Comment by jryio

4 days ago

Here is the Google Research group's writeup

https://cloud.google.com/blog/topics/threat-intelligence/dar...

Relevant forward:

> GTIG has identified several different users of the DarkSword exploit chain dating back to November 2025. In addition to the case studies on DarkSword usage documented in this blog post, we assess it is likely that other commercial surveillance vendors or threat actors may also be using DarkSword.

> Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

> DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.

12 comments

jryio

alecco 4 days ago

This should be the post, not Wired's blogspam.

TacticalCoder 4 days ago

Also of note, the exploit relied on:

    - CVE-2025-31277 or CVE-2025-43529
    - CVE-2026-20700
    - CVE-2025-14714
    - CVE-2025-43510
    - CVE-2025-43520

Any single of these patched and the exploit was not functional anymore. After a collaboration between the Google Threat Intelligence Group and Apple all of these have been patched.

echelon_musk 4 days ago

I wonder if that means 18.7.4 is vulnerable for all the Liquid Glass haters?

lynndotpy 4 days ago

It's vulnerable, but iOS 18 since iOS 18.7.3 is only available for the 2018 iPhone XS and XR.

bix6 4 days ago

I know everyone hates liquid glass but isn’t that better security wise than being on an iOS that’s 8 versions behind?

jryio 4 days ago
There are not 8 major versions between iOS 18 and iOS 26. Apple skipped the monotonously increasing version numbering system since iOS 1 during WDDC 2025 to adopt a year suffix based versioning system.
iOS 17, then iOS 18, then iOS 26, then iOS 27.
You're not the only party confused.
- bix6 4 days ago
  
  Haha thanks! Good to know they are on years now. Back to random version numbers in 5 year? :p
  
  3 replies →
- skygazer 4 days ago
  
  Edit: Oop, I misread! Right, yes, the change up was arguably not entirely boring. Some people were excited at least.
  Originally: To be the annoying pedant, version numbers did still monotonically increase, even with the gap, because each version is >= to the last. The mono means a single direction, not a step size of one.
  
  1 reply →