HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

DarkSword iOS Exploit Kit Powers Large‑Scale Infostealer Attacks on iPhone Users

A newly discovered iOS exploit kit called DarkSword is being used to deliver three malware families that steal personal data, crypto wallet credentials, and communications from iPhones running iOS 18.4‑18.7. The chain leverages six known CVEs and has been observed in campaigns by several threat actors since late 2025, posing a significant third‑party risk for organizations with BYOD or mobile‑first strategies.

LiveThreat™ Intelligence · 📅 March 19, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

DarkSword iOS Exploit Kit Powers Large‑Scale Infostealer Attacks on iPhone Users

What Happened — A newly identified iOS exploit kit dubbed “DarkSword” is being used to deliver three malware families (GHOSTBLADE, GHOSTKNIFE, GHOSTSABER) that steal personal data, cryptocurrency wallet credentials, and communications from iPhones running iOS 18.4‑18.7. The kit chains six known CVEs (CVE‑2025‑31277, CVE‑2025‑43529, CVE‑2026‑20700, CVE‑2025‑14174, CVE‑2025‑43510, CVE‑2025‑43520) and has been observed in campaigns by multiple threat actors since November 2025.

Why It Matters for TPRM

  • Mobile devices are a common entry point for supply‑chain and BYOD risks; a compromised iPhone can expose corporate credentials and crypto assets.
  • The exploit leverages publicly disclosed vulnerabilities that may not be fully patched on all managed devices, creating a window for data exfiltration.
  • Threat actors are targeting users in multiple regions and industries, increasing the likelihood of collateral impact on third‑party relationships.

Who Is Affected — Consumer iPhone users, corporate BYOD programs, and any organization that permits iOS devices to access internal resources (finance, technology, retail, etc.).

Recommended Actions — Verify that all iOS devices are running the latest patched version, deploy mobile threat‑defense solutions, monitor network traffic for GHOST* indicators, and review third‑party contracts for mobile security obligations.

Technical Notes — DarkSword exploits a sandbox‑escape, privilege‑escalation, and remote‑code‑execution chain across six CVEs, all of which have been addressed by Apple in recent releases. The malware families are JavaScript‑based, exfiltrating wallet keys, messages, photos, location data, and more. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →