Security researchers are sounding the alarm as the leak transforms what was once a sophisticated, state-linked offensive tool into an accessible attack kit for virtually any threat actor.
DarkSword is a full iOS exploit chain written in JavaScript, originally identified in March 2026 by Google’s Threat Intelligence Group (GTIG), alongside cybersecurity firms iVerify and Lookout.
The toolkit chains six distinct zero-day vulnerabilities to achieve complete, privileged compromise of a target iPhone, all initiated through a single browser visit to a malicious webpage.
| CVE | Exploit Module | Vulnerability Type | Zero-Day | Patched In |
|---|---|---|---|---|
| CVE-2025-31277 | rce_module.js | JIT optimization / type confusion | No | iOS 18.6 |
| CVE-2025-43529 | rce_worker_18.6.js, rce_worker_18.7.js | Use-after-free / garbage collection bug in DFG JIT layer | Yes | iOS 18.7.3, 26.2 |
| CVE-2026-20700 | rce_worker_18.4.js, rce_worker_18.6.js, rce_worker_18.7.js | Memory corruption / user-mode PAC bypass | Yes | iOS 26.3 |
| CVE-2025-14174 | sbox0_main_18.4.js, sbx0_main.js | Out-of-bounds memory access in WebGL operation | Yes | iOS 18.7.3, 26.2 |
| CVE-2025-43510 | sbx1_main.js | Memory management / copy-on-write bug | No | iOS 18.7.2, 26.1 |
| CVE-2025-43520 | pe_main.js | Kernel-mode race condition in VFS implementation | No | iOS 18.7.2, 26.1 |
The kill chain begins when Safari loads a malicious iframe embedded in a compromised site. From there, DarkSword breaks out of the WebContent sandbox, leverages WebGPU to inject code into the mediaplaybackd process, and ultimately achieves full kernel read/write access.
This kernel-level access allows the attacker to modify sandbox restrictions and reach restricted areas of the iOS filesystem — without ever requiring physical access to the device.
Among the vulnerabilities exploited is CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore, which Apple patched in iOS 18.7.3 and iOS 26.2 after GTIG disclosed it.
DarkSword was initially deployed in targeted espionage campaigns against Ukrainian citizens by a threat group tracked as UNC6353, suspected to be operating at least in part on behalf of the Russian government.
The toolkit was purpose-built for rapid, covert data exfiltration, extracting passwords, photos, WhatsApp and Telegram messages, iMessage threads, browser history, and even cryptocurrency wallet credentials before disappearing without a trace.
Lookout researchers noted that DarkSword’s time on a compromised device is likely measured in minutes, making it a classic “smash-and-grab” espionage operation.
What was previously a nation-state–grade offensive tool is now freely available online. A newer version of the DarkSword toolkit, reportedly consisting of relatively basic HTML and JavaScript files, was published to GitHub, and researchers warn it can be deployed on a malicious server within minutes.
Security hobbyist Matteyeux confirmed the threat is real and immediate, posting on X that they successfully used the leaked DarkSword sample to compromise a 6th-generation iPad mini running iPadOS 18.6.2, demonstrating that the exploit works without advanced technical expertise.
According to Apple’s own usage data, approximately one quarter of all active iPhones and iPads are still running iOS 18 or earlier — potentially hundreds of millions of vulnerable devices globally.
DarkSword specifically targets iOS versions 18.4 through 18.7, all of which remain unpatched against the full exploit chain unless upgraded to iOS 26.
Apple acknowledged the vulnerability and released an emergency security update on March 11 for devices that cannot be upgraded to iOS 26. Apple also confirmed that devices with Lockdown Mode enabled are protected from DarkSword attacks, even on outdated software.
Security experts strongly urge all iPhone and iPad users to immediately update to iOS 26 or apply the available emergency patch. Users who cannot upgrade should enable Lockdown Mode as an immediate mitigation against this now-public and weaponized exploit chain.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post DarkSword Exploit Chain That Can Hack Millions of iPhones Leaked Online appeared first on Cyber Security News.
Attackers have found a new way to push malware by weaponizing one of the most…
Fairy lights adorn the walls, and board games line the shelves. Despite its tall ceilings…
The Rockford Planning and Development Committee voted to advance an update to the city's 2040…
If there’s one thing Adi Shankar wants to impress upon fans about the upcoming second…
Marvel has announced a release date for The Punisher: One Last Kill, its upcoming one-off…
Sung Kang has “100 percent” embraced his role as an on-screen ambassador to the car…
This website uses cookies.