Zero‑Day iOS Exploit Chain “DarkSword” Enables Drive‑by Malware Infection on Unpatched iPhones
What Happened – Google researchers disclosed a six‑vulnerability iOS exploit chain, DarkSword, that has been weaponised since late 2025. It targets iOS 18.4‑18.7 devices; a single visit to a malicious or compromised website can deliver a payload such as the Ghostblade data‑stealer.
Why It Matters for TPRM –
- Unpatched iPhones used by employees become a direct entry point for credential and crypto‑asset theft.
- The chain is leveraged by both commercial spyware firms and state‑backed actors, expanding the threat surface across multiple jurisdictions.
- Ghostblade wipes its traces after exfiltration, making detection and incident response difficult for third‑party risk teams.
Who Is Affected – Any organization whose workforce uses iOS 18.4‑18.7 devices, especially those handling sensitive communications, health data, or cryptocurrency‑related assets (e.g., finance, tech, media, government).
Recommended Actions –
- Verify that all iOS devices are running the latest OS version (≥ iOS 18.8) or have the relevant security patches applied; treat any device still reporting iOS 18.4‑18.7 as exposed and have MDM enforce an update or quarantine it until it complies.
- Enforce web‑filtering and URL‑reputation controls to block known malicious domains.
- Deploy mobile endpoint detection and response (mobile EDR / mobile threat defense) solutions capable of flagging anomalous in‑browser JavaScript activity and unexpected post‑exploitation behaviour on managed devices.
- Review third‑party mobile‑app vendors for secure development practices and supply‑chain vetting.
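The version check in the first recommended action is simple to automate against an MDM inventory export. The following Python is an added example, not part of the Malwarebytes Labs write‑up; it assumes a constructed CSV export with columns `device_id`, `user` and `os_version` (real MDM exports use different column names, so adapt the header), and it applies the advisory's numbers directly: iOS 18.4‑18.7 is affected, ≥ 18.8 is patched, anything older is unpatched but outside the named target range, and an unparseable version is flagged for manual follow‑up.

```python
"""Triage an MDM inventory for DarkSword exposure (iOS 18.4-18.7).

Added example, not code from the Malwarebytes Labs advisory. The CSV format
below is an assumption; map your MDM's column names onto it.
"""
import csv
import io
import re

# Inclusive (major, minor) range the advisory names as targeted by DarkSword.
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)
# Version at or above which the advisory treats a device as patched.
PATCHED_MIN = (18, 8)

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = """device_id,user,os_version
IPH-0001,alice,18.7.1
IPH-0002,bob,18.8
IPH-0003,carol,18.3.2
IPH-0004,dave,26.0
IPH-0005,erin,18.4
IPH-0006,frank,not reported
"""

_VER = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(s):
    """Return (major, minor, patch) or None if s is not a dotted version."""
    m = _VER.match(s.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(os_version):
    """Classify one reported iOS version string against the advisory range."""
    v = parse_version(os_version)
    if v is None:
        return "unknown"            # needs manual follow-up with the device owner
    mm = v[:2]                      # compare on (major, minor) only
    if mm >= PATCHED_MIN:
        return "patched"
    if AFFECTED_MIN <= mm <= AFFECTED_MAX:
        return "affected"           # inside the 18.4-18.7 target range
    return "older-unpatched"        # below 18.4: not in the named range, still unpatched


def triage(csv_text):
    """Group device_ids by exposure class, preserving inventory order."""
    groups = {"affected": [], "older-unpatched": [], "unknown": [], "patched": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[classify(row["os_version"])].append(row["device_id"])
    return groups


if __name__ == "__main__":
    for label, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{label:16s} {len(ids):3d}  {', '.join(ids)}")
```

Note the deliberately conservative rule: a point release such as 18.7.1 is still reported as affected because the advisory only states that ≥ 18.8 (or an explicitly applied patch) closes the chain; if Apple ships a backported fix for the 18.7 line, raise `AFFECTED_MAX` handling accordingly rather than trusting the minor number alone.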
Technical Notes – DarkSword chains six iOS/Safari vulnerabilities (including a memory‑corruption bug and a WebKit logic flaw) to achieve arbitrary code execution from a drive‑by web request, with no interaction beyond loading the page. The final payload, Ghostblade, is a JavaScript‑based stealer that harvests device identifiers, messages, contacts, health data, Wi‑Fi credentials, crypto‑wallet information, and more before self‑deleting. Because the payload removes its own traces, the OS version of the device and network or proxy logs of the initial page load are typically more reliable indicators than on‑device artifacts.
Source: Malwarebytes Labs