Zero‑Day iOS Exploit Kit “DarkSword” Enables Full Device Compromise Across Multiple Nations
What Happened – Lookout Threat Labs uncovered “DarkSword,” an iOS exploit kit that chains six vulnerabilities (three zero‑days) to gain complete control of iPhones running iOS 18.4‑18.7. Since late 2025 it has been used in campaigns against users in Saudi Arabia, Turkey, Malaysia and Ukraine, stealing credentials and cryptocurrency‑wallet data before self‑destructing.
Why It Matters for TPRM –
- Full‑device takeover can expose employee credentials, corporate data and crypto assets stored on mobile devices.
- The kit is sold on secondary markets, widening the pool of threat actors that can target your third‑party vendors.
- BYOD and mobile‑first strategies increase the attack surface for enterprises that rely on iOS endpoints.
Who Is Affected – Financial services (especially crypto‑wallet providers), technology SaaS firms with mobile apps, and government agencies with iOS‑based workflows.
Recommended Actions – Review iOS device inventory, enforce timely patching, strengthen mobile threat detection, tighten MDM policies, and monitor for DarkSword IOCs (the six CVEs).
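An added example for the inventory review step above (not code from Lookout or the source article): it triages an MDM export against the iOS 18.4‑18.7 range this page gives. The CSV columns and sample rows are constructed, and counting point releases such as 18.7.1 as inside the range is an assumption.

```python
import csv
import io
import re

# Affected range as stated on this page: iOS 18.4 through 18.7.
# Assumption: only major.minor is compared, so 18.7.x counts as in range.
AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)

# Constructed sample export; column names are hypothetical, not a real MDM schema.
SAMPLE_EXPORT = """device_id,owner,platform,os_version
D-001,alice,iOS,18.5
D-002,bob,iOS,18.7.1
D-003,carol,iOS,18.3.2
D-004,dave,iOS,26.0
D-005,erin,iPadOS,18.6
D-006,frank,iOS,
D-007,grace,iOS,iOS 18.4
D-008,heidi,Android,15
"""

def parse_major_minor(raw):
    """Return (major, minor) from strings like '18.7.1' or 'iOS 18.4', else None."""
    m = re.search(r"(\d+)\.(\d+)", raw or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(export_text):
    """Split iOS rows into in-range, out-of-range and unknown-version buckets."""
    buckets = {"in_range": [], "out_of_range": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["platform"].strip().lower() != "ios":
            continue  # the page names iOS only; other platforms are not assessed here
        version = parse_major_minor(row["os_version"])
        if version is None:
            buckets["unknown"].append(row["device_id"])  # needs manual follow-up
        elif AFFECTED_MIN <= version <= AFFECTED_MAX:
            buckets["in_range"].append(row["device_id"])
        else:
            buckets["out_of_range"].append(row["device_id"])
    return buckets

if __name__ == "__main__":
    for name, ids in triage(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(ids) or '-'}")
```

Devices in the unknown bucket have no parsable version and need a manual check before they can be ruled out.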
Technical Notes – The exploit chain leverages CVE‑2025‑31277, CVE‑2026‑20700 (PAC bypass, zero‑day), CVE‑2025‑43529, CVE‑2025‑14174, CVE‑2025‑43510 and CVE‑2025‑43520. It targets iOS 18.4‑18.7, requires minimal user interaction, and exfiltrates data within seconds.
Source: Security Affairs