{"id":11454,"date":"2026-03-19T10:03:35","date_gmt":"2026-03-19T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/19\/new-ios-exploit-with-advanced-iphone-hacking-tools-attacking-users-to-steal-personal-data\/"},"modified":"2026-03-19T10:03:35","modified_gmt":"2026-03-19T10:03:35","slug":"new-ios-exploit-with-advanced-iphone-hacking-tools-attacking-users-to-steal-personal-data","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/19\/new-ios-exploit-with-advanced-iphone-hacking-tools-attacking-users-to-steal-personal-data\/","title":{"rendered":"New iOS Exploit With Advanced iPhone Hacking Tools Attacking Users to Steal Personal Data"},"content":{"rendered":"

New iOS Exploit With Advanced iPhone Hacking Tools Attacking Users to Steal Personal Data
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated full-chain iOS exploit kit dubbed\u00a0DarkSword, actively deployed by multiple commercial surveillance vendors and state-sponsored threat actors since at least November 2025 to steal sensitive personal data from iPhone users across four countries.<\/p>\n

DarkSword is a full-chain iOS exploit that chains six distinct vulnerabilities, four of which were leveraged as zero-days, to achieve complete device compromise on iPhones running iOS versions 18.4 through 18.7.<\/p>\n

The exploit chain operates entirely in JavaScript, allowing attackers to bypass Apple\u2019s Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM) mitigations that would otherwise block unsigned native binary code from executing.<\/p>\n

GTIG, iVerify, and Lookout analyzed the exploit chain\u2019s name based on toolmarks embedded in recovered payloads and have confirmed its use in targeted campaigns against victims in Saudi Arabia, Turkey, Malaysia, and Ukraine.<\/p>\n

Six-Vulnerability iOS Exploit Chain<\/strong><\/h2>\n

The six-vulnerability chain begins with a remote code execution (RCE) exploit targeting JavaScriptCore, Apple\u2019s JavaScript engine used in Safari and WebKit, and progresses through two sandbox escape stages, a local privilege escalation, and a final payload deployment that grants attackers full kernel-level privileges.<\/p>\n

CVE-2026-20700, a Pointer Authentication Code (PAC) bypass in Apple\u2019s\u00a0dyld<\/code>\u00a0dynamic linker, was chained directly with both RCE exploits and patched only with iOS 26.3 after GTIG reported it to Apple<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n
CVE<\/th>\nExploit Module<\/th>\nVulnerability Type<\/th>\nAffected Component<\/th>\nZero-Day<\/th>\nPatched In<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-31277<\/td>\nrce_module.js<\/code><\/td>\nJIT optimization \/ type confusion<\/td>\nJavaScriptCore (WebKit)<\/td>\nNo<\/td>\niOS 18.6<\/td>\n<\/tr>\n
CVE-2025-43529<\/td>\n\nrce_worker_18.6.js<\/code>, rce_worker_18.7.js<\/code>\n<\/td>\nUse-after-free \/ garbage collection bug in DFG JIT layer<\/td>\nJavaScriptCore (WebKit)<\/td>\nYes<\/td>\niOS 18.7.3, 26.2 \u200b<\/td>\n<\/tr>\n
CVE-2026-20700<\/td>\n\nrce_worker_18.4.js<\/code>, rce_worker_18.6.js<\/code>, rce_worker_18.7.js<\/code>\n<\/td>\nMemory corruption \/ user-mode PAC bypass<\/td>\n\ndyld<\/code> (Dynamic Linker)<\/td>\nYes<\/td>\niOS 26.3 \u200b<\/td>\n<\/tr>\n
CVE-2025-14174<\/td>\n\nsbox0_main_18.4.js<\/code>, sbx0_main.js<\/code>\n<\/td>\nOut-of-bounds memory access in WebGL operation<\/td>\nANGLE (GPU process \/ WebKit)<\/td>\nYes<\/td>\niOS 18.7.3, 26.2 \u200b<\/td>\n<\/tr>\n
CVE-2025-43510<\/td>\nsbx1_main.js<\/code><\/td>\nMemory management \/ copy-on-write bug<\/td>\nXNU Kernel<\/td>\nNo<\/td>\niOS 18.7.2, 26.1<\/td>\n<\/tr>\n
CVE-2025-43520<\/td>\npe_main.js<\/code><\/td>\nKernel-mode race condition in VFS implementation<\/td>\nXNU Kernel (Virtual Filesystem)<\/td>\nNo<\/td>\niOS 18.7.2, 26.1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

