DarkSword: Pure-JavaScript iOS 18 Watering-Hole Full Chain Used by Multiple Actors
AK
Alex Kim Threat intelligence editor · Updated Jul 15, 2026, 5:36 PM EDT
DarkSword: Pure-JavaScript iOS 18 Watering-Hole Full Chain Used by Multiple Actors
DarkSword: Pure-JavaScript iOS 18 Watering-Hole Full Chain Used by Multiple Actors
A sophisticated pure-JavaScript exploit kit known as DarkSword has been used since at least November 2025 to fully compromise iPhones running iOS 18.4 through 18.7 after a victim simply visits a compromised legitimate website or decoy page. Coordinated disclosures in mid-March 2026 by multiple security research teams confirmed that the kit chains six vulnerabilities—several of them zero-days at first use—to move from Safari remote code execution through sandbox escape, integrity bypasses and kernel read/write, then stage and exfiltrate sensitive data within minutes before cleaning up and exiting. This is a silent one-click Safari watering-hole chain, not an iMessage-style zero-click. Unlike long-dwelling binary spyware families, DarkSword leaves no persistent implant; a reboot clears the observed chain. Multiple independent operators have reused the same modular toolkit against targets in Ukraine, Saudi Arabia, Turkey and Malaysia, combining espionage collection with theft of cryptocurrency wallets and exchange sessions.
Apple progressively patched the flaws from late 2025 into early 2026, culminating in broader fixes on the iOS 18 branch and iOS 26.3. Residual devices still running vulnerable 18.x builds remained numerous at disclosure, creating a critical window for fleet inventory, forced updates and Lockdown Mode enforcement.
Discovery Timeline
Researchers first observed DarkSword activity in early November 2025. One cluster used a Snapchat-themed decoy site to target Saudi users, iterating remote-code-execution workers for successive iOS 18.4, 18.6 and 18.7 builds. Shortly afterward, a Turkish commercial surveillance vendor reused the same kit against targets in Turkey and Malaysia. A suspected Russian-linked cluster previously associated with the earlier Coruna kit continued watering-hole campaigns on compromised Ukrainian news and government sites, swapping in DarkSword for newer iOS versions. Exploit assets recovered from Estonia-hosted static infrastructure carried last-modified timestamps around December 2025 and, in at least one campaign, geo-restricted full delivery to Ukrainian IP addresses.
Bugs were reported to Apple in late 2025. Key patches landed across iOS 18.6, 18.7.2, 18.7.3 and iOS 26.1–26.3, with later expansion of 18.x security updates including 18.7.7-class backports. Public technical write-ups and joint industry disclosure followed on 18–19 March 2026. The name derives from an internal implant string used during Wi-Fi password extraction: “DarkSword-WIFI-DUMP.” Coruna targeted earlier iOS brackets with a related watering-hole pattern; DarkSword is the next-generation modular kit built for the 18.x generation.
How the Infection Chain Works
Delivery is classic watering-hole or decoy-site: a compromised legitimate page (or actor-controlled lookalike) injects an invisible or sandboxed iframe that loads widget.js then rce_loader.js. The loader fingerprints the device—touch capability, iPhone model, iOS version string—and stores a sessionStorage uid to avoid re-infection. If Chrome is detected, some campaigns force a handoff into Safari via the x-safari-https:// protocol handler. Version-specific workers (rce_worker_18.4.js, rce_worker_18.6.js, rce_worker_18.7.js) plus shared-cache offset modules for models from Xs through 16 are then fetched.
B
rce_loader.js fingerprint
JSC RCE worker
Sandbox escape via WebGPU/ANGLE
mediaplaybackd
pe_main.js kernel LPE
JS inject into daemons
Stage data + exfil
Cleanup / exit
Compromised or decoy site] --> B[Hidden iframe / widget.js
Stage 1 achieves JavaScriptCore remote code execution through JIT/DFG-class memory corruption, building classic address-of / fake-object primitives. Stage 2 abuses WebGPU and the ANGLE graphics stack to escape the tight WebContent sandbox into the looser mediaplaybackd process. Stage 3 lands reliable code execution inside that media daemon. Stage 4 bypasses Pointer Authentication Codes and Trusted Page Reference Owner protections inside dyld, enabling reliable user-mode integrity defeat. Stage 5 corrupts kernel memory management paths to obtain arbitrary kernel read/write. Stage 6—the post-exploitation orchestrator pe_main.js—force-loads JavaScriptCore plus custom payloads into privileged services such as configd, wifid, securityd, UserEventAgent and SpringBoard. Data is staged under short-lived /tmp/<uuid>.<digits>/ directories, packaged, and exfiltrated over HTTP(S) with custom cryptography observed in some families. Staged files are deleted and the process exits. No Mach-O implant and no reboot persistence were recovered.
The pure-JavaScript design is deliberate. It avoids the need for native executable pages under PPL/SPTM constraints, keeps the kit modular and maintainable, and lowers the barrier for customers who later reuse it.
Vulnerabilities Abused
CVE
Subsystem
Role
Type
Reported patch band
CVE-2025-31277
JavaScriptCore
Initial RCE
Memory corruption
~iOS 18.6
CVE-2025-43529
JavaScriptCore
Later RCE path
Use-after-free / JIT
~18.7.3 / 26.2
CVE-2025-14174
ANGLE (GPU/WebGL)
Sandbox escape helper
Memory corruption
~18.7.3 / 26.2
CVE-2026-20700
dyld
PAC / TPRO bypass
Integrity bypass
~26.3 (later 18.x backports)
CVE-2025-43510
XNU kernel
Privilege escalation
Memory management / CoW
~18.7.2 / 26.1
CVE-2025-43520
XNU kernel
Privilege escalation
Memory corruption
~18.7.2 / 26.1
Several stages were zero-days when first fielded. Reliability is sensitive to GPU process load. Shared-cache offsets are model- and minor-version specific. Loader logic bugs—serving the wrong worker for a given version—were observed. Early delivery scripts on some sites contained Russian comments; core exploit and implant stages used English.
