DarkSword: Google Reveals Another Government-Grade iPhone Exploit Chain

Just weeks after the Coruna disclosure shook the iOS security community, Google's Threat Intelligence Group has dropped another bombshell. DarkSword, a newly revealed exploit chain, has been actively targeting iPhones running outdated iOS versions — and the attackers include both commercial surveillance vendors and suspected state-sponsored actors.

What Is DarkSword?

DarkSword is a multi-stage exploit chain that works similarly to the Coruna attack disclosed earlier this month. It delivers its payload through compromised or decoy websites, chaining multiple iOS vulnerabilities together to achieve full kernel-level compromise of the target device. Once inside, it deploys payloads with names that sound like they belong in a spy thriller: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

According to Google's report, published in coordination with security firms Lookout and iVerify, the exploit chain has been deployed against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The geographic spread suggests multiple independent campaigns by different threat actors, all leveraging the same underlying vulnerability chain.

The Technical Details

DarkSword chains at least six CVEs to achieve its full compromise. The vulnerabilities span the kernel, WebKit, and other iOS subsystems. Most were patched between iOS 18.6 and iOS 26.3, but the critical issue is that millions of devices running older iOS versions remain vulnerable.

The fixes shipped as recently as iOS 26.3 and as far back as iOS 18.6, meaning the exploit chain was likely in active use for months before its public disclosure. This is the nature of the commercial surveillance industry: exploits are discovered, weaponized, and sold long before the public or even the vendor becomes aware.

Apple's Response

Apple has taken the unusual step of publishing a dedicated support document titled 'Update iOS to protect your iPhone from web attacks.' The document explicitly urges users on older iOS versions to update immediately and notes that Apple Safe Browsing in Safari blocks the malicious domains identified in these attacks by default.

For devices that can run current iOS versions (iOS 15 through iOS 26), Apple says the latest updates already include protections. The company also released iOS 16.7.15 and iOS 15.8.7 earlier this month to patch the Coruna vulnerabilities, and those same updates appear to address DarkSword as well.

For users stuck on iOS 13 or iOS 14, Apple recommends updating to iOS 15 to receive protections, noting that additional alerts will push critical security updates in the coming days. As a last resort, Apple suggests enabling Lockdown Mode.
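
For teams managing a fleet, the version guidance above can be turned into an inventory triage. The following is an added example, not code from Apple, Google, or this article's author; the CSV column names and device IDs are constructed, and the only version floors used are the ones this article names (15.8.7, 16.7.15, and 26.3). Branches for which the article names no fixed build are routed to manual review rather than guessed.

```python
import csv
import io
from collections import defaultdict

# Version floors taken from the article; nothing else is assumed.
BRANCH_FLOOR = {15: (15, 8, 7), 16: (16, 7, 15), 26: (26, 3, 0)}
LEGACY_MAJORS = {13, 14}          # article: move these to iOS 15

# Constructed sample inventory (hypothetical MDM export columns).
SAMPLE_INVENTORY = """device_id,os_version
ph-001,16.7.15
ph-002,15.8.6
ph-003,14.8.1
ph-004,26.3
ph-005,18.5
ph-006,26.2.1
ph-007,unknown
"""

def parse_version(text):
    """Turn '16.7.15' into (16, 7, 15), padding missing parts with zero."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(text)
    return tuple(parts + [0] * (3 - len(parts)))

def triage(version_text):
    """Classify one reported iOS version against the article's guidance."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "REVIEW"               # unparseable: a human must look
    major = version[0]
    if major in LEGACY_MAJORS:
        return "UPGRADE_TO_15"
    floor = BRANCH_FLOOR.get(major)
    if floor is None:
        return "REVIEW"               # article names no fixed build here
    return "PATCHED" if version >= floor else "UPDATE"

def triage_inventory(csv_text):
    """Group device ids by triage status."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[triage(row["os_version"])].append(row["device_id"])
    return dict(groups)

if __name__ == "__main__":
    for status, devices in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:14} {', '.join(devices)}")
```

Devices in the REVIEW group should be checked against Apple's current release for their branch before being marked as protected.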

The Bigger Picture

DarkSword and Coruna arriving back-to-back paints a concerning picture of the mobile exploit landscape. These aren't hypothetical threats or proof-of-concept demonstrations. They're production-grade attack tools being actively used against real targets by sophisticated adversaries.

The commercial surveillance industry — companies like NSO Group, Intellexa, and others — continues to discover and weaponize iOS vulnerabilities at a pace that challenges even Apple's substantial security resources. Each disclosed exploit chain likely represents just a fraction of what's actually deployed in the wild.

Key Takeaways

  • DarkSword is a newly disclosed iOS exploit chain used by surveillance vendors and state-sponsored actors against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine
  • It chains six CVEs to achieve full kernel-level compromise through compromised websites, deploying payloads called GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER
  • All vulnerabilities have been patched in current iOS versions — users on iOS 15 through iOS 26 with the latest updates are protected
  • Apple published a rare dedicated support document urging users to update immediately
  • The disclosure comes just weeks after the similar Coruna exploit chain was revealed, suggesting a thriving market for iOS zero-days

Our Take

Two major iOS exploit chain disclosures in three weeks tell you everything you need to know about the state of mobile security in 2026. The good news is that Apple patches these vulnerabilities relatively quickly once they're reported. The bad news is that the window between weaponization and patching can be months or even years, during which real people in vulnerable situations (journalists, activists, dissidents) are being targeted. The advice is simple but bears repeating: update your devices. Every iOS update you skip is a window you leave open. And if you're in a position where you might be targeted by state-level adversaries, Lockdown Mode isn't paranoia; it's prudence. Apple deserves credit for the unusual step of publishing a plain-language support document about these threats. Security advisories buried in CVE databases don't reach the people who need them most. More of this, please.
