
DarkSword Exploit Kit Targets iPhones with Multi-Stage Malware Chain

Take action: Update your iPhone to the latest iOS version ASAP. You are being targeted by criminals via compromised websites, so if your phone isn't patched, just visiting a website may compromise it. Avoid clicking links from unknown sources.

Google, iVerify, and Lookout report a new iOS exploit kit named DarkSword, active since November 2025.

The kit targets iPhones running iOS 18.4 through 18.7 and installs data-stealing backdoors. Multiple threat actors, including nation-state groups and commercial spyware vendors, use it in malicious campaigns to gain access to victims' iPhones for espionage and financial theft.

The exploited flaws are:

  • CVE-2025-31277 - A remote code execution vulnerability that allows attackers to gain initial access when a user visits a malicious website. By exploiting this flaw, attackers obtain arbitrary memory read and write capabilities to start the infection chain. This initial foothold allows the kit to begin breaking system protections.
  • CVE-2025-43529 - A use-after-free vulnerability in the WebKit engine that allows remote code execution through crafted web content. Attackers use this to establish a foothold in the WebContent process before moving deeper into the system. This bypasses initial browser security to allow further exploitation of internal components.
  • CVE-2026-20700 - A mitigation bypass vulnerability that targets Trusted Path Read-Only (TPRO) and Pointer Authentication Codes (PAC). This allows attackers to bypass SPRR and JIT Cage protections by manipulating thread states, allowing arbitrary code execution within the browser's process. This defeats hardware-level security features designed to prevent unauthorized code execution.
  • CVE-2025-14174 (CVSS score 8.8) - An out-of-bounds write vulnerability in the GPU process's ANGLE library. Attackers chain this with PAC bypasses to escape the browser sandbox and gain function call primitives within the GPU process. This allows the attacker to move from the restricted browser environment to more privileged system processes.
  • CVE-2025-43510 - A Copy-On-Write vulnerability in the AppleM2ScalerCSCDriver driver within the XNU kernel. This flaw is used to gain control over the mediaplaybackd daemon via exposed XPC interfaces by triggering a memory handling error. This provides a path to escalate privileges from the sandbox to the system kernel.
  • CVE-2025-43520 - A kernel privilege escalation vulnerability that allows attackers to inject JavaScript implants into system processes. This final step provides the high-level access needed to steal sensitive user data by running code with kernel-level authority.

The attack chain requires a user to visit a malicious website, often delivered through targeted watering hole attacks. In a watering hole attack, the attacker compromises a website that the target group visits frequently and injects it with malicious code, so that users are infected simply by visiting a site they already trust. Because the site is familiar, the attack is difficult for users to notice.

Once the initial remote code execution occurs, the exploit kit systematically breaks iOS security layers, including the sandbox and kernel protections. The malware targets personal and financial information. The following data items are commonly stolen:

  • Private messages and chat logs from messaging applications
  • Real-time audio recordings and microphone captures
  • Detailed location history and GPS coordinates
  • Credentials for signed-in accounts and browser cookies
  • Cryptocurrency wallet data and financial information
  • Photos, metadata, and device screenshots

Apple has released security updates to fix all six vulnerabilities used by the DarkSword kit. Users should immediately update their devices to the latest version of iOS to close these security gaps. Organizations should monitor for suspicious network traffic to known malicious domains like snapshare[.]chat. Because these exploits are used for espionage and financial gain, keeping software up to date is the most effective defense.
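The monitoring advice above can be turned into a simple defensive check: refang the published indicator, match it against destination hosts in proxy or DNS logs (including subdomains, but not lookalike suffixes), and cross-reference the client's iOS version from its Safari user agent against the 18.4 through 18.7 range the advisory names. The following is an added example, not code from the advisory or from Google, iVerify or Lookout; the log format and the sample log lines are constructed, and only the domain snapshare[.]chat and the affected version range come from the text above.

```python
"""Scan proxy log lines for the indicators this advisory describes.

Added example, not code from the advisory or from Google, iVerify or
Lookout. Assumptions: the log format (timestamp, client IP, destination
host, user agent, space-separated) and the sample lines below are
constructed. The defanged domain snapshare[.]chat and the affected iOS
range 18.4 through 18.7 are taken from the advisory text.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator exactly as published (defanged); refang before matching.
DEFANGED_IOCS = ["snapshare[.]chat"]

# Targeted iOS versions per the advisory (inclusive, major.minor).
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)

# Constructed sample log: "<timestamp> <client-ip> <dest-host> <user-agent>".
SAMPLE_LOG = """\
2025-12-01T09:14:02Z 10.0.4.21 www.example.org Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1
2025-12-01T09:14:05Z 10.0.4.21 cdn.snapshare.chat Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1
2025-12-01T09:15:11Z 10.0.4.33 www.example.org Mozilla/5.0 (iPhone; CPU iPhone OS 18_3 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1
2025-12-01T09:16:40Z 10.0.4.40 notsnapshare.chat Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/131.0 Safari/537.36
2025-12-01T09:17:02Z 10.0.4.51 snapshare.chat Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/131.0 Safari/537.36
2025-12-01T09:18:20Z 10.0.4.60 www.example.org Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1
"""

IOS_UA_RE = re.compile(r"iPhone OS (\d+)_(\d+)")  # matches "iPhone OS 18_5"; patch level ignored


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'snapshare[.]chat' back into a hostname."""
    return ioc.lower().replace("[.]", ".").replace("(.)", ".")


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the IoC domain itself or any subdomain of it; a lookalike
    suffix such as notsnapshare.chat must not match."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def ios_version(user_agent: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from an iOS Safari user agent, or None if not iOS."""
    m = IOS_UA_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_affected_range(version: Tuple[int, int]) -> bool:
    """Inclusive comparison against the range the advisory names."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(ioc_contact: bool, affected_ios: bool) -> Optional[str]:
    """Severity: contact from a device in the targeted range is triaged first."""
    if ioc_contact and affected_ios:
        return "critical"   # iPhone in the targeted range reached a known DarkSword domain
    if ioc_contact:
        return "high"       # contact from a device outside the targeted range
    if affected_ios:
        return "info"       # no contact seen, but the device still needs the iOS update
    return None


@dataclass
class Finding:
    timestamp: str
    client: str
    host: str
    severity: str
    ios: Optional[Tuple[int, int]]


def scan(log_text: str) -> List[Finding]:
    """Run both checks over every well-formed log line and return the findings."""
    ioc_domains = [refang(i) for i in DEFANGED_IOCS]
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # malformed line; a real pipeline would count these
        ts, client, host, ua = parts
        contact = any(host_matches(host, d) for d in ioc_domains)
        version = ios_version(ua)
        affected = version is not None and in_affected_range(version)
        severity = classify(contact, affected)
        if severity:
            findings.append(Finding(ts, client, host, severity, version))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        ios = f"iOS {f.ios[0]}.{f.ios[1]}" if f.ios else "non-iOS"
        print(f"[{f.severity:8}] {f.timestamp} {f.client} -> {f.host} ({ios})")
```

On the constructed sample, the 18.5 device that reached cdn.snapshare.chat is reported as critical, the Windows client that reached snapshare.chat as high, and the two iPhones in the targeted range with no contact as informational patch-inventory items; the 18.3 device and the lookalike host notsnapshare.chat produce nothing. The subdomain-aware match and the inclusive version comparison are the two details that are easy to get wrong when this is written as a quick grep.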