RC RANDOM CHAOS

DarkSword: Leaked iOS Zero-Click Chain Spreads from State Actors to the Wild

via Schneier on Security

Original source: "DarkSword Malware", Schneier on Security

Google’s Threat Intelligence Group attributes DarkSword, a full-chain iOS exploit stitching together six zero-days, to likely government developers. The chain works against iOS 18.4 through 18.7 and has been used since November 2025 by commercial surveillance vendors and suspected state actors against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. Post-exploitation, operators deploy one of three implants — GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER — for persistent device compromise.

The distribution pattern echoes the earlier Coruna kit: a single exploit chain shared across unrelated threat groups, including UNC6353, a suspected Russian espionage cluster that swapped Coruna for DarkSword in watering hole operations. A week after discovery, the chain leaked publicly and is now being reused beyond its original operators, lowering the bar for any actor wanting iOS-grade intrusion capability.

Apple has since shipped patches, so devices on current iOS builds are no longer exposed. Devices still running an unpatched build in the affected 18.4 to 18.7 range remain vulnerable until they take the update, and now that the chain is public that exposure extends to opportunistic actors rather than only the original targets. The episode reinforces a familiar dynamic in the offensive market: state-grade tooling rarely stays contained, and the gap between a targeted government implant and a commodity exploit is measured in days, not years.
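The practical follow-up to an advisory like this is a fleet check: which managed devices still sit in the affected version range? The script below is an added example written for this page; it is not code from Schneier's post or from Google's report. The affected range 18.4 through 18.7 is taken from the summary above; the exact build that carries Apple's fix is not stated here and should be read from Apple's advisory, so the range is treated as an assumption and compared on major.minor only (any 18.7.x point release is flagged, which is the conservative choice). The inventory is constructed sample data. Versions are compared as integer tuples, not strings, because string comparison sorts "18.10" before "18.4".

```python
import re
from dataclasses import dataclass

# Affected range as stated in the summary (inclusive). Assumption for triage
# only: the build carrying Apple's fix must be confirmed from Apple's advisory.
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)

VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_ios_version(text):
    """Return (major, minor, patch) from strings like 'iOS 18.7.2' or '18.6'.

    Returns None when no version number is present. Components are ints so
    comparisons are numeric rather than lexicographic.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor or 0), int(patch or 0))


def in_affected_range(version, lo=AFFECTED_MIN, hi=AFFECTED_MAX):
    """True when (major, minor) lies within [lo, hi] inclusive.

    Only major.minor is compared: the summary does not say which 18.7 build
    is fixed, so every 18.7.x release is flagged for follow-up.
    """
    return lo <= version[:2] <= hi


@dataclass
class Device:
    name: str
    os_version: str


def triage(devices):
    """Split an inventory into exposed / clear / unknown name lists."""
    exposed, clear, unknown = [], [], []
    for d in devices:
        v = parse_ios_version(d.os_version)
        if v is None:
            unknown.append(d.name)
        elif in_affected_range(v):
            exposed.append(d.name)
        else:
            clear.append(d.name)
    return {"exposed": exposed, "clear": clear, "unknown": unknown}


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Device("cfo-iphone", "iOS 18.6.2"),
    Device("legal-ipad", "18.7"),
    Device("dev-iphone", "iOS 18.3.1"),
    Device("exec-iphone", "19.0"),   # constructed: any later major version
    Device("loaner-01", "unknown"),  # MDM reported no version
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices in the "unknown" bucket deserve the same attention as the exposed ones: a device the MDM cannot version is a device whose patch state you cannot vouch for.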


This is an AI-generated summary. Read the original for the full story.