
DarkSword iOS Exploit: The Zero-Click iPhone Hack Explained

ZyberWalls Research Team Independent cybersecurity researchers covering zero-days, CVEs, breach analysis and threat intelligence. All facts verified from primary sources.

Rania is a compliance officer at a Dubai fintech firm. On a Tuesday morning she opened Safari on her iPhone, clicked a link sent by a colleague on Slack — a news article about a regulatory update. The page loaded normally. She read it, put her phone down, and went back to work.

She had no idea that in the 11 seconds it took that page to load, an attacker had read every message on her phone, copied her crypto wallet keys, extracted her saved passwords, and deleted every trace they were ever there. Her phone looked completely normal. Her antivirus showed nothing. Her IT team saw nothing. The attacker was already gone.

This is not a hypothetical. This is how DarkSword works — a real iOS exploit chain confirmed by Google's Threat Intelligence Group, Lookout, and iVerify on March 18, 2026. It has been silently compromising iPhones since November 2025.

DarkSword iOS Exploit Chain — Key Facts
  • Confirmed by: Google GTIG, Lookout, iVerify — March 18, 2026
  • Active since: November 2025 — 4 months before public disclosure
  • Vulnerable versions: iOS 18.4 through 18.6.2 — ~221 million devices
  • Attack trigger: Visiting a compromised webpage — no tap, no download required
  • Attack duration: Seconds — data stolen, traces deleted, attacker gone
  • What it steals: iMessages, WhatsApp, Telegram, email, photos, Keychain passwords, crypto wallets
  • Backdoors deployed: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER — depending on attacker
  • Who is using it: Russian group UNC6353, Turkish surveillance vendor PARS Defense — sold commercially
  • CVEs in the chain: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520
  • Safe version: iOS 18.7.6 or iOS 26.3.1 — update now
  • Extra protection: Lockdown Mode blocks the entire attack chain
Figure: DarkSword iOS zero-day exploit, showing an invisible iPhone compromise through a compromised webpage with no user interaction

Root Cause — How a Webpage Takes Over Your Phone

To understand DarkSword, picture your iPhone as an office building with six security checkpoints between the lobby and the CEO's office. Each checkpoint has its own lock. Normally, even if someone sneaks past the front door, they can't reach the executive floor — they still have five more locked doors to defeat.

DarkSword has a key for each door. Six vulnerabilities, chained in sequence, each one unlocking access to the next checkpoint. By the end of the chain, the attacker reaches the CEO's office — the iPhone's kernel, the master controller of everything the device does. From there, nothing is off-limits.

What makes this especially alarming is that it starts with the most routine thing imaginable: your browser loading a webpage. You don't tap anything suspicious. You don't download anything. The attack begins and ends while the page is simply rendering on your screen.

DarkSword takes a hit-and-run approach — collecting and exfiltrating data within seconds or minutes, then cleaning up and leaving. By the time you put your phone down, the attacker has everything and the evidence is gone. Your phone looks completely normal because the malware made sure of it.

The Exploit Chain — Six Doors, One Visit

Door 1 — Getting inside Safari
CVE-2025-31277 exploits a flaw in how Safari's JavaScript engine speeds up code execution. The attacker crafts a webpage that triggers a memory corruption bug — Safari writes data where it shouldn't. This gives the attacker their first foothold: code running inside the browser.

Door 2 — Breaking Apple's tamper seal
Apple uses a hardware protection called Pointer Authentication Codes (PAC) — think of it as a wax seal stamped on every piece of code. If anything tampers with the code, the seal breaks and the phone refuses to run it. CVE-2026-20700 exploits a flaw in dyld — the system that loads apps — to forge that seal. We covered this flaw in depth when Apple patched it in February: The Apple dyld Zero-Day: CVE-2026-20700 Deep Dive. DarkSword now uses it as step two of a six-step chain.

Door 3 — Escaping the browser
Safari runs in a sandbox — an isolated container so that even if a malicious page runs code, it can't reach the rest of your phone. CVE-2025-14174 exploits a flaw in the graphics rendering layer to escape that container and inject into the GPU process — a more privileged area of the phone.

Door 4 — Reaching trusted system territory
From the GPU process, CVE-2025-43510 is used to inject into mediaplaybackd — a trusted Apple system service that handles media on your device. The attacker is now inside the phone's trusted process space, not just the isolated browser area.

Door 5 — Full kernel control
CVE-2025-43520 escalates privileges from the system process to full kernel access. The kernel is the master controller of every function on the iPhone. With kernel access, there is no file, no message, no password the attacker cannot read.

Door 6 — Steal everything, disappear
The backdoor payload (GHOSTBLADE being the most common) extracts iMessages, WhatsApp, Telegram, email, contacts, photos, location history, browser history, Keychain passwords, and crypto wallet data. Everything is encrypted and sent to the attacker's server. Then all temporary files are deleted. The attack leaves no trace on the device — except in Safari's browser history database, which iVerify confirmed the malware does not clean up.

Why This Is Bigger Than One Attack

DarkSword is not controlled by one group. It is a product — being sold commercially to multiple buyers. The Russian state-linked group UNC6353 used it to target Ukrainian civilians through compromised government websites. The Turkish surveillance vendor PARS Defense sold it to at least two different customers across Malaysia and Turkey. Researchers found evidence that AI was used to write parts of the malware code — attackers are using the same AI tools that defenders use to build exploits faster.

This matters because it means the tool will spread. What starts as a precision weapon against journalists and government officials becomes available to anyone who can pay. The economics of sophisticated iPhone exploitation have fundamentally changed.

The connection to the broader attack pattern we've been tracking this month is direct. DarkSword steals the Keychain — every saved password and authentication token on the device. That stolen identity is then exactly what the Ghost AitM campaign uses to bypass MFA and take over fintech accounts:

The Ghost Attack: How Hackers Are Stealing Indian Fintech Sessions After MFA Already Passed

And the browser-as-entry-point is identical to the Chrome zero-days we covered last week — DarkSword is that same threat logic applied to mobile:

Chrome Zero-Day Alert: CVE-2026-3909 & CVE-2026-3910 Actively Exploited

MITRE ATT&CK Mapping

Tactic | Technique ID | Technique Name | How It Applies
Initial Access | T1189 | Drive-by Compromise | Victim visits compromised legitimate site — no interaction beyond page load required
Execution | T1203 | Exploitation for Client Execution | CVE-2025-31277 — JavaScriptCore memory corruption executes attacker code in Safari
Defense Evasion | T1211 | Exploitation for Defense Evasion | CVE-2026-20700 — PAC bypass forges Apple's hardware tamper seal
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | CVE-2025-43510 + CVE-2025-43520 — escalates through mediaplaybackd to full kernel control
Collection | T1636 | Protected User Data | GHOSTBLADE harvests all messaging apps, photos, location, browser history
Credential Access | T1555 | Credentials from Password Stores | Keychain extracted via kernel access — all saved passwords and auth tokens stolen
Impact | T1657 | Financial Theft | Crypto wallet seed phrases and private keys extracted for direct financial theft
Defense Evasion | T1070 | Indicator Removal | All temporary files deleted post-exfiltration — device appears completely clean

Indicators of Compromise (IOCs)

# DarkSword iOS — Detection Indicators

# CVE patch status — confirm all six are applied
CVE-2025-31277  — JavaScriptCore JIT (patched iOS 18.6)
CVE-2025-43529  — JavaScriptCore GC bug (patched iOS 18.7.3 / 26.2)
CVE-2026-20700  — dyld PAC bypass (patched iOS 26.3 — zero-day)
CVE-2025-14174  — ANGLE graphics OOB write (patched iOS 18.6)
CVE-2025-43510  — XNU kernel copy-on-write (patched iOS 18.7.3)
CVE-2025-43520  — iOS kernel memory corruption (patched iOS 18.7.3)

# Device behavioural indicators
Alert: Unexpected battery drain immediately after web browsing session
Alert: Safari or WebKit process crashes (com.apple.WebKit.WebContent,
  com.apple.WebKit.GPU) — DarkSword restarts on failed exploit stages
Alert: Elevated CPU in mediaplaybackd outside any media playback activity

# Network indicators during active attack window
Alert: Encrypted outbound HTTPS burst from iOS device within seconds
  of visiting external website — to non-Apple, non-CDN destination
Alert: ECDH + AES encrypted C2 traffic from mobile device
  to unknown IP not matching any installed app

# MDM / enterprise fleet
Alert: Any enrolled device below iOS 18.7.6 or 26.3.1
  — quarantine from corporate resources until updated
Alert: Corporate resource access from unpatched iOS version

# Forensic detection
Use iVerify Basic (free until May 2026) — scan for active infections
Use MVT (Mobile Verification Toolkit) — check Safari history database
  (DarkSword does NOT clean Safari history — delivery domains visible)

SOC Alert Priorities

Alert Priority 1 — Enforce iOS 18.7.6 or 26.3.1 across your entire mobile fleet today: Any device below this version is vulnerable to a zero-click attack that leaves no trace. Through your MDM, identify every unpatched device immediately. Devices that cannot update should be quarantined from corporate email, VPN, and any system that handles sensitive data. This is not a routine patch cycle — it is an active exploitation scenario.
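The fleet rule above (anything below 18.7.6 on the iOS 18 branch, or below 26.3.1 on the iOS 26 branch, is quarantined) is easy to get wrong with plain string comparison, since "18.7.6" sorts after "26.3". The following is an added example, not code from ZyberWalls or any MDM vendor; the device records and the `needs_quarantine` helper are constructed for illustration, and the patch floors come from the post.

```python
# Added example (not from the ZyberWalls post): MDM fleet triage against the
# patch floor the post gives, iOS 18.7.6 on the 18 branch and 26.3.1 on the
# 26 branch. The fleet records below are constructed sample data.
import re

PATCH_FLOOR = {18: (18, 7, 6), 26: (26, 3, 1)}  # patched builds named in the post


def parse_ios_version(text):
    """Turn '18.6.2', '26.3' or 'iOS 18.7.6 (beta)' into a comparable tuple."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised iOS version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def needs_quarantine(version_text):
    """True if the device is below the patched build for its release branch."""
    v = parse_ios_version(version_text)
    floor = PATCH_FLOOR.get(v[0])
    if floor is None:
        # Branch the post does not list: anything older than iOS 18 is below
        # the floor; anything newer than both branches is treated as past it.
        return v < PATCH_FLOOR[18]
    return v < floor


def triage_fleet(devices):
    """(device_id, version) for every device to cut off from corporate resources."""
    return [(d["id"], d["os"]) for d in devices if needs_quarantine(d["os"])]


SAMPLE_FLEET = [  # constructed inventory export
    {"id": "ipad-fin-01", "os": "18.6.2"},
    {"id": "iphone-exec-07", "os": "18.7.6"},
    {"id": "iphone-legal-03", "os": "26.3"},
    {"id": "iphone-ops-12", "os": "26.3.1"},
    {"id": "iphone-old-99", "os": "17.7.2"},
]

if __name__ == "__main__":
    for dev_id, os_ver in triage_fleet(SAMPLE_FLEET):
        print(f"QUARANTINE {dev_id}: iOS {os_ver} is below the patch floor")
```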

Alert Priority 2 — Enable Lockdown Mode for all high-risk roles: Lockdown Mode blocks the WebGPU and JIT-compilation paths DarkSword relies on — making the entire chain non-functional on protected devices. Finance, legal, executive, IT administration, journalism — anyone whose phone holds data that would be catastrophic if stolen. Settings → Privacy & Security → Lockdown Mode. It restricts some features but neutralises this attack completely.

Alert Priority 3 — Scan high-value devices with iVerify immediately: iVerify Basic is free until May 2026 and can detect active DarkSword infections through Safari history analysis — the one artifact the malware does not clean up. Run it on devices belonging to executives, finance staff, and anyone with privileged system access. Detection is possible even after the attack appears to have cleaned up.
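Because Safari history is the one artifact the post says survives, an analyst with a device backup can query it directly. The following is an added example, not iVerify's or MVT's code: it builds an in-memory copy of the two History.db tables the check needs (`history_items`, `history_visits`, with `visit_time` in seconds since 2001-01-01), lists the visits around a suspected session, and matches hosts against an IOC list. The rows and the `update-notice.example` domain are constructed placeholders; the post does not publish delivery domains.

```python
# Added example (not from the post, iVerify or MVT): list Safari visits around a
# suspected session and match them against a domain IOC list. Table layout
# follows History.db; all rows below are constructed.
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Safari visit_time base


def cocoa_to_utc(seconds):
    return COCOA_EPOCH + timedelta(seconds=seconds)


def build_sample_history():
    """Constructed History.db holding only the columns this check reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL, title TEXT);
    """)
    db.executemany("INSERT INTO history_items VALUES (?, ?)", [
        (1, "https://news.example.com/regulatory-update"),   # constructed
        (2, "https://cdn.update-notice.example/landing"),   # constructed
        (3, "https://mail.example.com/inbox"),              # constructed
    ])
    base = 795_000_000.0  # constructed Cocoa timestamp (2026-03-12 09:20 UTC)
    db.executemany("INSERT INTO history_visits VALUES (?, ?, ?, ?)", [
        (1, 1, base, "Regulatory update"),
        (2, 2, base + 3, ""),          # untitled load 3 s after the article
        (3, 3, base + 900, "Inbox"),   # 15 minutes later, outside the window
    ])
    return db


def visits_between(db, start, end):
    """Visits in [start, end] (aware UTC datetimes) as (utc_iso, host, url, title)."""
    lo = (start - COCOA_EPOCH).total_seconds()
    hi = (end - COCOA_EPOCH).total_seconds()
    rows = db.execute("""
        SELECT v.visit_time, i.url, v.title FROM history_visits v
        JOIN history_items i ON v.history_item = i.id
        WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time""", (lo, hi))
    return [(cocoa_to_utc(t).isoformat(), urlparse(url).hostname or "", url, title)
            for t, url, title in rows]


def matches_known_domains(visits, known_domains):
    """Visits whose host equals, or is a subdomain of, a domain on the IOC list."""
    return [v for v in visits
            if any(v[1] == d or v[1].endswith("." + d) for d in known_domains)]
```

Run `matches_known_domains(visits_between(db, start, end), ioc_domains)` against a History.db copied from a backup; a real engagement would also keep the full window listing for manual review, since the IOC list will never be complete.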

Alert Priority 4 — Treat a compromised iPhone as a full identity breach: DarkSword steals the Keychain — every saved password and authentication token on the device. If a device is confirmed or suspected compromised, do not just wipe the phone. Trigger global session revocation across every corporate platform the employee used from that device. Reset credentials for every system they have access to. The phone is the starting point — the blast radius is everything they were logged into.

Alert Priority 5 — Monitor for anomalous outbound mobile traffic immediately following browsing: DarkSword's exfiltration produces a short burst of encrypted HTTPS traffic to an unknown destination within seconds of a web visit. Build a mobile traffic alert for this pattern — outbound encrypted data from a mobile device to a non-CDN, non-app-matched IP, immediately following an external web session. The attack window is brief but the network signature is real and detectable.
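One way to build the correlation described above, as an added example that is not part of the post or any vendor's product: join per-device web-visit records with outbound flow records and raise an alert when a large encrypted upload to a non-allowlisted, non-app-matched IP follows a web visit from the same device within a short window. The log formats, the allowlisted ranges, the app-backend IP and the thresholds are constructed placeholders an organisation would replace with its own.

```python
# Added example (not from the post): correlate web visits with outbound flows
# to flag the post-browsing exfiltration burst. Log lines, ranges and
# thresholds are constructed placeholders, not real IOCs.
import ipaddress
from datetime import datetime, timedelta

# Placeholder allowlist: 17.0.0.0/8 stands in for Apple's space, the
# documentation prefix stands in for a CDN an organisation actually sees.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("17.0.0.0/8", "203.0.113.0/24")]
APP_MATCHED_IPS = {"198.51.100.10"}   # constructed backend of an installed app
WINDOW = timedelta(seconds=30)        # "within seconds of a web visit"
MIN_BYTES_OUT = 200_000               # constructed burst threshold


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return ip in APP_MATCHED_IPS or any(addr in net for net in TRUSTED_NETS)


def parse_kv(line):
    """'<iso-ts> k=v k=v ...' -> dict with a parsed 'ts' (constructed format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def correlate(web_lines, flow_lines):
    """(device, visited_host, dst_ip, flow_time) for each suspicious burst."""
    visits = [parse_kv(l) for l in web_lines]
    alerts = []
    for f in (parse_kv(l) for l in flow_lines):
        ip = f["dst"].rsplit(":", 1)[0]
        if int(f["bytes_out"]) < MIN_BYTES_OUT or is_trusted(ip):
            continue
        for v in visits:
            if v["device"] == f["device"] and timedelta(0) <= f["ts"] - v["ts"] <= WINDOW:
                alerts.append((f["device"], v["visit"], ip, f["ts"].isoformat()))
                break
    return alerts


WEB_LOG = [  # constructed proxy/DNS records
    "2026-03-12T09:20:00 device=iphone-fin-04 visit=news.example.com",
    "2026-03-12T09:40:00 device=iphone-ops-12 visit=intranet.example.com",
]
FLOW_LOG = [  # constructed flow records
    "2026-03-12T09:20:03 device=iphone-fin-04 dst=192.0.2.9:443 bytes_out=1200",      # too small
    "2026-03-12T09:20:06 device=iphone-fin-04 dst=192.0.2.55:443 bytes_out=842113",   # burst, unknown IP
    "2026-03-12T09:20:07 device=iphone-fin-04 dst=17.57.144.10:443 bytes_out=910000", # allowlisted range
    "2026-03-12T09:40:02 device=iphone-ops-12 dst=198.51.100.10:443 bytes_out=500000",# app-matched
    "2026-03-12T09:45:00 device=iphone-ops-12 dst=192.0.2.77:443 bytes_out=600000",   # outside window
]
```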

The ZyberWalls Perspective

Six vulnerabilities. Four months of silent exploitation. 221 million devices still unpatched at the time of disclosure. And a tool now being sold commercially to whoever can afford it.

The phone in your pocket is the most valuable target an attacker can compromise — not because of what's on the phone itself, but because of what the phone can access. It holds your authenticator codes, your saved passwords, your session tokens for every platform you use. DarkSword doesn't just steal your messages. It steals the keys to everything you're logged into.

The patch exists. iOS 18.7.6 closes all six doors. Update your phone today — manually, not when the automatic prompt arrives. And if you work in any sector where your phone holds data that matters, turn on Lockdown Mode. It's the one control that makes this entire attack chain irrelevant.

Stay Alert. Stay Human. Stay Safe.
— ZyberWalls Research Team