
Threat Actor Characterization

DarkSword

ID: 61a26aa8c3fc9ba021d8ac98c657382e59421
Categories: Crimeware, Spyware/Stealer
Threat types: Spyware, iOS Exploit
Origin: Unknown. Country codes: MYS, SAU, TUR, UKR
Updated: 2026-03-23
Created: 2026-03-22
Operation zone: Malaysia, Saudi Arabia, Turkey, Ukraine
Aliases: DarkSword Exploit, DarkSword iOS Exploit, Da*********************** (third alias masked in the free preview)
MITRE ATT&CK®

DarkSword is a multi-actor iOS full-chain exploit and spyware-delivery toolkit observed since at least November 2025. Public reporting ties its use to UNC6748, UNC6353, and PARS Defense-associated operations, with different final-stage payloads including GHOSTKNIFE, GHOSTBLADE, and GHOSTSABER. It has been used in lure-driven and watering-hole campaigns against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.


Technique | Technique name | Tactics | Evidence
T1189 | Drive-by Compromise | TA0001
  • 2025-11-01 — GTIG observed UNC6748 leveraging a Snapchat-themed website, snapshare[.]chat, to target Saudi Arabian users, consistent with drive-by / malicious website compromise delivery.
  • 2026-03-18 — iVerify recovered DarkSword from compromised legitimate Ukrainian websites hosting a malicious iframe serving the exploit chain, consistent with watering-hole style drive-by compromise.
T1059.007 | JavaScript | TA0002
  • 2026-03-18 — GTIG reported that DarkSword uses pure JavaScript for all exploit stages and final payloads.
  • 2026-03-18 — iVerify described a complete exploit kit composed of JavaScript stages, including Safari exploit, sandbox escape, privilege escalation, and in-memory implants.
T1105 | Ingress Tool Transfer | TA0011
  • 2025-11-01 — GTIG showed DarkSword loader logic fetching additional stages such as frame.html, rce_loader.js, and version-specific workers from remote infrastructure.
T1068 | Exploitation for Privilege Escalation | TA0004
  • 2026-03-18 — GTIG documented six vulnerabilities used to fully compromise a vulnerable iOS device and run a final payload with full kernel privileges.
  • 2026-03-18 — iVerify described sandbox escape, privilege escalation, and kernel-level compromise in the recovered chain.
T1055 | Process Injection | TA0004, TA0005
  • 2026-03-18 — INFERENCE (confidence: medium): iVerify reported injected in-memory JavaScript implants across several iOS system processes to extract sensitive data, which conceptually aligns with process injection even if the implementation is non-traditional.
T1005 | Data from Local System | TA0009
  • 2025-11-01 — GTIG reported GHOSTKNIFE modules for exfiltrating signed-in accounts, messages, browser data, location history, and recordings from the compromised device.
  • 2026-03-18 — GTIG reported GHOSTBLADE as a dataminer collecting and exfiltrating a wide variety of data from compromised devices.
T1119 | Automated Collection | TA0009
  • 2025-11-01 — GTIG described GHOSTSABER and GHOSTKNIFE capabilities including device and account enumeration, file listing, data exfiltration, and arbitrary JavaScript execution.
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2025-11-01 — GTIG reported GHOSTKNIFE communicating with its C2 over HTTP using a custom encrypted binary protocol, and GHOSTSABER / GHOSTBLADE over HTTP(S).
T1071.001 | Web Protocols | TA0011
  • 2025-11-01 — GTIG reported GHOSTSABER communicating with its C2 server over HTTP(S), consistent with web-protocol application-layer communications.
T1070.004 | File Deletion | TA0005
  • 2025-11-01 — GTIG noted code in GHOSTKNIFE and GHOSTBLADE intended to delete crash reports, consistent with file-deletion anti-forensics.
Strategic Intelligence
Last updated: 2026-03-23T02:59:46+00:00

DarkSword — Multi-Actor iOS Exploit Chain / Spyware Delivery Toolkit

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

Category: Mobile spyware / exploit toolkit
Origin: Not attributed to a single country; observed in operations linked to Russia-aligned espionage activity, a Turkish commercial surveillance vendor, and a separate threat cluster.

Author: iQBlack CTI Team


Executive Summary

DarkSword is best assessed as a shared iOS exploitation and spyware-delivery framework rather than a single standalone malware family. Public reporting by Google Threat Intelligence Group (GTIG), iVerify, Reuters, and related coverage indicates that the toolkit has been used by multiple operators since at least November 2025 against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The observed post-exploitation payloads differ by operator and include GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE.


Technically, DarkSword is significant because it represents a full-chain iOS compromise path that uses six vulnerabilities across WebKit / JavaScriptCore, dyld, ANGLE, and the iOS kernel to reach full device compromise on supported versions. GTIG assessed that DarkSword supports iOS 18.4 through 18.7, while iVerify’s recovered Ukrainian watering-hole chain specifically targeted iOS 18.4 through 18.6.2. In both cases, the exploitation pattern is web-delivered and does not require a traditional app installation.
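As an added hunting example (written for this profile, not code from the profile, GTIG or iVerify), the following Python check looks for two of the observations above on the defender's side: web-server requests for the loader stage filenames GTIG named (frame.html, rce_loader.js) from Safari clients in the affected iOS 18.4 to 18.7 range, and off-site iframes injected into a legitimate site's pages, the pattern iVerify found on the compromised Ukrainian sites. The combined-log format, the sample lines and the host stage-host.invalid are constructed assumptions; since operators can rename stages, the filename list is one signal to combine with others, not a complete detection.

```python
import re
from urllib.parse import urlparse
from html.parser import HTMLParser

# Stage filenames from the GTIG loader analysis above, and GTIG's affected range (18.4 to 18.7) as (major, minor).
STAGE_NAMES = {"frame.html", "rce_loader.js"}
MIN_IOS, MAX_IOS = (18, 4), (18, 7)
UA_IOS_RE = re.compile(r"iPhone OS (\d+)_(\d+)")
# Combined log format: client ... "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def ios_version(user_agent):  # (major, minor) from an iOS Safari user agent, else None
    m = UA_IOS_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None

def suspicious_requests(log_lines):
    """Flag requests for known stage filenames from clients in the affected iOS range."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        client, path, ua = m.groups()
        name = urlparse(path).path.rsplit("/", 1)[-1]  # drop directories and query string
        ver = ios_version(ua)
        if name in STAGE_NAMES and ver is not None and MIN_IOS <= ver <= MAX_IOS:
            hits.append((client, name, ver))
    return hits

class _IframeFinder(HTMLParser):
    # Collects iframe src values whose host differs from the site being checked.
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.offsite = site_host, []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname
        if tag == "iframe" and host and host != self.site_host:
            self.offsite.append(src)
def offsite_iframes(html, site_host):
    p = _IframeFinder(site_host)
    p.feed(html)
    return p.offsite
# Constructed sample data (not real telemetry); stage-host.invalid is a placeholder host.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2026:10:00:00 +0000] "GET /s/frame.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"',
    '203.0.113.6 - - [18/Mar/2026:10:00:01 +0000] "GET /s/rce_loader.js?v=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"',
    '203.0.113.7 - - [18/Mar/2026:10:00:02 +0000] "GET /s/frame.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"',
]
SAMPLE_HTML = '<html><body><p>news</p><iframe src="https://stage-host.invalid/s/frame.html" style="display:none"></iframe><iframe src="/embed/local"></iframe></body></html>'
```

Running suspicious_requests(SAMPLE_LOG) flags the two in-range iOS clients and ignores the iOS 17.6 request; offsite_iframes(SAMPLE_HTML, "news.example") returns only the hidden off-site iframe.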

OSINT Library — DarkSword

2026-03-18 — Google Threat Intelligence Group — “The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors”