DarkSword: Advanced iOS Exploit Kit Targets iPhones in Four Countries
Since November 2025, a sophisticated iOS exploit kit named DarkSword has been deployed by commercial surveillance vendors and state-sponsored threat actors to extract sensitive data from iPhone users across four countries. The attack leverages six vulnerabilities, including four zero-days, to fully compromise devices running iOS 18.4 to 18.7.
The exploit chain begins with a remote code execution (RCE) vulnerability in JavaScriptCore, followed by sandbox escapes and local privilege escalation. The final payload grants attackers kernel-level access, enabling deep system control. DarkSword's multi-stage approach highlights the growing complexity of iOS-targeted attacks and challenges the long-held assumption that iPhones are secure.
The campaign underscores the evolving tactics of advanced threat actors, who continue to refine their methods to bypass Apple’s defenses. No further details on the affected countries or specific forensic artifacts have been disclosed.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7440085285197221888
Apple cybersecurity rating report: https://www.rankiteo.com/company/apple
{
  "id": "APP1773858257",
  "linkid": "apple",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"location": ["Four unspecified countries"], "type": "Individual iPhone users"}
  ],
  "attack_vector": "Remote Code Execution (RCE) in JavaScriptCore",
  "data_breach": {
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Likely",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Sensitive data"
  },
  "date_detected": "2025-11-01",
  "description": "Since November 2025, a sophisticated iOS exploit kit named DarkSword has been deployed by commercial surveillance vendors and state-sponsored threat actors to extract sensitive data from iPhone users across four countries. The attack leverages six vulnerabilities, including four zero-days, to fully compromise devices running iOS 18.4 to 18.7. The exploit chain begins with a remote code execution (RCE) vulnerability in JavaScriptCore, followed by sandbox escapes and local privilege escalation. The final payload grants attackers kernel-level access, enabling deep system control.",
  "impact": {
    "data_compromised": "Sensitive data extracted from iPhones",
    "identity_theft_risk": "High",
    "systems_affected": "iPhones running iOS 18.4 to 18.7"
  },
  "lessons_learned": "The incident highlights the growing complexity of iOS-targeted attacks and challenges the long-held assumption of iPhone security.",
  "motivation": "Cyber espionage / Surveillance",
  "post_incident_analysis": {
    "root_causes": "Exploitation of six vulnerabilities, including four zero-days, in iOS 18.4 to 18.7"
  },
  "references": [{"source": "Cyber Incident Description"}],
  "threat_actor": ["Commercial surveillance vendors", "State-sponsored threat actors"],
  "title": "DarkSword: Advanced iOS Exploit Kit Targets iPhones in Four Countries",
  "type": "Exploit Kit / Cyber Espionage",
  "vulnerability_exploited": [
    "Six vulnerabilities",
    "Four zero-days",
    "Sandbox escapes",
    "Local privilege escalation"
  ]
}