On March 23, 2026, a government-grade iOS exploit kit called "DarkSword" was publicly leaked on GitHub, the world's largest code-hosting platform. This single iPhone hacking tool has put an estimated 221 million iPhones and iPads at immediate risk. The leak was first reported by TechCrunch journalists Lorenzo Franceschi-Bicchierai and Zack Whittaker, and was rapidly confirmed and analyzed by three of the most respected names in mobile cybersecurity: Google's Threat Intelligence Group (GTIG), mobile security firm iVerify, and endpoint security company Lookout.
A tool that was once a closely guarded spyware tool used by intelligence agencies in Russia, Turkey, Saudi Arabia, and Malaysia is now freely available for anyone to download, copy, and deploy, no hacking expertise required. The joint investigation found that DarkSword had already been actively deployed in "watering hole attacks," where legitimate websites are silently compromised to serve malicious code, targeting iPhone users in Ukraine, Turkey, Malaysia, and Saudi Arabia since at least November 2025.
How Does DarkSword Work?
DarkSword is a full-chain iOS exploit kit, meaning it chains multiple vulnerabilities in sequence to fully compromise a device. The victim doesn't need to click anything suspicious; they simply visit a legitimate website that has been silently compromised by attackers. How? A hidden script on that page loads DarkSword's payload from a remote server without any visible indication.
DarkSword exploits a JavaScript engine flaw in Apple's WebKit, the engine behind Safari. For devices running iOS below 18.6, it uses CVE-2025-31277, a JIT (Just-In-Time compilation) type confusion bug. For iOS 18.6–18.7, it uses CVE-2025-43529, a garbage collection flaw. Both allow the attacker to execute arbitrary code inside the Safari browser process.
The worst part is that this is not enough to stop it. Apple uses Pointer Authentication Codes (PAC) as a security layer to prevent code injection, but DarkSword bypasses that layer using CVE-2026-20700, a flaw in Apple's dynamic linker (dyld). It then escapes the WebContent sandbox by pivoting into the GPU process using CVE-2025-14174 and CVE-2025-43510.

Using CVE-2025-43520, DarkSword achieves arbitrary read/write access to the device's kernel, gaining the highest level of control possible. Once inside, the kit drops a malware implant called "GHOSTBLADE" (or GHOSTSABER in PARS Defense variants), which executes a rapid "smash-and-grab" data extraction over HTTP, then disengages, leaving almost no trace.
Who Was Behind DarkSword Before the Leak?
DarkSword was a tool of nation-state cyberattacks and commercial surveillance vendors. Google's GTIG documented its use by:
1) UNC6353, which is a suspected Russian espionage group that deployed DarkSword in watering hole attacks on Ukrainian websites, active from December 2025 through March 2026.
2) UNC6748, which is another threat actor linked to Russian intelligence infrastructure.
3) PARS Defense, which is a Turkish commercial surveillance vendor that sold DarkSword as part of a spyware product to clients in Turkey and Malaysia.
Additional campaigns targeted entities in Saudi Arabia, Malaysia, Ukraine, and Turkey. The US Cybersecurity and Infrastructure Security Agency (CISA) has since added the DarkSword-exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch immediately. Google has also added known DarkSword delivery domains to its Safe Browsing database, meaning Safari users may receive warnings before visiting compromised sites.
What Personal Data Is at Risk?
Once GHOSTBLADE is deployed on a victim's device, it conducts a rapid, comprehensive extraction of sensitive personal data. According to analysis by iVerify and Lookout, the stolen data includes text messages (iMessages and SMS), Wi-Fi passwords, call history, real-time location data, browser history, SIM card information, cryptocurrency wallet credentials, device fingerprint, and more.

According to iVerify's analysis of iOS version market share data, approximately 14.2% of all active iPhones (an estimated 221.5 million devices) are running iOS versions between 18.4 and 18.6.2, which remain vulnerable to the full DarkSword chain.
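As an added illustration that is not part of the original report, here is a small script of my own that triages an iOS version inventory (for example an MDM export) against the version ranges quoted above: the per-version WebKit entry points from the "How Does DarkSword Work?" section and iVerify's 18.4 to 18.6.2 full-chain range. The inventory lines are constructed sample data, and treating "18.6–18.7" as including 18.7.x is my assumption since the report gives no patch level.

```python
# Added example, not from the original report: classify fleet iOS versions
# into the exposure buckets the article describes. Sample inventory below
# is constructed data.
from collections import Counter

def parse_version(text):
    """Turn '18.6.2' into (18, 6, 2) so versions compare numerically;
    a lexical compare would wrongly put '18.10' below '18.6'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    """Map one iOS version to the exposure the article attributes to it."""
    v = parse_version(version_text)
    if (18, 4, 0) <= v <= (18, 6, 2):
        # iVerify: the full chain works on 18.4 through 18.6.2
        return "full-chain (18.4-18.6.2, per iVerify)"
    if v < (18, 6, 0):
        # below 18.6 the kit enters via CVE-2025-31277 (JIT type confusion)
        return "WebKit entry via CVE-2025-31277 (below 18.6)"
    if (18, 6) <= v[:2] <= (18, 7):
        # 18.6-18.7 uses CVE-2025-43529; assumption: 18.7.x is included
        return "WebKit entry via CVE-2025-43529 (18.6-18.7)"
    return "outside the ranges stated in the report"

def triage(inventory_lines):
    """Count devices per bucket from 'device,ios_version' lines."""
    counts = Counter()
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _device, _, version_text = line.partition(",")
        try:
            counts[classify(version_text)] += 1
        except ValueError:  # blank or non-numeric version field
            counts["unparseable version"] += 1
    return counts

# Constructed sample inventory: device id, reported iOS version
SAMPLE_INVENTORY = """\
# device,ios
ipad-01,18.6.2
iphone-02,18.3.1
iphone-03,18.7
iphone-04,18.10
iphone-05,18.4
iphone-06,17.7.2
iphone-07,n/a
"""

if __name__ == "__main__":
    for bucket, n in triage(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{n:3d}  {bucket}")
```

The counts tell you how many devices still need the update from the "Protect Your iPhone Right Now" list before anything else, rather than which devices are infected.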
Protect Your iPhone Right Now:
Update to the latest iOS version immediately. If you cannot update, enable Lockdown Mode. Then check whether your device is infected using iVerify Basic, and avoid unknown or suspicious websites.
Anyways, what are your thoughts on this leak? Which iPhone version are you currently using? Let me know all your answers in the comments, where you can also share the latest news so I can make a breakdown of it.