Jamf Threat Labs analyzes leaked source code of a Safari exploitation kit (DarkSword) and the impact of this disclosure on the mobile ecosystem.
Authored by: Vladimir Pazukhin and Nir Avraham
The leak of DarkSword, a government-grade iOS exploit kit first disclosed by Google Threat Intelligence in March 2026, represents a turning point in the mobile threat landscape. This is not a regular vulnerability disclosure. Instead, it is a rare opportunity to analyze the full source code of a production-grade exploitation framework — something that is almost never available outside of nation-state operators and commercial spyware vendors. DarkSword can achieve a one-click remote code execution with full sandbox escape on iOS versions 18.4 through 18.6.2, affecting all users who have not installed updates after September 15, 2025. Previously, these attacks primarily targeted journalists, politicians and executives; now, any iPhone user may be at risk, and it creates new challenges for security teams.
The leaked code clearly reveals some facts and risks which are well known in spyware development industry but usually are not discussed publicly.
Lesson one: Professionally developed spyware can finally be used by amateurs.
Spyware targeting iPhones is usually associated with top-level research, sophisticated bypasses of mitigations and professional exploit development. There is no doubt that DarkSword belongs in this league. The source code reveals extraordinary engineering: After implementing standard primitives (addrof and fakeobj), which provide memory read/write capabilities, it accurately disables the garbage collector and performs 100 carefully orchestrated steps to bypass Apple's mitigations and obtain a stable function call primitive before moving to sandbox escape.
But the same source code reveals something more significant: This is a development version of a framework without obfuscation and encryption, but with a lot of debug messages in JavaScript console.
Leftovers from previous versions:
Messages to iOS unified log:
The fact that a development version was used in offensive operations shows that it was deployed by operators who lack basic operational security skills. The evidence isn't just about mistakes — it proves that control over distribution and usage of government-grade iOS exploitation capabilities is lost.
Lesson two: Spyware can be sold without ethical boundaries.
Websites of many commercial spyware development companies have disclaimers: their products can only be sold for law enforcement purposes, only to countries that respect human rights, only for legitimate investigations. These disclaimers exist to maintain the appearance of ethical operation while operating in legal gray areas.
The DarkSword source code clearly shows this is a different case. The data collection configuration targets cryptocurrency applications, revealing financial motivation inconsistent with any law enforcement operation:
Important to note that Nicegram is listed among "Major Wallets" alongside Coinbase and Binance, the world's two largest cryptocurrency exchanges. But Nicegram isn't a wallet. It's a modified Telegram client popular among Russian-speaking users. This aligns with known information about its deployment. The framework was discovered on Ukrainian infrastructure, and deployment code contains comments in the Russian language.
Cryptocurrency theft targeting, Russian-speaking operator deployment, Russian-language artifacts in the code and Ukrainian infrastructure demonstrate systematic violations of the "law enforcement only" ethical boundaries, at least in this case.
It is important to note that the presence of Russian-language comments and Ukrainian infrastructure does not definitively attribute DarkSword to any specific nation-state. Russian is widely spoken across multiple countries, and infrastructure can be deliberately chosen to mislead attribution efforts. We present these as technical observations from the source code, not as conclusive attribution.
Lesson 3: Offensive product requires industrial-scale engineering.
It’s not a secret that government-grade spyware requires a lot of effort and costs a lot of money — now everyone can see it in the source code. The full exploit chain supports 28 models with 26 firmware versions and six releases of iOS from 18.4 to 18.6.2, which requires supporting 156 versions of firmware. Each of them has different memory layout and offsets used by exploits.
Also, there is legacy code in the privilege escalation component, which clearly demonstrates support of older iOS versions. For example offsets for XNU 23 in code below mean support of iOS 17.
That means that the spyware vendor needs to purchase and maintain hundreds of devices and automate testing on them.
Another important aspect — Apple constantly improves protection of their devices and their offensive product needs to evolve as well. There are a lot of traces in the code that show urgent changes. There are two RCE exploits for different versions of iOS, and we can reasonably assume that there are others that became outdated after Apple introduced MIG (Mach Interface Generator) message filtering in iOS 18.4 to restrict IPC (Inter-Process Communication) manipulation from sandboxed processes.
As already noted by Google Threat Intelligence team, the code includes a commented-out function named startSandworm that was replaced with mpd_kernel_base(). The mpd_prefix refers to mediaplaybackd, the system daemon where the kernel exploit executes. This suggests that “Sandworm” was likely an internal codename for a different kernel exploit, probably associated with the iOS 17 (XNU 23) offsets present in the code.
The code clearly shows that developers do not have too much time for code review and refactoring and just implemented quick solutions.
The industry has very high standards to exploit reliability (90%+ success rate); we see in the code attempts to increase reliability by retries.
In our internal tests, the exploit demonstrates relatively low success rate, less than 50%, but we cannot exclude that there is a more reliable version of this chain in the wild.
Conclusion
The DarkSword leak teaches us three critical lessons about the state of mobile threats. First, government-grade exploit capabilities are no longer confined to sophisticated operators — the availability of production-ready source code with detailed debug output lowers the barrier for any skilled developer to replicate these attacks. Second, the ethical guardrails claimed by the commercial spyware industry are demonstrably hollow, as evidenced by a kit designed for cryptocurrency theft rather than law enforcement. Third, the industrial scale of engineering required to maintain such a kit — hundreds of device and firmware combinations, constant adaptation to new mitigations — shows both the level of investment behind these threats and the pressure points where defensive improvements by Apple are forcing costly responses from attackers.
Organizations should ensure that devices are consistently updated, actively monitored and protected against such threats, regardless of the user's role. The era in which only high-profile targets need to worry about nation-state-level exploits is over.
References
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors, Google
Read the latest research from Jamf Threat Labs.