- Researchers Discover DarkSword Malware Framework Targeting iPhones
- Exploits six high-severity flaws in iOS 18.4–18.7, now patched
- Used by spyware vendors and state-backed groups with variants such as GhostSaber and GhostKnife.
Security researchers discovered a new malware framework called DarkSword, capable of stealing a large amount of sensitive data from iPhone users.
Earlier this week, several security vendors, including Google, sounded the alarm about DarkSword, saying that it exploits at least six vulnerabilities and is being actively used by multiple commercial spyware makers, as well as state-sponsored hackers, in in-the-wild attacks.
Some of these flaws are zero-days, meaning they were being exploited before Apple, or anyone else in the cybersecurity community, knew about them. They affect iOS versions 18.4 to 18.7 and have since been patched. So, make sure you have updated your iPhone to the latest version.
Commercial Malware Abuse
The abused vulnerabilities are the following:
- CVE-2025-31277 (8.8/10 – high)
- CVE-2025-43529 (8.8/10 – high)
- CVE-2026-20700 (7.8/10 – high)
- CVE-2025-14174 (8.8/10 – high)
- CVE-2025-43510 (7.8/10 – high)
- CVE-2025-43520 (7.1/10 – high)
Google, as well as other security teams including Lookout and iVerify, say DarkSword has been in active use since at least November 2025, by multiple commercial malware vendors as well as state-sponsored groups. For example, Google says a Turkish company called PARS Defense was using it to attack both Turkish and Malaysian victims.
The company also mentions UNC6353, allegedly a Russian state-sponsored actor, using DarkSword against Ukrainian targets. Finally, there is a group tracked as UNC6748 that has been using a Snapchat-themed website to target people in Saudi Arabia.
However, the framework itself does not include malware. Each group was said to be using a different variant in its attacks, with PARS using GhostSaber to enumerate accounts and files, exfiltrate data, and execute JavaScript remotely.
UNC6748, on the other hand, uses GhostKnife, a JavaScript-based backdoor capable of stealing data such as logged-in accounts, messages, browser data, location history, and recordings.
Through The Registry




