DarkSword iOS Exploit Chain: GTIG Links Multiple State Actors to Sophisticated Zero-Day Attack Platform
Google Threat Intelligence Group (GTIG) has identified a highly sophisticated iOS full-chain exploit, internally designated DarkSword, that leverages multiple zero-day vulnerabilities to achieve complete device compromise. The exploit chain, assessed with high confidence as government-designed based on toolmarks in recovered payloads, specifically targets iOS versions 18.4 through 18.7 and uses six distinct vulnerabilities to deploy final-stage malware. GTIG has observed DarkSword in active deployment since at least November 2025, marking one of the most technically advanced mobile exploitation frameworks documented in recent years.
The investigation revealed that DarkSword has proliferated across multiple distinct threat actor categories, including commercial surveillance vendors and suspected state-sponsored groups conducting separate campaigns. These actors have deployed the exploit chain against targeted individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine. Following successful DarkSword compromises, GTIG identified three distinct malware families delivered as final-stage payloads: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The simultaneous availability of this single exploit chain across disparate threat actors—mirroring patterns previously seen with other government-grade surveillance tools—signals significant proliferation risk for high-value mobile targets globally.
The DarkSword development raises urgent questions about the current defensive posture of even fully patched iOS devices and the commercialized market for government-level mobile exploits. Organizations with personnel operating in the targeted regions, particularly those at elevated risk of nation-state interest, should immediately reassess mobile device security assumptions. GTIG's findings suggest that the boundary between state-sponsored offensive capabilities and commercially available surveillance tools has further blurred, with potential implications for journalists, activists, diplomats, and executives who rely on iOS devices in sensitive operational environments.