# DarkSword iOS Exploit Kit: From Government Tool to Public Threat
A sophisticated iOS exploit chain, dubbed **DarkSword**, initially used by state-sponsored actors, has leaked online. The exploit targets iOS versions 18.4 through 18.7, utilizing multiple zero-day vulnerabilities to compromise devices. Regular patching is crucial to mitigate this threat.
The **Google Threat Intelligence Group (GTIG)** uncovered **DarkSword**, a full-chain exploit targeting iOS devices. GTIG assesses that **DarkSword** was likely designed for government use, given its sophistication.
> Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.
**DarkSword** supports iOS versions 18.4 through 18.7 and leverages six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed post-compromise: **GHOSTBLADE**, **GHOSTKNIFE**, and **GHOSTSABER**. The distribution of this exploit chain across various threat actors mirrors the previously discovered **Coruna iOS** exploit kit. Notably, **UNC6353**, a suspected Russian espionage group with prior ties to **Coruna**, has recently integrated **DarkSword** into its watering hole attacks.
## Leak and Broadening Threat
Unfortunately, a version of **DarkSword** was leaked online a week after its initial discovery. This leak dramatically increases the potential for broader exploitation.
## Mitigation
Although the initial discovery was a month ago, keeping your devices up to date with the latest security patches remains the best defense against **DarkSword** and similar threats.