- Here is the Google Research group's writeup
https://cloud.google.com/blog/topics/threat-intelligence/dar...
Relevant forward:
> GTIG has identified several different users of the DarkSword exploit chain dating back to November 2025. In addition to the case studies on DarkSword usage documented in this blog post, we assess it is likely that other commercial surveillance vendors or threat actors may also be using DarkSword.
> Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.
> DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.
by eugenekolo
0 subcomments
- It's actually a fascinating find by Lookout, iVerify, and Google. This is a multi-million-dollar exploit chain sold to various buyers.
Complete full-chain 1-click exploit from Safari to complete device takeover, exfiltrating personal data, passwords, and crypto wallets.
https://www.lookout.com/threat-intelligence/article/darkswor...
https://iverify.io/blog/darksword-ios-exploit-kit-explained
https://cloud.google.com/blog/topics/threat-intelligence/dar...
- I'm really hoping Apple backtracks on its refusal to update the 18.x line for phones that are compatible with 26. At least provide a security update.
- I wish I had a better sense of how these zero-click vulnerabilities work so I could get a sense of how to protect myself from them (you know, without giving in to Liquid Glass). Can they be blocked by an ad blocker? Are they blocked by any extant ad blockers? What about “Lockdown Mode”?
- >We also identified additional code added when the actor attempts to infect a user using Chrome, where the x-safari-https protocol handler is used to open the page in Safari (Figure 4). This suggests that UNC6748 didn't have an exploit chain for Chrome at the time of this activity.
Thanks Apple for allowing the overriding of the user's default browser.
- https://support.apple.com/en-us/126604
iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), macOS 26.3.2 (a)
Released March 17, 2026
WebKit
Available for: iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, macOS 26.3.2
Impact: Processing maliciously crafted web content may bypass Same Origin Policy
Description: A cross-origin issue in the Navigation API was addressed with improved input validation.
WebKit Bugzilla: 306050
CVE-2026-20643: Thomas Espach
by SayThatSh
1 subcomment
- All these exploits and we still can't get proper jailbreaks on new iOS versions :( I moved away from Android years ago in the interest of digital privacy so it's just wonderful to hear security isn't as tight as I'd hoped haha.. Then again I guess those like myself staying on the bleeding edge version-wise aren't affected.
by joezydeco
4 subcomments
- I got an alert this morning for an iOS update numbered 26.3.1(a).
(a)? This must be really bad.
by throwaway2016a
0 subcomments
- I was literally just attending a course on "innovation" and the topic of Apple vs Android was covered. Interestingly enough, a majority of students commenting cited iOS "security" as a core value proposition. As an Android user, however, I know there are a lot of CVEs in volume but in terms of severity, when an iOS issue happens it appears to generally be much more severe.
- I'd like a security patch for 18. I have no desire to upgrade to iOS Vista or whatever it is we're calling it.
- Welp, I've been holding out on that Liquid Glass crap as long as possible. Guess my phone is just going to suck now.
by walterbell
1 subcomment
- Is the full exploit chain functional on iPhone 17 MIE/EMTE silicon with Lockdown Mode enabled?
by kevincloudsec
0 subcomments
- The supply chain for offensive tooling is now indistinguishable from the supply chain for malware. Take care of your security team!
by seemizou92
0 subcomments
- The interesting angle here is what this means for passes and credentials stored in Apple Wallet. If device compromise is this accessible, the assumption that Wallet passes are isolated from the rest of the device needs more scrutiny. Apple's security model relies heavily on the Secure Enclave, but a tool like this changes the threat surface significantly.