
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors

Google Threat Intelligence Group discovered DarkSword, a sophisticated iOS full-chain exploit leveraging six zero-day vulnerabilities to target iOS 18.4-18.7 devices. Adopted by multiple state-sponsored actors and commercial surveillance vendors, the pure-JavaScript exploit chain bypasses modern iOS mitigations to deploy data-mining payloads like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

Sens: Immediate · Conf: high · Analyzed: 2026-03-18

Authors: Google Threat Intelligence Group (GTIG)

Actors/tags: UNC6748, PARS Defense, UNC6353, GHOSTBLADE, GHOSTKNIFE, GHOSTSABER, Coruna

Source: Mandiant

IOCs · 3

Key Takeaways

  • DarkSword is a full-chain iOS exploit utilizing six zero-day vulnerabilities to compromise iOS versions 18.4 through 18.7.
  • The exploit chain relies entirely on pure JavaScript, bypassing the need to defeat iOS Page Protection Layer (PPL) or Secure Page Table Monitor (SPTM) mitigations.
  • Multiple distinct threat actors, including UNC6748, PARS Defense, and UNC6353, have adopted DarkSword for targeted attacks.
  • Post-exploitation payloads include three distinct JavaScript-based malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
  • The malware families actively delete iOS crash logs to hide unexpected failures and cover their tracks.

Affected Systems

  • Apple iOS 18.4
  • Apple iOS 18.5
  • Apple iOS 18.6
  • Apple iOS 18.7
  • Apple Safari
  • WebKit

Vulnerabilities (CVEs)

  • CVE-2025-31277
  • CVE-2026-20700
  • CVE-2025-43529
  • CVE-2025-14174
  • CVE-2025-43510
  • CVE-2025-43520

Attack Chain

Victims are lured to decoy websites or compromised watering holes where a landing page checks session storage to prevent reinfection. An invisible IFrame loads a JavaScript loader (rce_loader.js) that fetches remote code execution exploits targeting JavaScriptCore and dyld to bypass PAC. The exploit then chains two sandbox escapes (WebContent to GPU, then GPU to mediaplaybackd) before exploiting an XNU VFS race condition for local privilege escalation. Finally, a JavaScript-based backdoor (GHOSTKNIFE, GHOSTSABER, or GHOSTBLADE) is deployed to exfiltrate sensitive device data and user communications.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: YARA

The article provides YARA rules for detecting the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE backdoors, as well as file path artifacts associated with the DarkSword exploit chain implant libraries.

Detection Engineering Assessment

  • EDR Visibility: Low — Mobile devices, specifically iOS, have extremely limited EDR visibility compared to desktop OSs due to strict sandboxing and lack of kernel access for security tools.
  • Network Visibility: Medium — While C2 traffic is encrypted using custom binary protocols over HTTP/HTTPS, domain and IP connections can be logged at the network perimeter.
  • Detection Difficulty: Hard — The exploit chain runs entirely in memory via JavaScript, uses encrypted payloads, and actively deletes crash logs to hide its tracks.

Required Log Sources

  • DNS Logs
  • Web Proxy Logs
  • Mobile Device Management (MDM) Logs

Hunting Hypotheses

  • Hypothesis: Look for unexpected HTTP/HTTPS traffic from iOS devices to known suspicious domains or IPs associated with commercial spyware vendors.
    • Telemetry: DNS Logs, Web Proxy Logs
    • ATT&CK Stage: Command and Control
    • FP Risk: Low
  • Hypothesis: Identify web traffic patterns where a device accesses a site, immediately loads an invisible iframe (frame.html), and fetches sequential JavaScript payloads (rce_loader.js, rce_worker_*.js).
    • Telemetry: Web Proxy Logs
    • ATT&CK Stage: Initial Access
    • FP Risk: Medium
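The two hunting hypotheses above, as an added example that is not code from the GTIG report: it checks constructed web proxy log lines for contact with the report's delivery/exfiltration domains and for the ordered frame.html, rce_loader.js, rce_worker_*.js fetch sequence per client within a time window. The log line format, the .invalid hostnames and the client IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Delivery/exfiltration domains from the report (defanged), refanged for matching.
DARKSWORD_DOMAINS = {d.replace("[.]", ".") for d in (
    "sahibndn[.]io", "e5[.]malaymoil[.]com", "sqwas[.]shapelie[.]com")}
# Ordered stage markers of the DarkSword delivery sequence described in the report.
STAGES = [re.compile(p) for p in (r"/frame\.html$", r"/rce_loader\.js$", r"/rce_worker_[^/]*\.js$")]
# Assumed proxy log shape (not the report's): "<ISO timestamp> <client ip> <method> <url>".
LOG_RE = re.compile(r"^(\S+) (\S+) (?:GET|POST) https?://([^/\s]+)(/\S*)")

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, host, path = m.groups()
    return datetime.fromisoformat(ts), src, host.lower(), path

def hunt(lines, window=timedelta(minutes=5)):
    """Flag clients that contacted a known IOC domain, and clients that fetched
    frame.html -> rce_loader.js -> rce_worker_*.js in that order within `window`."""
    hits = {"ioc_domain": set(), "exploit_sequence": set()}
    per_client = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ts, src, host, path = rec
        if host in DARKSWORD_DOMAINS:
            hits["ioc_domain"].add(src)
        per_client[src].append((ts, path))
    for src, events in per_client.items():
        stage, start = 0, None
        for ts, path in sorted(events):
            if start is not None and ts - start > window:
                stage, start = 0, None  # sequence timed out; start over
            if STAGES[stage].search(path):
                start = start or ts
                stage += 1
                if stage == len(STAGES):
                    hits["exploit_sequence"].add(src)
                    break
    return hits

# Constructed sample log lines (not from the report); .invalid hosts are placeholders.
SAMPLE_LOG = """\
2026-03-10T09:00:02 10.0.0.21 GET https://news-example.invalid/frame.html
2026-03-10T09:00:03 10.0.0.21 GET https://news-example.invalid/rce_loader.js
2026-03-10T09:00:05 10.0.0.21 GET https://news-example.invalid/rce_worker_18_6.js
2026-03-10T09:01:00 10.0.0.22 GET https://sahibndn.io/
2026-03-10T09:02:00 10.0.0.23 GET https://cdn-example.invalid/frame.html
2026-03-10T09:02:01 10.0.0.23 GET https://cdn-example.invalid/app.js
""".splitlines()
```

Client 10.0.0.23 loads a frame.html without the follow-on scripts and is not flagged, which is where the Medium FP risk of the second hypothesis comes from.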

Control Gaps

  • Lack of deep EDR telemetry on iOS devices
  • Inability to inspect encrypted custom C2 protocols
  • Bypass of iOS PPL and SPTM mitigations via pure JavaScript execution

Key Behavioral Indicators

  • Presence of 'uid' key in sessionStorage on suspicious landing pages
  • Use of 'x-safari-https' protocol handler to force Safari execution
  • Creation of '/tmp/<uuid>.<numbers>' directories on compromised devices

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Update all iOS devices to version 26.3 or later to patch the exploited vulnerabilities.
  • Block known DarkSword delivery and C2 domains/IPs at the network perimeter.

Infrastructure Hardening

  • Enable Apple's Lockdown Mode on devices belonging to high-risk individuals (journalists, politicians, executives).
  • Implement MDM policies to enforce rapid OS updates across the organization.

User Protection

  • Educate users on the risks of clicking links in unsolicited messages, such as Snapchat-themed lures.
  • Advise users to restart devices periodically, which can disrupt in-memory-only implants.

Security Awareness

  • Train high-risk targets on the threat of commercial spyware and watering hole attacks.
  • Promote awareness of the risks associated with commercial surveillance vendors.

MITRE ATT&CK Mapping

  • T1189 - Drive-by Compromise
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1068 - Exploitation for Privilege Escalation
  • T1203 - Exploitation for Client Execution
  • T1070.004 - Indicator Removal: File Deletion
  • T1113 - Screen Capture
  • T1125 - Video/Audio Capture
  • T1005 - Data from Local System

Additional IOCs

  • Domains:
    • sahibndn[.]io - DarkSword delivery domain used by PARS Defense in Turkey.
    • e5[.]malaymoil[.]com - DarkSword delivery domain used by PARS Defense in Malaysia.
    • sqwas[.]shapelie[.]com - GHOSTBLADE exfiltration server used by UNC6353.
  • File Paths:
    • /tmp/<uuid>.<numbers>/STORAGE/<uuid2>.<id> - Directory structure used by GHOSTKNIFE to write exfiltrated data to disk.
    • /var/mobile/Library/Logs/CrashReporter/ - Crash log directory targeted for deletion by GHOSTKNIFE to cover its tracks.
    • /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/ - Crash log directory targeted for deletion by GHOSTBLADE.
    • rce_loader.js - Main exploit loader script used in the DarkSword chain.
    • frame.html - HTML file dynamically injected to load the main exploit loader.