Unmasking DarkSword: The Proliferation of a New iOS Full-Chain Exploit Across Global Threat Actors

The mobile threat landscape has reached a new level of sophistication with the discovery of "DarkSword," a potent iOS exploit chain capable of achieving full device compromise through a sequence of zero-day vulnerabilities. First identified by the Google Threat Intelligence Group (GTIG) and Mandiant, DarkSword represents a troubling trend in the cyber arms market: the rapid proliferation of high-end surveillance tools across disparate threat actors, ranging from commercial surveillance vendors (CSVs) to state-sponsored espionage groups.
At SecLookup, our threat research team has been actively tracking the infrastructure associated with DarkSword. Our platform successfully identified and blocked the core delivery domains—including static.cdncounter[.]net
Executive Summary
DarkSword is an iOS full-chain exploit that leverages six distinct vulnerabilities to bypass the robust security architecture of modern Apple devices. Active since at least November 2025, the exploit chain targets iOS versions 18.4 through 18.7. What makes DarkSword particularly notable is its adoption by multiple independent threat groups, including the suspected Russian espionage group UNC6353. The campaign has a global reach, with confirmed targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. Following a successful exploit, attackers deploy one of three specialized malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.
Threat Analysis: The DarkSword Lifecycle
The DarkSword exploit chain is a masterpiece of offensive engineering, designed to bypass the multiple layers of the iOS sandbox and kernel protections. Its lifecycle typically follows a "watering hole" or highly targeted phishing model.
Initial Access and Delivery
Attackers deploy DarkSword primarily through drive-by compromise (MITRE ATT&CK T1189). In several observed campaigns, legitimate websites were compromised to host malicious JavaScript. This script, often masquerading as a benign tracking or widget utility (e.g., widgets.js), performs initial environment fingerprinting to ensure the target device is a vulnerable iPhone or iPad running the targeted iOS versions (18.4–18.7).
One of the primary delivery domains identified is static.cdncounter[.]net. This domain was used to serve the initial stage of the exploit, acting as a gateway for the more complex stages of the attack.
The Exploit Chain
The DarkSword chain utilizes six vulnerabilities. While the specific CVEs vary based on the target’s patch level, the chain generally follows this sequence:
Remote Code Execution (RCE): A vulnerability in WebKit is used to gain initial execution within the browser sandbox.
Sandbox Escape: Two vulnerabilities are typically used to break out of the WebContent process.
Kernel Elevation of Privilege (EoP): Three vulnerabilities, including memory corruption bugs in the iOS kernel, are used to gain read/write primitives and eventually full kernel-level execution.
Post-Compromise: The "GHOST" Malware Families
Once the kernel is compromised, the attackers deploy a final-stage payload. DarkSword has been observed delivering three distinct malware families, likely tailored to the specific goals of the threat actor using the chain:
GHOSTBLADE: A modular implant focused on data exfiltration from third-party messaging apps (Signal, WhatsApp, Telegram).
GHOSTKNIFE: A streamlined surveillance tool optimized for persistence and credential harvesting from the iOS Keychain.
GHOSTSABER: A sophisticated backdoor with advanced capabilities for real-time location tracking and microphone/camera activation.
Actor Attribution and Proliferation
The most striking aspect of DarkSword is its widespread use. Historically, full-chain zero-day exploits were the exclusive domain of a single elite actor. However, DarkSword mirrors the "Coruna" exploit kit model, where a central developer (likely a commercial surveillance vendor) sells the exploit to multiple clients.
UNC6353, a group linked to Russian intelligence operations, has been observed integrating DarkSword into their watering hole operations targeting Ukrainian entities. Simultaneously, the same exploit chain was detected in campaigns targeting high-profile individuals in the Middle East and Southeast Asia, attributed to different, likely state-aligned, commercial entities. This "exploit-as-a-service" model significantly lowers the barrier to entry for state-sponsored espionage.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1189 | Drive-by Compromise |
| Execution | T1203 | Exploitation for Client Execution |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1211 | Exploitation for Defense Evasion |
| Discovery | T1082 | System Information Discovery |
| Exfiltration | T1646 | Exfiltration Over Client-to-Cloud Service |
SecLookup Detection
SecLookup’s proactive threat intelligence platform was actively detecting and blocking the infrastructure associated with DarkSword. The domain static.cdncounter[.]net was flagged as malicious by our scanners due to its involvement in suspicious JavaScript delivery and its connections to known exploit delivery patterns.
Indicators of Compromise (IOCs)
Malicious Domains
static.cdncounter[.]net
snapshare[.]chat
IP Addresses
62.72.21.10
72.60.98.48
File Hashes (SHA-256)
2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35
URLs
https://snapshare[.]chat/<redacted>
https://static.cdncounter[.]net/widgets.js?uhfiu27fajf2948fjfefaa42
https://static.cdncounter[.]net/assets/index.html
Email Addresses
anotherresource@frame.html
Detection Rules
YARA Rules
The following rules can be used to scan extracted payloads or memory dumps for DarkSword toolmarks. Note that the first rule requires a Mach-O magic value at offset 0, so it only fires on objects that begin with a thin Mach-O header (a fat/universal binary, whose magic is 0xcafebabe, or an arbitrary memory region will not satisfy the header check) and that contain at least two of the family names; the second rule is a plain string match for the delivery domain and will also hit on documents and logs that merely mention it.
```yara
rule iOS_DarkSword_Payload_Toolmarks {
    meta:
        description = "Detects toolmarks and malware family names associated with the DarkSword iOS exploit chain."
        threat_actor = "UNC6353"
        malware_family = "GHOSTBLADE, GHOSTKNIFE, GHOSTSABER"
    strings:
        $s1 = "DarkSword" ascii wide
        $s2 = "GHOSTBLADE" ascii wide
        $s3 = "GHOSTKNIFE" ascii wide
        $s4 = "GHOSTSABER" ascii wide
    condition:
        // Mach-O magic at offset 0: 32-bit and 64-bit, either byte order
        (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or
         uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe) and
        (2 of them)
}

rule DarkSword_Delivery_Infrastructure {
    meta:
        description = "Detects references to the DarkSword delivery domain in files or memory."
    strings:
        $url = "static.cdncounter.net" ascii wide nocase
    condition:
        $url
}
```
Recommendations
To mitigate the risk of DarkSword and similar iOS exploit chains, SecLookup recommends the following actions:
Update Immediately: Apple has released patches for the vulnerabilities leveraged by DarkSword. Ensure all iOS devices are updated to version 18.8 or higher (and ideally the latest version, 26.3, as mentioned in the findings).
Enable Lockdown Mode: For high-risk individuals (journalists, activists, government officials), Apple’s "Lockdown Mode" significantly reduces the attack surface by disabling complex web features and blocking certain message attachments that are often used in these exploit chains.
Network Monitoring: Block all traffic to the IOCs listed above. Implement DNS filtering to prevent devices from communicating with known exploit delivery domains like cdncounter[.]net.
Endpoint Security: Utilize mobile threat defense (MTD) solutions that can detect anomalous process behavior or unauthorized kernel modifications.
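As an added example that is not part of the SecLookup report and not code from GTIG or Mandiant, the following Python sweeps web-proxy log lines for the domains and IP addresses listed in the IOC section and, for each hit, notes whether the client's iOS User-Agent falls inside the 18.4 through 18.7 window the report names as targeted. The log format (`<timestamp> <client-ip> "<user-agent>" <url>` per line) and every line in `SAMPLE_LOG` are constructed for the demonstration; the client addresses are made up.

```python
"""
IOC sweep for the DarkSword delivery infrastructure listed above.

Added example; not SecLookup's, GTIG's or Mandiant's code. Assumes a simple
proxy log format of  <timestamp> <client-ip> "<user-agent>" <url>  per line;
the lines in SAMPLE_LOG are constructed for the demo, not captured traffic.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators as published in the report, kept in defanged form.
DEFANGED_DOMAINS = ["static.cdncounter[.]net", "snapshare[.]chat"]
DEFANGED_IPS = ["62.72.21.10", "72.60.98.48"]

# iOS range the report gives as targeted by the chain: 18.4 through 18.7.
VULN_MIN, VULN_MAX = (18, 4), (18, 7)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(i) for i in DEFANGED_IPS}

# Matches the "OS 18_5 like Mac OS X" token in iPhone/iPad Safari User-Agents.
_IOS_UA = re.compile(r"\bOS (\d+)_(\d+)(?:_\d+)? like Mac OS X")
# Constructed log format: ts client "ua" url
_LOG_LINE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')


def ios_version(ua: str) -> Optional[tuple]:
    """Return (major, minor) from an iOS User-Agent, or None if not iOS."""
    m = _IOS_UA.search(ua)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_vulnerable_range(ver: Optional[tuple]) -> bool:
    """True when the version lies in the report's 18.4-18.7 window (inclusive)."""
    return ver is not None and VULN_MIN <= ver <= VULN_MAX


def host_matches(host: str) -> bool:
    """True if host is an IOC IP, an IOC domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in IPS
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a line that contacted IOC infrastructure, else None."""
    m = _LOG_LINE.match(line)
    if not m:
        return None
    ts, client, ua, url = m.groups()
    host = urlsplit(url).hostname or ""
    if not host_matches(host):
        return None
    ver = ios_version(ua)
    return {"ts": ts, "client": client, "host": host,
            "ios": ver, "vulnerable_os": in_vulnerable_range(ver)}


def sweep(lines) -> list:
    """Run scan_line over an iterable of log lines and collect the findings."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample traffic (the 10.0.0.x clients are made up).
SAMPLE_LOG = [
    '2025-11-14T09:12:01Z 10.0.0.21 "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15" https://static.cdncounter.net/widgets.js?uhfiu27fajf2948fjfefaa42',
    '2025-11-14T09:12:02Z 10.0.0.21 "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15" https://static.cdncounter.net/assets/index.html',
    '2025-11-14T09:13:40Z 10.0.0.37 "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_1 like Mac OS X) AppleWebKit/605.1.15" https://example.com/news',
    '2025-11-14T09:15:05Z 10.0.0.42 "Mozilla/5.0 (iPad; CPU OS 26_3 like Mac OS X) AppleWebKit/605.1.15" http://62.72.21.10/',
    '2025-11-14T09:16:11Z 10.0.0.50 "curl/8.4.0" https://cdn.snapshare.chat/x',
]

if __name__ == "__main__":
    for finding in sweep(SAMPLE_LOG):
        flag = "VULNERABLE-OS" if finding["vulnerable_os"] else "contact-only"
        print(f'{finding["ts"]} {finding["client"]} -> {finding["host"]} [{flag}]')
```

The domain check deliberately matches subdomains, so a hit on `cdn.snapshare.chat` is reported as well; to block the parent zone the recommendation above mentions, add `cdncounter[.]net` to `DEFANGED_DOMAINS`. A contact from a client outside the 18.4 through 18.7 window is still reported (as `contact-only`), since the fingerprinting script decides on the device side and the log alone cannot prove the chain was not served.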
References
- The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors by Google Threat Intelligence Group, Mandiant