DarkSword iOS Exploit Chain Targets Mobile Devices Globally

DarkSword iOS Exploit Chain Targets Mobile Devices Globally

First seen 11 Jul 2026, 19:24 UTC cloud.google.comwww.lookout.com 81% similarity 78.5

Article Content

Browse articles
ThreatCluster

The Google Threat Intelligence Group has identified DarkSword, a full-chain iOS exploit affecting versions 18.4 to 18.7. This exploit leverages multiple zero-day vulnerabilities, including CVE-2025-31277 and CVE-2025-14174, to compromise devices and deploy malware families like GHOSTBLADE. DarkSword has been linked to various threat actors, including the suspected Russian group UNC6353, which has targeted users in Saudi Arabia, Turkey, Malaysia, and Ukraine since November 2025. The exploit aims to extract sensitive information, particularly from crypto wallet apps, and operates with a 'hit-and-run' approach. All vulnerabilities exploited by DarkSword were reported to Apple and patched with the release of iOS 26.3. Users are advised to update their devices or enable Lockdown Mode for enhanced security. Lookout and iVerify collaborated with GTIG on this investigation, highlighting the growing sophistication of mobile threats.

Key Points: • DarkSword exploits multiple zero-day vulnerabilities in iOS versions 18.4 to 18.7. • The exploit is linked to state-sponsored actors, specifically UNC6353, targeting sensitive data. • Users are urged to update to iOS 26.3 or enable Lockdown Mode to mitigate risks.

ThreatCluster AI

Timeline

2025-07-29
CVE-2025-31277 published
A vulnerability affecting iOS was disclosed, later exploited by DarkSword.
cloud.google.com
2025-12-12
CVE-2025-14174 published
Another vulnerability was published, contributing to the DarkSword exploit chain.
cloud.google.com
2025-12-12
CVE-2025-43510 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-12-15
CVE-2025-43529 added to CISA KEV
CISA flagged the vulnerability as actively exploited in the wild and added it to the Known Exploited Vulnerabilities catalog.
CISA KEV
2026-02-11
CVE-2026-20700 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-03-20
CVE-2025-31277 added to CISA KEV
CISA confirmed active exploitation of this vulnerability in the wild.
cloud.google.com
2026-03-20
CVE-2025-43520 added to CISA KEV
This vulnerability was also confirmed as actively exploited in conjunction with DarkSword.
cloud.google.com
2026-07-11
DarkSword exploit chain publicly disclosed
Google and Lookout released findings on DarkSword, detailing its impact and vulnerabilities.
cloud.google.com

Community

Browse all →