"DarkSword" Exploit Kit


Lookout Coverage and Recommendation for Admins
Lookout administrators should take the following actions to reduce risk from DarkSword and similar zero-click exploitation campaigns targeting vulnerable iOS devices:
- Enforce Minimum OS Versions: Prioritize remediation for devices running iOS 18.4–18.7, and apply compliance policies to restrict access from devices that are not fully updated.
- Enable Phishing & Content Protection (PCP): Ensure PCP is enabled across all managed devices to help detect and block access to malicious or suspicious URLs, including compromised legitimate websites used in watering hole attacks.
- Monitor and Remediate High-Risk Devices: Review Lookout alerts for suspicious web activity or exploit indicators, and isolate devices that show signs of compromise until they are updated or remediated.
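The minimum-OS recommendation above is easiest to act on as an inventory triage step. The following is an added example, not Lookout tooling or code from the advisory: it parses iOS version strings from an assumed MDM export (a list of dicts with `device_id` and `os_version`), flags devices inside the 18.4–18.7 range the advisory names, and treats rows with missing or garbled versions as non-compliant rather than silently passing them. `MIN_SAFE_VERSION` is an operator-supplied placeholder; the advisory does not state the patched build number.

```python
"""Triage an iOS device inventory against the DarkSword-affected range (iOS 18.4 through 18.7)."""

AFFECTED_LOW = (18, 4)    # advisory: iOS 18.4 through 18.7 are exposed if not updated
AFFECTED_HIGH = (18, 7)
MIN_SAFE_VERSION = "18.7.99"  # PLACEHOLDER (assumption): set to the patched build from Apple's advisory


def parse_version(text):
    """'18.7.2' -> (18, 7, 2). Raises ValueError on junk so a bad row is never trusted."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    return tuple(int(p) for p in parts)


def in_affected_range(version):
    """True when major.minor falls in 18.4..18.7 inclusive; the patch component is ignored here."""
    return AFFECTED_LOW <= parse_version(version)[:2] <= AFFECTED_HIGH


def is_exposed(version, min_safe=MIN_SAFE_VERSION):
    """Exposed = inside the affected range AND below the operator-supplied patched build."""
    return in_affected_range(version) and parse_version(version) < parse_version(min_safe)


def triage(inventory, min_safe=MIN_SAFE_VERSION):
    """Bucket device ids into 'exposed', 'ok' and 'unknown' for a compliance policy."""
    buckets = {"exposed": [], "ok": [], "unknown": []}
    for device in inventory:
        try:
            bucket = "exposed" if is_exposed(device["os_version"], min_safe) else "ok"
        except (ValueError, KeyError):
            bucket = "unknown"  # missing/garbled version: hold as non-compliant until verified
        buckets[bucket].append(device.get("device_id", "<no id>"))
    return buckets


# Constructed sample inventory (not real devices, not data from the advisory)
SAMPLE_INVENTORY = [
    {"device_id": "ios-001", "os_version": "18.6.2"},   # in range, below patched build
    {"device_id": "ios-002", "os_version": "18.3.1"},   # below the range the advisory names
    {"device_id": "ios-003", "os_version": "19.0"},     # above the range
    {"device_id": "ios-004", "os_version": "18.7.99"},  # equals the placeholder patched build
    {"device_id": "ios-005", "os_version": "unknown"},  # garbled inventory row
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Devices in the `unknown` bucket should be re-enrolled or re-inventoried before they are allowed back, since an empty version field is exactly what a fileless, self-deleting chain leaves no other trace of.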
Overview
Google’s Threat Intelligence Group (TAG) and Lookout researchers have disclosed a highly sophisticated zero-click mobile exploit kit known as DarkSword, discovered in March 2026. Primarily targeting iPhones, this threat marks a notable shift in the mobile threat landscape—from traditional, long-term state-sponsored surveillance campaigns to faster, “hit-and-run” operations focused on financial theft and rapid data exfiltration.
DarkSword targets vulnerable iOS devices through watering hole attacks conducted on compromised legitimate websites. When a user visits an affected site, the DarkSword delivery framework exploits a chain of six vulnerabilities—tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520—to gain kernel-level access without requiring user interaction.
Notably, DarkSword operates as a fileless exploit, executing entirely in memory to evade detection and forensic analysis, and self-deleting once attack objectives are complete. This design makes the threat particularly difficult to detect using traditional security controls.
These vulnerabilities allow attackers to escape application sandboxes, escalate privileges, and achieve remote code execution on unpatched devices. Apple has addressed these flaws in recent iOS security updates. At present, exposure is limited to devices running iOS 18.4 through 18.7 that have not yet been updated to the latest available version.
The "Links" in the Chain
If successfully exploited, DarkSword enables attackers to progress from a simple website visit to full device compromise through the following sequence:
- Initial Access: The victim visits a compromised legitimate website that delivers the exploit chain to vulnerable devices.
- Code Execution: A browser vulnerability is triggered to gain initial execution within the web context.
- Sandbox Escape: Additional vulnerabilities allow the attacker to bypass browser isolation controls.
- Privilege Escalation: The attacker elevates privileges to gain deeper system-level access.
- Kernel Compromise: Kernel-level execution provides near-total control of the device.
- Data Theft and Cleanup: Fileless payloads execute in memory to access sensitive data and then self-delete to evade detection.
On March 20, 2026, CISA added three of the six DarkSword vulnerabilities (CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520) to its catalog of Known Exploited Vulnerabilities (KEV), requiring Federal Civilian Executive Branch (FCEB) agencies to remediate affected systems by April 3, 2026. While this mandate applies specifically to federal agencies, enterprise organizations are strongly encouraged to follow a similar remediation timeline.
Lookout Analysis
Lookout identified infrastructure associated with DarkSword during investigations into activity related to the Coruna campaign. Based on observed infrastructure overlap and targeting patterns, Lookout assesses with high confidence that DarkSword activity is associated with Russian-aligned cyber-espionage operations and financially motivated threat activity.
More broadly, DarkSword reflects the continued proliferation of advanced mobile exploitation capabilities, where techniques historically associated with highly targeted Advanced Persistent Threat (APT) operations are spread through broker networks to cybercriminals and hacking groups, increasingly appearing in scalable delivery models such as watering hole attacks. This evolution lowers the barrier to entry for high-impact mobile attacks and expands the potential victim pool beyond traditionally targeted individuals to a wider population of vulnerable devices.