Attribution and Victim Profiles
DarkSword is not the product of a single “DarkSword APT.” It is a proliferating full-chain kit reused by multiple customers:
UNC6353 — suspected Russian espionage cluster previously seen with Coruna. Compromised Ukrainian news and .gov.ua sites; dual collection of intelligence data and cryptocurrency assets; payload tracked as GHOSTBLADE (bulk miner).
UNC6748 — unattributed state or state-adjacent cluster. Snapchat-themed decoys aimed at Saudi users; richer modular backdoor GHOSTKNIFE with anti-debug iterations.
PARS Defense — Turkish commercial surveillance vendor. Deployments observed against targets in Turkey and Malaysia.
Additional commercial or state customers are assessed as likely. Victim geography spans Ukraine, Saudi Arabia, Turkey and Malaysia. Profiles are broader than classic diplomat/journalist lists: mass watering holes plus explicit crypto modules expand the set to high-value mobile users, executives and anyone holding exchange sessions or wallet apps on-device.
Post-Compromise Capabilities and Exfiltration
Once kernel access is obtained, pe_main.js orchestrates modules that inject JavaScript into system daemons. Common capabilities include:
Device, SIM, Wi-Fi configuration and password extraction
SMS/iMessage, call history, contacts, Safari cookies/history and keychain-accessible material
Location history, Notes, Calendar, Health, Photos, iCloud Drive, email, Telegram and WhatsApp data
Installed app lists and targeted crypto exchange/wallet apps (Coinbase, Binance, Kraken, MetaMask, Ledger, Trezor and others)
Screenshots and microphone capture (stronger in GHOSTKNIFE); CrashReporter scrubbing to hinder forensics
Exfiltration is hit-and-run: stage → package → HTTP(S) C2 (ECDH+AES reported for GHOSTKNIFE) → delete staging directories → exit. Dwell time is measured in seconds to minutes. The design optimizes for stealth rather than long-term command-and-control.
Indicators of Compromise and Forensics
Network indicators observed in public reports (incomplete and subject to rotation) include delivery infrastructure such as static.cdncounter[.]net / cdncounter[.]net, the Snapchat decoy snapshare[.]chat, and C2 examples such as sqwas.shapelie[.]com. Characteristic filenames include rce_loader.js, rce_worker_18.*.js, rce_module*.js, sbx0_main_*.js, sbx1_main.js, pe_main.js and widgets.js.
On-device artifacts are intentionally transient. Useful signals include unified logs or sysdiagnose showing WebKit / GPU / mediaplaybackd crashes around a suspicious visit; anomalous JavaScriptCore loading into system daemons; CrashReporter absences or leftover mediaplaybackd / WebKit / SpringBoard artifacts; short-lived /tmp/<uuid>.<digits>/STORAGE|DATA|TMP directories; and Safari history of compromised regional domains. Enterprise telemetry can surface MDM OS-version non-compliance and proxy hits to known delivery CDNs. Pure in-memory JavaScript with aggressive cleanup remains a classic blind spot for stock iOS endpoint detection.
Immediate Mitigations and Response Playbook
Force fleet update to the latest available build: prefer iOS 26.3 or newer; on the 18.x branch ensure at least 18.7.3, with later 18.7.7-class backports applied where available. Inventory every device still on 18.4–18.7.2 or early 26.x and treat them as high risk until patched.
Enable Lockdown Mode for journalists, executives, diplomats, activists, lawyers and crypto holders. It materially shrinks the WebKit attack surface exploited by this class of chain.
Keep Background Security Improvements and Rapid Security Responses enabled; block known delivery domains at DNS and proxy layers.
Move large cryptocurrency holdings to cold storage; never keep seed phrases or long-lived exchange sessions solely on the phone.
If compromise is suspected: place the device in airplane mode, perform a full power cycle, collect sysdiagnose + unified logs + encrypted backup if forensics matter, then update the OS before re-authenticating high-value accounts. Rotate passwords and session tokens; revoke sessions for mail, iCloud, messaging and exchanges; review crypto activity for unauthorized transfers. Assume message content and location history may already have been read.
Third-party browsers on iOS still rely on WebKit outside limited regional exceptions, so engine bugs remain relevant. “I only visit trusted sites” is insufficient: watering holes compromise legitimate pages.
Implications for the iOS Security Model
DarkSword demonstrates that mercenary full-chains are proliferating faster than single-actor exclusivity. The same modular pure-JavaScript kit has been fielded by suspected state actors, commercial surveillance vendors and dual-motive operators within months of one another. Hit-and-run design changes forensic expectations relative to classic long-dwell implants. Apple’s major version jump from 18 to 26 has left a large residual 18.x population; disciplined backports and enterprise OS inventory are now first-class requirements.
For security engineers and CISOs the mental model is simple: Safari visit → six-bug pure-JS chain → minutes of privileged data theft → gone. Patch inventory, Lockdown Mode policy for high-risk users, network blocking of known delivery infrastructure, and crypto hygiene remain the highest-leverage controls while residual vulnerable devices persist.