DarkSword iOS Exploit Kit: What It Can Do, What It Cannot – and Why It Is Not a Jailbreak

On March 18, 2026, Google Threat Intelligence, iVerify, and Lookout jointly disclosed an iOS exploit kit called DarkSword. It affects iPhones running iOS 18.4 through 18.7 – an estimated 270 million devices worldwide, according to iVerify. Five days later, the full exploit code was leaked on GitHub. Here is what DarkSword means for iPhone users, what it can do, what it cannot do, and why it is not a jailbreak.

What Is DarkSword?

DarkSword is not a single exploit but a complete attack kit – written entirely in JavaScript. It chains six separate vulnerabilities, three of them zero-days, into a seamless attack chain: from the first browser contact all the way to full device takeover at the kernel level.

What makes it particularly dangerous: the attack is delivered via manipulated websites. The victim simply has to open a compromised webpage in Safari – no link to click, nothing to download, nothing to confirm. The page loads, the exploit runs, and within seconds data is being exfiltrated.

Who Is Behind It?

The original developer of DarkSword has not been publicly identified. Google’s analysis suggests a commercial exploit developer who sold or licensed the kit to multiple customers. At least three different actors have deployed DarkSword:

  • UNC6353 – a suspected Russian espionage group that has been targeting Ukrainian individuals since December 2025 through watering-hole attacks (compromised websites)
  • PARS Defense – a Turkish surveillance technology vendor that deployed the kit against targets in Turkey and Malaysia
  • UNC6748 – an unidentified actor that targeted users in Saudi Arabia through a fake Snapchat website

DarkSword is not connected to NSO Group (Pegasus) or other known spyware vendors. It is a standalone product from a previously unknown exploit broker.

What DarkSword Can Do: Capabilities in Detail

Once an iPhone is compromised, DarkSword can access virtually all personal data. The documented capabilities include:

Communications

  • SMS and iMessage conversations
  • Telegram and WhatsApp chat histories
  • Email content

Credentials and Accounts

  • Usernames and passwords from the Keychain
  • Wi-Fi configurations and passwords
  • Safari browsing history and cookies

Cryptocurrency

DarkSword specifically targets over 13 crypto platforms, including Coinbase, Binance, Kraken, MetaMask, and Ledger. Exchange credentials and wallet keys are stolen.

Personal Data

  • Photos and their metadata
  • Contacts and call history
  • Location history
  • Calendar, Notes, and Health data
  • iCloud Drive files
  • List of all installed apps

Surveillance

  • Screenshots
  • Audio recordings
  • File system access and arbitrary file downloads

In short: DarkSword can read virtually everything stored on the iPhone.

Why DarkSword Is Not a Jailbreak

Despite the deep system access, DarkSword is fundamentally different from a jailbreak. This is an important distinction to understand.

A jailbreak permanently modifies the operating system. It disables security mechanisms, installs a package manager (like Cydia), and allows unsigned apps to be installed and the system to be customized. The device remains permanently altered after a jailbreak.

DarkSword works fundamentally differently:

  • No permanent system modification: DarkSword neither modifies the system partition nor installs persistent software. After stealing data, the kit cleans up after itself and deletes all traces.
  • No unsigned app installation: It is not possible to install custom apps or tweaks via DarkSword. The attack runs entirely through JavaScript in hijacked system processes.
  • No PPL/SPTM bypass: DarkSword deliberately avoids bypassing the Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM) – the iOS protections that prevent unsigned native code from executing. This is exactly what would be necessary for a jailbreak.
  • No persistence: The entire operation – from exploit to data exfiltration to cleanup – takes seconds to a few minutes. After that, the kit is gone. A device restart removes any trace.
  • Limited version window: DarkSword only works on iOS 18.4 through 18.7. A jailbreak typically aims for broad version support.

Put simply: DarkSword is a surgical break-in tool that strikes fast and disappears. A jailbreak is a permanent reconstruction of the security system. DarkSword steals data – it does not open the iPhone for its owner.

How the Attack Works Technically

DarkSword chains six vulnerabilities together, three of which were zero-days at the time of exploitation (meaning unknown to Apple):

  • Step 1 – Code execution in the browser: Two vulnerabilities in JavaScriptCore (CVE-2025-31277 and CVE-2025-43529) allow arbitrary code execution within the Safari process when loading a webpage.
  • Step 2 – Bypass security mechanisms: A vulnerability in dyld (CVE-2026-20700) bypasses Pointer Authentication Codes (PAC) and additional protections such as TPRO and SPRR.
  • Step 3 – Sandbox escape: A vulnerability in ANGLE/WebGL (CVE-2025-14174) allows the exploit to break out of Safari’s sandbox into the GPU process.
  • Step 4 – Gain system privileges: Two kernel vulnerabilities (CVE-2025-43510 and CVE-2025-43520) provide full read and write access to kernel memory.
  • Step 5 – Exfiltrate data: With kernel privileges, DarkSword injects its payload into SpringBoard (the home screen process) and accesses all data.

The entire chain is written in JavaScript – an architectural choice that allows the kit to bypass certain hardware protections that only apply to native binary code.

How Many Devices Are Affected?

DarkSword affects iPhones running iOS 18.4 through 18.7. According to iVerify, up to 270 million iPhones were running vulnerable iOS versions at the time of disclosure. Other estimates point to around 221 million devices – approximately 14 percent of all active iOS devices worldwide.

The first known campaign began in November 2025. At that time, the affected iOS versions were current, meaning a significantly larger share of iPhone users were vulnerable than today.

The situation escalated on March 23, 2026, when the full exploit code was published on GitHub. According to iVerify co-founder Matthias Frielingsdorf, the exploits are “way too easy to repurpose” – anyone with basic web hosting knowledge can deploy them within hours.

Apple Has Patched – But Incrementally

Apple has fixed all six vulnerabilities, though over a period of several months. In its official security advisories, Apple describes the three zero-days as vulnerabilities that were exploited “in an extremely sophisticated attack against specific targeted individuals.”

  • July 2025 – iOS 18.6: CVE-2025-31277 (JavaScriptCore) patched
  • November 2025 – iOS 18.7.2 / iOS 26.1: CVE-2025-43510 and CVE-2025-43520 (Kernel) patched
  • December 2025 – iOS 18.7.3 / iOS 26.2: CVE-2025-43529 (JavaScriptCore) and CVE-2025-14174 (ANGLE) patched
  • February 2026 – iOS 26.3: CVE-2026-20700 (dyld PAC bypass) patched – the last zero-day

To be fully protected, iOS 26.3 or later must be installed. Apple additionally recommends enabling Lockdown Mode for individuals who consider themselves potential targets of sophisticated attacks.

What You Should Do Now

  • Update iOS immediately: Check under Settings → General → Software Update whether your device is up to date. iOS 26.3 or later closes all DarkSword vulnerabilities.
  • Enable Lockdown Mode: For individuals in exposed positions (executives, politicians, journalists), Lockdown Mode under Settings → Privacy & Security provides additional protection.
  • Check older devices: iPhones that can no longer receive iOS 26 should be updated to at least iOS 18.7.3. Apple also released backports for iOS 15 and 16 in March 2026.
  • Monitor corporate devices: Especially in companies with BYOD policies (Bring Your Own Device), verify whether employees are running outdated iOS versions.
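The fleet check from the last point can be automated against an MDM export. The following Python script is an added example written for this article, not code from Zerberos, Apple or the DarkSword disclosure. It encodes the patch timeline above (fix versions per CVE, separately for the 18.x and 26.x release branches), parses device OS versions numerically so that a build like 18.7.10 is not mistaken for an older one by string comparison, and reports for each device whether it sits in the kit's affected window (18.4 through 18.7) and which of the six CVEs its build still lacks a fix for. The inventory rows are constructed sample data; device names and versions are made up. One assumption is marked in the code: iOS 26 shipped after iOS 18.6, so the July 2025 JavaScriptCore fix is treated as present in every 26.x build. The article names no 18.x backport of the dyld fix (CVE-2026-20700), so that entry is recorded as having no known fix on the 18 branch, and branches outside the timeline (the iOS 15/16 backports, for which the article gives no version numbers) are reported as not covered rather than guessed.

```python
"""Fleet check for the DarkSword iOS patch timeline (added example).

Given an inventory of iPhone OS versions (constructed sample below, shaped
like an MDM export), report which devices still sit in the kit's affected
window (iOS 18.4 through 18.7) and which of the six chained CVEs their
build lacks a fix for, using the patch timeline from the write-up above.
"""
import csv
import io

# Fix version per release branch (major version -> first fixed build).
# None means the article names no fix for that branch.
# ASSUMPTION: iOS 26 shipped after iOS 18.6, so the July 2025 JavaScriptCore
# fix (CVE-2025-31277) is treated as present in every 26.x build.
FIXES = {
    "CVE-2025-31277": ("JavaScriptCore", {18: (18, 6), 26: (26, 0)}),
    "CVE-2025-43510": ("Kernel", {18: (18, 7, 2), 26: (26, 1)}),
    "CVE-2025-43520": ("Kernel", {18: (18, 7, 2), 26: (26, 1)}),
    "CVE-2025-43529": ("JavaScriptCore", {18: (18, 7, 3), 26: (26, 2)}),
    "CVE-2025-14174": ("ANGLE/WebGL", {18: (18, 7, 3), 26: (26, 2)}),
    "CVE-2026-20700": ("dyld PAC bypass", {18: None, 26: (26, 3)}),
}

AFFECTED_LOW = (18, 4)   # first affected release
AFFECTED_HIGH = (18, 8)  # exclusive upper bound: every 18.7.x build is inside


def parse_version(text):
    """Turn '18.7.10' into (18, 7, 10) so comparisons are numeric, not lexical.
    A plain string compare would sort '18.7.10' before '18.7.2' and mis-flag it."""
    return tuple(int(part) for part in text.strip().split("."))


def in_affected_window(version):
    """True when the build is one DarkSword is reported to work against."""
    v = parse_version(version)
    return AFFECTED_LOW <= v < AFFECTED_HIGH


def unpatched_cves(version):
    """CVEs from the chain that this build still lacks a fix for, or None when
    the release branch (e.g. the iOS 15/16 backports) is not in the timeline."""
    v = parse_version(version)
    branch = v[0]
    if not all(branch in fixes for _, fixes in FIXES.values()):
        return None
    missing = []
    for cve, (_component, fixes) in FIXES.items():
        fixed_in = fixes[branch]
        if fixed_in is None or v < fixed_in:
            missing.append(cve)
    return missing


def assess_fleet(inventory_csv):
    """Return one finding dict per device: affected-window flag and missing CVEs."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = row["os_version"]
        findings.append({
            "device": row["device"],
            "os_version": version,
            "in_affected_window": in_affected_window(version),
            "unpatched": unpatched_cves(version),
        })
    return findings


# Constructed sample inventory; device names and versions are made up.
SAMPLE_INVENTORY = """device,os_version
ceo-iphone,18.5
sales-01,18.7.3
sales-02,18.7.10
legal-01,26.2
it-admin,26.3
legacy-01,16.7.10
"""

if __name__ == "__main__":
    for f in assess_fleet(SAMPLE_INVENTORY):
        window = "AFFECTED" if f["in_affected_window"] else "outside window"
        cves = ("timeline not covered" if f["unpatched"] is None
                else ", ".join(f["unpatched"]) or "none")
        print(f"{f['device']:<12} {f['os_version']:<9} {window:<15} missing: {cves}")
```

Two readings of the report matter in practice: a device can be outside the kit's affected window (any 26.x build) and still show an individual CVE as unpatched, which is a reason to update but not a DarkSword exposure; and an 18.7.3 device is inside the window with the dyld fix listed as missing, which matches the article's advice that full protection requires iOS 26.3 or later.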

How Zerberos Can Help

Mobile devices are often the blind spot in security strategies. We help organizations systematically address this area:

  • Risk Assessment: We analyze your complete attack surface – including mobile devices, BYOD policies, and configuration standards.
  • Social Engineering Tests: DarkSword is distributed via compromised websites. We test whether your employees fall for such attacks.
  • Security Roadmap: Structured planning that includes mobile device management and patch strategies for corporate devices.

Your organization’s security does not end at the office laptop. Contact us for an assessment of your mobile security posture.

Sources and Further Reading