
DarkSword Pulls Off the Perfect Heist on iPhone

  • Javier Conejo del Cerro
  • 10 hours ago
  • 4 min read

No alarms. No forced entry. No trace left behind. DarkSword represents a new class of mobile intrusion where the attacker doesn’t need persistence—only speed and precision. Leveraging a full exploit chain built on six vulnerabilities, including three zero-days, this kit enables complete device takeover on iPhones running iOS 18.4 to 18.7. Used by multiple threat actors, including the Russia-linked UNC6353, DarkSword blends commercial surveillance capabilities with financially motivated data theft, executing what can only be described as a near-perfect digital heist.


Phase 1: The Setup – Watering Hole Entry


The attack begins far from the device itself. Compromised websites—strategically chosen based on target geography—act as silent entry points in classic watering-hole fashion. Victims in Ukraine, Saudi Arabia, Turkey, and Malaysia are exposed simply by browsing.

Embedded within these sites is a malicious iFrame containing JavaScript designed to fingerprint visiting devices. This reconnaissance step is critical: only iPhones running specific iOS versions (18.4–18.6.2 in some campaigns, up to 18.7 in others) are selected for exploitation. This selective targeting reduces noise and increases success rates, ensuring the exploit chain is deployed only when conditions are optimal.

This phase reflects a broader trend: exploitation is no longer sprayed indiscriminately—it is filtered, precise, and context-aware.


Phase 2: Breaking In – Exploit Chain Execution


Once a suitable target is identified, the exploit chain is triggered. DarkSword combines six vulnerabilities into a seamless escalation path:

  • Remote Code Execution via JavaScriptCore (CVE-2025-31277 / CVE-2025-43529)

  • Pointer Authentication Code (PAC) bypass via dyld (CVE-2026-20700)

  • Sandbox escape via GPU process (CVE-2025-14174 / CVE-2025-43510)

  • Kernel privilege escalation (CVE-2025-43520)

Three of these were zero-days at the time of exploitation, significantly increasing the effectiveness of the attack.

The chain begins in Safari’s WebContent process and systematically dismantles iOS security boundaries. By abusing WebGPU, the attackers pivot into mediaplaybackd, a privileged system daemon, effectively gaining access to restricted areas of the file system and internal processes.

This is not a single exploit—it is a coordinated sequence engineered for reliability, demonstrating the maturity of modern exploit kits and the existence of a secondary market for high-end iOS vulnerabilities.


Phase 3: Inside the Vault – Data Extraction


With full control established, DarkSword deploys its payloads—GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER—each designed to harvest sensitive data at scale.

The scope of data exfiltration is extensive:

  • Emails and iCloud Drive files

  • Contacts, SMS messages, call history

  • Safari browsing history and cookies

  • Credentials (usernames and passwords)

  • Cryptocurrency wallet and exchange data

  • Photos and media

  • Wi-Fi configurations and passwords

  • Location history and calendar data

  • SIM and cellular information

  • Installed applications

  • Apple app data (Notes, Health)

  • Messaging data from Telegram and WhatsApp

Data is staged and exfiltrated via HTTP(S), coordinated through WebSocket-based command-and-control infrastructure retrieved from attacker-controlled endpoints.

Notably, the malware performs canvas fingerprinting and collects device metadata, including country inference based on time zone, to enrich exfiltrated intelligence.


Phase 4: The Getaway – Hit-and-Run Execution


What makes DarkSword particularly dangerous is not just its capability—but its restraint.

Unlike traditional spyware, it does not aim for long-term persistence. Instead, it executes a hit-and-run model:

  • Rapid data collection (seconds to minutes)

  • Immediate exfiltration

  • Cleanup of staged artifacts

  • Termination of activity

This significantly reduces dwell time, minimizing the window for detection and forensic analysis. The lack of heavy obfuscation in some components suggests either operational overconfidence or reliance on speed over stealth complexity.


Victims


The campaign primarily targets users in Ukraine, Saudi Arabia, Turkey, and Malaysia through compromised websites acting as watering holes. It has been attributed to multiple actors, including UNC6353—linked to Russian intelligence objectives—as well as UNC6748 and the Turkish commercial surveillance vendor PARS Defense. The reuse of the exploit kit across different actors highlights the growing accessibility of advanced mobile exploitation capabilities, potentially placing hundreds of millions of unpatched iOS devices at risk globally.


Breach Method


The attack chain is initiated when a victim visits a compromised website hosting a malicious iFrame. This iFrame executes JavaScript to fingerprint the device and determine exploit eligibility. If matched, a six-step exploit chain is triggered, leveraging vulnerabilities in JavaScriptCore, dyld, GPU processes, and the iOS kernel to achieve remote code execution, bypass security protections, escape the Safari sandbox, and escalate privileges to kernel level.

Once elevated access is achieved, the malware injects into mediaplaybackd to access restricted system resources and deploys modular payloads for large-scale data harvesting. The stolen data is exfiltrated over HTTP(S), after which the malware removes traces of its activity, completing the intrusion cycle.


Measures to Fend Off the Attack


  • Apply iOS updates immediately to patch exploited vulnerabilities

  • Monitor abnormal Safari and WebGPU activity patterns

  • Detect unusual access to system daemons like mediaplaybackd

  • Restrict exposure to potentially compromised or untrusted websites

  • Deploy Mobile Threat Defense (MTD) solutions for behavioral detection

  • Monitor network traffic for anomalous HTTP(S) exfiltration patterns

  • Enforce zero-trust principles on mobile device access to sensitive resources
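As an added defender-side example (not code from the original post or from any vendor), the following Python script applies two of the measures above to constructed proxy log lines: it checks whether a client is on an affected iOS build (18.4 through 18.7) and flags the hit-and-run shape the article describes, a WebSocket connection to a host followed within a short window by a large burst of POST uploads to that same host. The log format, hostnames, IP addresses, time window and byte threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Affected iOS builds per the article: 18.4 through 18.7 (compared on major.minor, an assumption here)
AFFECTED_MIN, AFFECTED_MAX = (18, 4), (18, 7)
UA_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")
# Constructed proxy log format: <iso-time> <client-ip> <method> <url> <bytes-out> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$')

# Constructed sample: 10.0.0.5 (iOS 18.5) bursts ~1.3 MB of POSTs to its WebSocket host within a minute; 10.0.0.9 (iOS 17.6) is out of range
SAMPLE_LOGS = """\
2026-03-20T10:00:05 10.0.0.5 GET wss://c2-example.test/ws 0 "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X)"
2026-03-20T10:00:40 10.0.0.5 POST https://c2-example.test/up 700000 "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X)"
2026-03-20T10:01:10 10.0.0.5 POST https://c2-example.test/up 600000 "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X)"
2026-03-20T10:00:05 10.0.0.9 GET wss://chat-example.test/ws 0 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X)"
2026-03-20T10:00:50 10.0.0.9 POST https://chat-example.test/up 2000000 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X)"
"""

def ios_version(ua):
    """iOS version tuple from an iPhone user agent, e.g. (18, 6, 2); None if not an iPhone."""
    m = UA_RE.search(ua)
    return tuple(int(x) for x in m.groups() if x is not None) if m else None

def in_affected_range(ver):
    return ver is not None and AFFECTED_MIN <= ver[:2] <= AFFECTED_MAX

def parse(line):
    ts, ip, method, url, nbytes, ua = LOG_RE.match(line).groups()  # assumes well-formed lines
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method, "ua": ua,
            "host": urlparse(url).hostname, "ws": url.startswith("wss://"), "bytes": int(nbytes)}

def find_suspects(log_text, window_s=300, upload_threshold=1_000_000):
    """(ip, host, bytes) for affected iPhones that POST > threshold to a host within window_s of a WebSocket to it."""
    by_ip = defaultdict(list)
    for e in map(parse, log_text.strip().splitlines()):
        by_ip[e["ip"]].append(e)
    suspects = []
    for ip, evs in by_ip.items():
        if not in_affected_range(ios_version(evs[0]["ua"])):
            continue  # outside the exploited version range; low priority for this heuristic
        for ws in (e for e in evs if e["ws"]):
            total = sum(e["bytes"] for e in evs if e["method"] == "POST" and e["host"] == ws["host"]
                        and 0 <= (e["ts"] - ws["ts"]).total_seconds() <= window_s)
            if total > upload_threshold:
                suspects.append((ip, ws["host"], total))
    return suspects
```

Tune the window and threshold to your own baseline; a large upload shortly after a new WebSocket peer is a triage signal, not proof of compromise, so pair it with MTD telemetry from the device itself.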


DarkSword is not just another exploit kit—it is a signal. A signal that high-end mobile exploitation is no longer exclusive to elite actors, but increasingly available across a fragmented ecosystem of state-linked groups, commercial vendors, and financially motivated attackers.


Its effectiveness lies not only in technical sophistication, but in operational design: precision targeting, rapid execution, and minimal footprint. The “perfect heist” is no longer a metaphor—it is an emerging standard.



The Hacker News




