# Unmasking DarkSword: The Proliferation of a New iOS Full-Chain Exploit Across Global Threat Actors

The mobile threat landscape has reached a new level of sophistication with the discovery of "DarkSword," a potent iOS exploit chain capable of achieving full device compromise through a sequence of zero-day vulnerabilities. First identified by the Google Threat Intelligence Group (GTIG) and Mandiant, DarkSword represents a troubling trend in the cyber arms market: the rapid proliferation of high-end surveillance tools across disparate threat actors, ranging from commercial surveillance vendors (CSVs) to state-sponsored espionage groups.

At SecLookup, our threat research team has been actively tracking the infrastructure associated with DarkSword. Our platform successfully identified and blocked the core delivery domains—including `static.cdncounter[.]net`

## Executive Summary

DarkSword is an iOS full-chain exploit that leverages six distinct vulnerabilities to bypass the robust security architecture of modern Apple devices. Active since at least November 2025, the exploit chain targets iOS versions 18.4 through 18.7. What makes DarkSword particularly notable is its adoption by multiple independent threat groups, including the suspected Russian espionage group UNC6353. The campaign has a global reach, with confirmed targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. Following a successful exploit, attackers deploy one of three specialized malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

## Threat Analysis: The DarkSword Lifecycle

The DarkSword exploit chain is a masterpiece of offensive engineering, designed to bypass the multiple layers of the iOS sandbox and kernel protections. Its lifecycle typically follows a "watering hole" or highly targeted phishing model.

### Initial Access and Delivery

Attackers deploy DarkSword primarily through drive-by compromise (MITRE ATT&CK T1189). In several observed campaigns, legitimate websites were compromised to host malicious JavaScript. This script, often masquerading as a benign tracking or widget utility (e.g., `widgets.js`), performs initial environment fingerprinting to ensure the target device is a vulnerable iPhone or iPad running the targeted iOS versions (18.4–18.7).

One of the primary delivery domains identified is `static.cdncounter[.]net`. This domain was used to serve the initial stage of the exploit, acting as a gateway for the more complex stages of the attack.

### The Exploit Chain

The DarkSword chain utilizes six vulnerabilities. While the specific CVEs vary based on the target’s patch level, the chain generally follows this sequence:

1.  **Remote Code Execution (RCE):** A vulnerability in WebKit is used to gain initial execution within the browser sandbox.
    
2.  **Sandbox Escape:** Two vulnerabilities are typically used to break out of the WebContent process.
    
3.  **Kernel Elevation of Privilege (EoP):** Three vulnerabilities, including memory corruption bugs in the iOS kernel, are used to gain read/write primitives and eventually full kernel-level execution.
    

### Post-Compromise: The "GHOST" Malware Families

Once the kernel is compromised, the attackers deploy a final-stage payload. DarkSword has been observed delivering three distinct malware families, likely tailored to the specific goals of the threat actor using the chain:

*   **GHOSTBLADE:** A modular implant focused on data exfiltration from third-party messaging apps (Signal, WhatsApp, Telegram).
    
*   **GHOSTKNIFE:** A streamlined surveillance tool optimized for persistence and credential harvesting from the iOS Keychain.
    
*   **GHOSTSABER:** A sophisticated backdoor with advanced capabilities for real-time location tracking and microphone/camera activation.
    

## Actor Attribution and Proliferation

The most striking aspect of DarkSword is its widespread use. Historically, full-chain zero-day exploits were the exclusive domain of a single elite actor. However, DarkSword mirrors the "Coruna" exploit kit model, where a central developer (likely a commercial surveillance vendor) sells the exploit to multiple clients.

UNC6353, a group linked to Russian intelligence operations, has been observed integrating DarkSword into their watering hole operations targeting Ukrainian entities. Simultaneously, the same exploit chain was detected in campaigns targeting high-profile individuals in the Middle East and Southeast Asia, attributed to different, likely state-aligned, commercial entities. This "exploit-as-a-service" model significantly lowers the barrier to entry for state-sponsored espionage.

## MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| **Initial Access** | T1189 | Drive-by Compromise |
| **Execution** | T1203 | Exploitation for Client Execution |
| **Privilege Escalation** | T1068 | Exploitation for Privilege Escalation |
| **Defense Evasion** | T1211 | Exploitation for Defense Evasion |
| **Discovery** | T1082 | System Information Discovery |
| **Exfiltration** | T1646 | Exfiltration Over Client-to-Cloud Service |

## SecLookup Detection

SecLookup’s proactive threat intelligence platform was actively detecting and blocking the infrastructure associated with DarkSword. The domain `static.cdncounter[.]net` was flagged as malicious by our scanners due to its involvement in suspicious JavaScript delivery and its connections to known exploit delivery patterns.

## Indicators of Compromise (IOCs)

### Malicious Domains

```text
static.cdncounter[.]net
snapshare[.]chat
```

### IP Addresses

```text
62.72.21.10
72.60.98.48
```

### File Hashes (SHA-256)

```text
2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35
```

### URLs

```text
https://snapshare[.]chat/<redacted>
https://static.cdncounter[.]net/widgets.js?uhfiu27fajf2948fjfefaa42
https://static.cdncounter[.]net/assets/index.html
```

### Email Addresses

```text
anotherresource@frame.html
```

## Detection Rules

### YARA Rules

The following rules can be used to scan for DarkSword toolmarks in memory or extracted payloads.

```yara
rule iOS_DarkSword_Payload_Toolmarks {
    meta:
        description = "Detects toolmarks and malware family names associated with the DarkSword iOS exploit chain."
        threat_actor = "UNC6353"
        malware_family = "GHOSTBLADE, GHOSTKNIFE, GHOSTSABER"
    strings:
        $s1 = "DarkSword" ascii wide
        $s2 = "GHOSTBLADE" ascii wide
        $s3 = "GHOSTKNIFE" ascii wide
        $s4 = "GHOSTSABER" ascii wide
    condition:
        (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe) and (2 of them)
}

rule DarkSword_Delivery_Infrastructure {
    meta:
        description = "Detects references to the DarkSword delivery domain in files or memory."
    strings:
        $url = "static.cdncounter.net" ascii wide nocase
    condition:
        $url
}
```

## Recommendations

To mitigate the risk of DarkSword and similar iOS exploit chains, SecLookup recommends the following actions:

1.  **Update Immediately:** Apple has released patches for the vulnerabilities leveraged by DarkSword. Ensure all iOS devices are updated to version 18.8 or higher (and ideally the latest version, 26.3, as mentioned in the findings).
    
2.  **Enable Lockdown Mode:** For high-risk individuals (journalists, activists, government officials), Apple’s "Lockdown Mode" significantly reduces the attack surface by disabling complex web features and blocking certain message attachments that are often used in these exploit chains.
    
3.  **Network Monitoring:** Block all traffic to the IOCs listed above. Implement DNS filtering to prevent devices from communicating with known exploit delivery domains like `cdncounter[.]net`.
    
4.  **Endpoint Security:** Utilize mobile threat defense (MTD) solutions that can detect anomalous process behavior or unauthorized kernel modifications.
    

## References

*   [The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors](https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/) by Google Threat Intelligence Group, Mandiant