GTIG identified three distinct post-exploitation malware families deployed after a successful DarkSword compromise, each tailored to specific threat actor needs.<\/p>\n

\n
\"\"
Attack Chain (Source: Google)<\/figcaption><\/figure>\n<\/div>\n

GHOSTKNIFE, deployed by threat cluster UNC6748 via a Snapchat-themed phishing site (snapshare[.]chat<\/code>), is a JavaScript backdoor capable of exfiltrating signed-in accounts, messages, browser data, location history, and audio recordings from the device\u2019s microphone.<\/p>\n

It communicates with its command-and-control (C2) server<\/a> over a custom binary protocol encrypted with ECDH and AES, and actively deletes crash logs from the device to evade forensic detection.<\/p>\n

GHOSTSABER, deployed by Turkish commercial surveillance vendor PARS Defense in campaigns targeting Turkey and Malaysia, supports over 15 distinct C2 commands, including device enumeration, file exfiltration, arbitrary SQLite query execution, and photo thumbnail uploads.<\/p>\n

Several GHOSTSABER commands, including audio recording and real-time geolocation, are not yet fully implemented in the JavaScript implant itself, suggesting follow-on binary modules are downloaded at runtime from the C2 server.<\/p>\n

GHOSTBLADE, attributed to suspected Russian espionage actor UNC6353, functions as a comprehensive data miner exfiltrating iMessages, Telegram, and WhatsApp data, cryptocurrency wallet data, Safari history and cookies, Health databases, device keychains, location history, and saved Wi-Fi passwords.<\/p>\n

Unlike the other two families, GHOSTBLADE does not operate persistently or support interactive backdoor commands, but its breadth of data collection makes it highly valuable for intelligence-gathering operations. Notably, GHOSTBLADE\u2019s library code contains a reference to a function named startSandworm()<\/code> that remains unimplemented \u2014 possibly a codename for a separate, forthcoming exploit.<\/p>\n

UNC6748 delivered DarkSword through a fraudulent Snapchat lookalike site, using obfuscated JavaScript loaders with anti-debugging protections and session storage fingerprinting to avoid re-infecting the same victims.<\/p>\n

PARS Defense upgraded its delivery mechanism to encrypt exploit stages using ECDH key exchange between the attacker infrastructure and the victim device, demonstrating heightened operational security awareness.<\/p>\n

UNC6353 \u2014 a suspected Russian espionage group previously linked to the Coruna iOS exploit kit, embedded malicious\u00a0<script><\/code>\u00a0tags into compromised Ukrainian websites, loading DarkSword silently via hidden iFrames.<\/p>\n

Tellingly, a comment in UNC6353\u2019s source code was written in Russian, and GTIG has been working with CERT-UA to mitigate this ongoing campaign active through March 2026.<\/p>\n

GTIG reported all<\/a> DarkSword vulnerabilities to Apple in late 2025, and all six CVEs have since been patched the majority prior to, and the remainder with the release of\u00a0iOS 26.3.<\/p>\n

\"\"
Attack Timeline (Source: Google)<\/figcaption><\/figure>\n

Google has also added all identified DarkSword delivery domains to Safe Browsing. Users are strongly urged to update to the latest version of iOS immediately; if updates are not available, enabling\u00a0Lockdown Mode\u00a0is recommended as an additional safeguard against this class of exploit.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post New iOS Exploit With Advanced iPhone Hacking Tools Attacking Users to Steal Personal Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

New iOS Exploit With Advanced iPhone Hacking Tools Attacking Users to Steal Personal Data A sophisticated full-chain iOS exploit kit dubbed\u00a0DarkSword, actively deployed by multiple commercial surveillance vendors and state-sponsored threat actors since at least November 2025 to steal sensitive personal data from iPhone users across four countries. DarkSword is a full-chain iOS exploit that […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1636,129,63],"tags":[130],"class_list":["post-11454","post","type-post","status-publish","format-standard","hentry","category-cyber-attack-news","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11454"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11454"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11454\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}