

Both of these bugs allow attackers to obtain arbitrary memory read/write primitives, and once they've done this, they bypass Trusted Path Read-Only (TPRO) and Pointer Authentication Codes (PAC) mitigations by exploiting CVE-2026-20700.

"This allows them to fully sidestep the SPRR and JIT Cage mitigations via thread state manipulation and achieve arbitrary code execution within the WebContent process," iVerify's Matthias Frielingsdorf and Mateusz Krzywicki wrote.

The attackers then pivot to escape the sandbox via the GPU process by abusing an Angle out-of-bounds write vulnerability (CVE-2025-14174), combined with the same PAC bypass method, and obtain arbitrary memory read/write and arbitrary function call primitives in the GPU process.

From here, the attackers target the XNU kernel through selector 1 in the AppleM2ScalerCSCDriver driver. This triggers a Copy-On-Write vulnerability (CVE-2025-43510). "This flaw is leveraged to establish arbitrary memory read/write and arbitrary function call primitives in the mediaplaybackd daemon via exposed XPC interfaces," the researchers wrote. 

Finally, the attackers abuse CVE-2025-43520 to escalate privileges in the kernel and inject in-memory JavaScript implants into other system processes to extract sensitive data from the Apple device. 

Who is using DarkSword to spy on iPhone users?

Google's research details three different groups abusing this attack chain, but also notes that "it is likely that other commercial surveillance vendors or threat actors may also be using DarkSword."

A threat cluster it tracks as UNC6748, using a Snapchat-themed website, snapshare[.]chat, has been using DarkSword to target Saudi Arabian users "multiple times throughout November 2025," the threat intel team wrote.

These attacks ultimately deployed GhostKnife, a JavaScript-based backdoor with modules for stealing different types of data, including signed-in accounts, messages, browser data, location history, and recordings.

In addition to stealing data, it downloads files from the command-and-control server, takes screenshots of the victim's device, and records audio from the device's microphone.

In another DarkSword campaign from late November 2025, Google's threat intelligence group spotted Turkish commercial surveillance vendor PARS Defense using the exploit against Turkish iOS users. Then, in January, they observed a different PARS Defense customer targeting victims in Malaysia.

These instances used a different JavaScript backdoor called GhostSaber with capabilities including device and account enumeration, file listing, data exfiltration, and remote JavaScript code execution. 

"Observed GHOSTSABER samples contain references to several commands that lack the necessary code to be executed, including some that purport to record audio from the device's microphone and send the device's current geolocation to the C2 server," the Googlers wrote. 

Additionally, Google tracked UNC6353 using DarkSword in a new watering hole campaign targeting Ukrainian users to deploy a backdoor dubbed GhostBlade. This JavaScript dataminer collects a ton of data - everything from texts, chats from messaging apps, contacts, call logs, device and account identifiers and profiles, location history, photos and their meta data, cryptocurrency wallet data, browser cookies and more - from compromised devices and then sends it to an attacker-controlled server over HTTPS. 

"Unlike GHOSTKNIFE and GHOSTSABER, GHOSTBLADE is less capable and does not support any additional modules or backdoor-like functionality; it also does not operate continuously," according to Google. 

As Lookout notes, both DarkSword and the earlier exploit kit, Coruna, steal sensitive data and cryptocurrency, indicating "both tools can be used for espionage as well as financial theft." This leads it to assess that UNC6353 "is a well-funded, well-connected but technically less sophisticated threat actor whose goals include both financial gain and espionage aligned with Russian intelligence requirements." ®