The DarkSword Leak: How a GitHub Upload Turned a State-Sponsored iPhone Exploit Into Everyone's Problem

On March 23, 2026, someone uploaded the complete source code of an iPhone exploit kit called DarkSword to GitHub [1]. The files were simple HTML and JavaScript—no compiled binaries, no specialized tools. According to iVerify co-founder Matthias Frielingsdorf, "They are way too easy to repurpose... The exploits will work out of the box. There is no iOS expertise required" [2]. An attacker could host the code on a server "in a couple minutes to hours" [2].

The leak marks the culmination of a month that has seen two separate full-chain iOS exploit kits disclosed publicly, at least 42,000 confirmed device infections, and emergency patch orders from the U.S. government—raising questions about how exploit tools built for state espionage end up in the hands of criminals, and what happens when they become available to everyone.

What DarkSword Does

DarkSword is a full-chain iOS exploit kit, meaning it can take a fully patched iPhone from initial contact to complete compromise without requiring the victim to do anything beyond visiting a webpage in Safari [3]. The entire attack is implemented in JavaScript and executes within Safari's browser engine—no app downloads, no user interaction beyond a single page visit [4].

The exploit chain uses six vulnerabilities in sequence [3]:

  1. A malicious iframe loads JavaScript fingerprinting code on a compromised website
  2. The code profiles the device to determine if it is a valid target
  3. A JavaScriptCore JIT vulnerability (CVE-2025-43529) achieves remote code execution in the browser
  4. A WebGPU sandbox escape (CVE-2025-14174) breaks out of Safari's security container
  5. Kernel vulnerabilities (CVE-2025-43510, CVE-2025-43520) escalate privileges to full system access
  6. A PAC bypass in dyld (CVE-2026-20700) defeats Apple's Pointer Authentication Codes, one of the company's primary hardware security controls [4]

Three of these six vulnerabilities—CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174—were zero-days at the time of first exploitation, meaning Apple had no patches available when attacks began [3].

Once inside, DarkSword deploys one of three JavaScript-based payloads depending on the operator: GHOSTBLADE (an infostealer), GHOSTKNIFE, or GHOSTSABER (backdoors with command execution) [3]. The data exfiltration is extensive: emails, iCloud files, contacts, SMS messages, browsing history, cookies, cryptocurrency wallet credentials, passwords, photos, call logs, Wi-Fi passwords, location data, calendar entries, SIM information, app lists, Notes, Health data, and Telegram and WhatsApp messages [3].

The kit operates on a "hit-and-run" model. Lookout researchers described the approach: collecting and exfiltrating targeted data "within seconds or at most minutes, followed by cleanup" to minimize detection [5].

Who Was Targeted—and by Whom

Google's Threat Intelligence Group (GTIG), working alongside iVerify and Lookout, traced DarkSword activity back to at least November 2025 [3]. Three distinct groups were observed using the kit:

  • UNC6353, a suspected Russian espionage group, deployed DarkSword through watering hole attacks—compromised legitimate websites—targeting users in Ukraine between November 2025 and early 2026 [3][6]
  • UNC6748, linked to an unnamed commercial surveillance vendor, targeted users in Saudi Arabia via a Snapchat-themed domain in November 2025 [3]
  • PARS Defense, a Turkish commercial surveillance vendor, used DarkSword between November 2025 and January 2026 against targets in Turkey and Malaysia [3]

Damon McCoy, co-director of NYU's Center for Cyber Security, told Time: "This is a pretty significant threat...quite a few people are still running this outdated version of iOS, and those people are quite vulnerable" [7].

Two Exploit Kits in One Month

DarkSword was not discovered in isolation. Two weeks earlier, on March 3, 2026, Google disclosed Coruna (also called CryptoWaters), a separate exploit kit targeting iPhones running iOS 13.0 through 17.2.1 [8]. Coruna was far more complex: five full exploit chains, 23 individual exploits, and infrastructure designed for long-term persistent surveillance of older devices [8].

iVerify described Coruna as "the first known mass exploitation of mobile phones, including iOS, by a criminal group using tools likely built by a nation-state," confirming at least 42,000 devices were infected [9]. Where Coruna targeted older iOS versions for sustained surveillance, DarkSword targeted newer versions (iOS 18.4 through 18.7) for rapid data theft—a different operational philosophy from the same general infrastructure cluster [6].

[Chart: Media Coverage of iPhone Exploit Kits (Feb-Mar 2026). Source: GDELT Project. Data as of Mar 24, 2026.]

The two kits share command-and-control infrastructure but were "made by entirely separate people," according to iVerify's Rocky Cole [6]. Both kits show signs of having been generated with the assistance of large language models—detailed inline comments characteristic of AI-generated code, which Lookout researcher Justin Albrecht said "lowers the barrier to entry for deploying advanced mobile exploits" [6].

Scale of Exposure

The numbers are significant. DarkSword targets iOS 18.4 through 18.7. According to Apple's own data on device adoption, roughly 15% of all iPhones are still running iOS 18 or earlier [5]. With an estimated 1.4 billion active iPhones globally, that translates to approximately 210 to 270 million vulnerable devices [1][10].

Coruna's target range—iOS 13.0 through 17.2.1—covers an additional set of older devices, though there is some overlap with users who simply have not updated in years [8].

Apple released emergency patches on March 11, 2026, addressing the vulnerabilities across iOS 15, 16, and 18 for devices that cannot run iOS 26 [2][11]. The company also recommended that users enable Lockdown Mode, a feature that restricts certain device functions to reduce the attack surface [7]. iOS 26.3 addresses all six DarkSword vulnerabilities [3].

CISA and the Federal Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three of the six DarkSword CVEs to its Known Exploited Vulnerabilities catalog on March 20, 2026 [12]. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch agencies were ordered to patch affected devices by April 3, 2026 [12].

This is the second time in 2026 that CISA has issued emergency directives related to Apple vulnerabilities—the first came in February when Apple disclosed CVE-2026-20700 as an actively exploited zero-day, describing it as part of an "extremely sophisticated attack" [13].

The GitHub Leak and Its Consequences

The identity of whoever uploaded DarkSword to GitHub remains unknown. The leaker posted a newer version of the kit than what researchers had previously analyzed—suggesting access to an updated build, though whether this came from a direct participant, a customer of a surveillance vendor, or another source is unclear [1][2].

Frielingsdorf's assessment was blunt: "This is bad... I don't think that can be contained anymore. So we need to expect criminals and others to start deploying this" [2].

The Russian operators who originally deployed DarkSword had already demonstrated poor operational security. They left complete, unobfuscated code—including helpful comments explaining each component—on compromised websites where it could be copied [5]. The GitHub upload made an already leaky situation into a public one.

How DarkSword Compares to Previous Mobile Exploits

The disclosure of two iOS exploit kits in a single month is without precedent, though individual components invite comparison to earlier incidents:

  • NSO Group's Pegasus spyware, first exposed publicly in 2016, similarly used zero-click exploit chains targeting iPhones, but was sold exclusively to governments for targeted surveillance at costs reportedly exceeding $500,000 per deployment. DarkSword, by contrast, is now free and public [1].
  • Blastpass (2023) was a zero-click iMessage exploit discovered by Citizen Lab that Apple patched within days of disclosure. It targeted a narrow set of iOS versions and was used by NSO Group [13].
  • Operation Triangulation (2023), discovered by Kaspersky, used a chain of four zero-days targeting iOS devices via iMessage. Coruna reused some of the same vulnerability classes [8].
  • Android's Stagefright vulnerability (2015) affected an estimated 950 million devices through a flaw in the media processing framework. While broader in raw device count, Stagefright was a single vulnerability rather than a weaponized exploit kit with multiple payload options [10].

What distinguishes the current situation is the combination of sophistication (full-chain, zero-click), confirmed mass deployment (42,000+ infections via Coruna alone), and now unrestricted public availability.

The Disclosure Debate

The public release of DarkSword reopens a longstanding tension in security research: does publishing exploit code protect users by forcing vendors to patch, or does it endanger them by giving attackers ready-made tools?

Defenders of public disclosure argue that Apple knew about DarkSword's underlying vulnerabilities since at least late 2025, when Google reported them [6]. The gap between private notification and public patch—roughly four months—left millions of devices exposed while only state actors and surveillance vendors had access to the exploits. Under this view, public release accelerates the patch cycle and eliminates the information asymmetry between attackers and defenders.

Corellium, the security firm Apple has repeatedly sued for building iOS virtualization tools, has argued that Apple's approach to security research creates structural problems. In court filings, Corellium stated that "by requiring that security researchers use its physical development devices to the exclusion of other products... Apple is trying to exclusively control how security research is performed, and who is able to perform that research" [14]. Corellium characterized Apple's legal strategy as "an existential threat to an open and healthy security research community" [14].

The opposing view is straightforward: publishing working exploit code puts millions of users at immediate risk. Not every iPhone owner updates promptly—or can. Older hardware that cannot run iOS 26 depends on backported patches that may take weeks to deploy. The 210-270 million devices running vulnerable iOS versions represent real people whose data is now at greater risk because a working attack tool is publicly available.

Apple's Security Research Device Program, which provides vetted researchers with unlocked iPhones, represents the company's answer to criticism that its closed ecosystem hampers security research [15]. Applications for the 2026 program opened in September 2025 [15]. Critics counter that limiting access to a vetted program means Apple controls which vulnerabilities get found and when.

What Users Should Do

The immediate advice from Apple, Google, CISA, and all three research firms that disclosed DarkSword is the same: update your iPhone. Users who can run iOS 26 should install iOS 26.3 or later. Users on older hardware should install iOS 18.7.5, iOS 16.7.15, or iOS 15.8.7, depending on their device [2][11].
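As an added example (not code from the article or from any of the vendors it cites), the following Python check classifies the iOS versions in a device inventory against the target ranges and fixed builds the article lists, so an administrator can see which devices still need the update. The inventory and device ids are constructed sample data, and reading "18.4 through 18.7" as every build below the 18.7.5 fix is an assumption.

```python
Version = tuple[int, int, int]

def parse_version(s: str) -> Version:
    """Normalise an iOS version string to a 3-tuple: '18.7' -> (18, 7, 0)."""
    parts = [int(p) for p in s.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {s!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

# Minimum fixed builds per major version, as listed in the article.
PATCHED_MIN: dict[int, Version] = {
    26: (26, 3, 0), 18: (18, 7, 5), 16: (16, 7, 15), 15: (15, 8, 7),
}
# Target ranges from the article. "18.4 through 18.7" is read here (assumption)
# as every 18.4-18.7 build below the 18.7.5 fix; Coruna is 13.0 through 17.2.1.
DARKSWORD_LOW, DARKSWORD_FIX = (18, 4, 0), PATCHED_MIN[18]
CORUNA_LOW, CORUNA_HIGH = (13, 0, 0), (17, 2, 1)

def assess(version: str) -> str:
    """Classify one device's iOS version against the article's ranges."""
    v = parse_version(version)
    major = v[0]
    if major > 26 or (major in PATCHED_MIN and v >= PATCHED_MIN[major]):
        return "patched"                # "iOS 26.3 or later" or a fixed backport
    if DARKSWORD_LOW <= v < DARKSWORD_FIX:
        return "exposed-darksword"
    if CORUNA_LOW <= v <= CORUNA_HIGH:
        return "exposed-coruna"
    if major in PATCHED_MIN:            # e.g. 18.3 or 26.1: below the fixed build
        return "update-required"        # but outside the stated target ranges
    return "not-covered"                # e.g. 17.3-17.x: no backport is named

def fleet_report(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group device ids by status so exposed devices can be chased first."""
    report: dict[str, list[str]] = {}
    for device_id, version in inventory:
        report.setdefault(assess(version), []).append(device_id)
    return report

# Constructed sample inventory (hypothetical device ids, not real records).
SAMPLE_INVENTORY = [
    ("ipad-01", "18.7.5"), ("iphone-02", "18.6"), ("iphone-03", "17.2.1"),
    ("iphone-04", "17.6"), ("iphone-05", "16.7.14"), ("iphone-06", "26.3.1"),
    ("iphone-07", "26.1"), ("iphone-08", "18.3"), ("iphone-09", "15.8.7"),
]

if __name__ == "__main__":
    for status, ids in sorted(fleet_report(SAMPLE_INVENTORY).items()):
        print(f"{status:18} {', '.join(ids)}")
```

Devices reported as "not-covered" are not known to be safe; they are simply outside every range the article names, so they still warrant a manual check.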

For users who want additional protection, Apple's Lockdown Mode restricts JavaScript execution in Safari, message attachment types, and other features that exploit kits typically target [7]. Google has added identified malicious domains to its Safe Browsing service, which provides warnings in Chrome and other browsers [7].

The Bigger Picture

The DarkSword and Coruna disclosures mark a shift in the mobile threat landscape. For years, full-chain iOS exploits were the province of well-funded intelligence agencies and surveillance vendors charging millions for access. The tools were hoarded, not shared. That model is breaking down.

Lookout's Justin Albrecht pointed to a telling detail about UNC6353's operations: "They're probably well-funded, probably well-connected, but it's confirmed that they're stealing crypto." He suggested that Russia's budget constraints from Ukraine-related sanctions may be pushing state-affiliated hackers toward cryptocurrency theft as operational funding [6].

Google's threat intelligence team framed the broader concern: "The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation" [3].

The combination of AI-assisted exploit development, a secondary market where government tools leak to criminal groups, and a public GitHub upload that makes sophisticated attack code available to anyone with a web browser suggests that the economics of mobile exploitation are shifting. The question is no longer whether state-grade exploits will reach the broader criminal ecosystem, but how quickly—and whether Apple's patch cycle can keep pace.

Sources (15)

  [1] Someone has publicly leaked an exploit kit that can hack millions of iPhones (techcrunch.com)
      Someone has leaked a newer version of DarkSword and published it on GitHub. This likely affects hundreds of millions of actively used iPhones and iPads.

  [2] DarkSword exploit which affects outdated versions of iOS leaks on GitHub (9to5mac.com)
      iVerify co-founder Matthias Frielingsdorf: 'The exploits will work out of the box. There is no iOS expertise required.' Attackers can host the code 'in a couple minutes to hours.'

  [3] DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover (thehackernews.com)
      The exploit chain uses six different vulnerabilities to deploy three payloads, including CVE-2026-20700, CVE-2025-43529, and CVE-2025-14174 as zero-days.

  [4] The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors (cloud.google.com)
      Google GTIG details how DarkSword was adopted by UNC6353, UNC6748, and PARS Defense across campaigns targeting Ukraine, Saudi Arabia, Turkey, and Malaysia.

  [5] Attackers Wielding DarkSword Threaten iOS Users (lookout.com)
      DarkSword aims to extract extensive personal information using a hit-and-run strategy, collecting and exfiltrating data within seconds or minutes followed by cleanup.

  [6] Second iOS exploit kit now in use by suspected Russian hackers (cyberscoop.com)
      Both Coruna and DarkSword show LLM fingerprints including detailed comments characteristic of AI generation. The kits share C2 infrastructure but were made by separate people.

  [7] Millions of iPhones Could Be Vulnerable to New Spyware, Researchers Warn (time.com)
      NYU's Damon McCoy: 'This is a pretty significant threat...quite a few people are still running this outdated version of iOS, and those people are quite vulnerable.'

  [8] Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 (thehackernews.com)
      Google identified Coruna featuring five full iOS exploit chains and 23 exploits targeting iOS 13.0 through 17.2.1, reusing Operation Triangulation vulnerability classes.

  [9] iVerify Details First Known Mass iOS Attack (iverify.io)
      iVerify confirmed at least 42,000 devices were infected via Coruna, described as the first known mass exploitation of iOS by a criminal group using nation-state tools.

  [10] New Apple Hack: Up to 270M iPhones Vulnerable to 'DarkSword' Exploit (techrepublic.com)
      Between 14.2% and 17.3% of all iPhones, roughly 221 million to 270 million devices, are currently vulnerable to this exploit chain.

  [11] Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks (thehackernews.com)
      Apple released emergency patches on March 11, 2026, addressing vulnerabilities in iOS 15-18 for devices unable to run iOS 26.

  [12] CISA orders feds to patch DarkSword iOS flaws exploited in attacks (bleepingcomputer.com)
      CISA added three DarkSword CVEs to its KEV catalog on March 20, ordering FCEB agencies to patch by April 3 under BOD 22-01.

  [13] Apple discloses first actively exploited zero-day of 2026 (cyberscoop.com)
      Apple disclosed CVE-2026-20700 in February 2026 as part of an 'extremely sophisticated attack,' the first actively exploited zero-day of the year.

  [14] Mobile Security Testing Challenges: 2025-2026 Outlook (corellium.com)
      Corellium argues Apple's litigation presents 'an existential threat to an open and healthy security research community' by controlling who can perform iOS security research.

  [15] Applications now open for Apple's 2026 Security Research Device Program (appleinsider.com)
      Apple opened applications for its 2026 Security Research Device Program, offering vetted researchers rare access to unlocked iPhone models for probing iOS security.