Security researchers are once again confirming what many of us in the jailbreak and security community have been saying for years: once a powerful exploit chain exists, it rarely stays in one place for long.
A newly documented exploit chain, dubbed DarkSword, has been observed targeting iPhones running iOS 18.4 through iOS 18.7.
According to Google’s Threat Intelligence Group (GTIG), this is not just a theoretical chain. It has already been used in the wild against iPhone users through websites that serve spyware.
From Coruna Exploit to DarkSword
Earlier this month, iVerify detailed an exploit toolkit known as Coruna, containing more than 23 exploits, which already showed how sophisticated iOS exploitation has become.
That toolkit bundles dozens of vulnerabilities and several complete chains covering a wide range of iOS versions. The jailbreak community has already used it to build the Coruna tweak injector, and it may eventually yield an updated Dopamine jailbreak supporting up to iOS 17.2.1.
DarkSword appears to be the next step in that evolution. It too was analyzed by iVerify, in an article published today.
What stands out is not just the technical capability, but how quickly such tooling is reused. Instead of a single group holding onto it, the same exploit chain is now being leveraged by different actors for completely different purposes. It was never realistic to expect that a framework as capable as Coruna would be used only by the jailbreak community.
A Fully JavaScript-Based Attack Chain (WebKit)
One of the most interesting technical aspects of DarkSword is its heavy reliance on JavaScript. No computer is needed to run it, which is convenient for jailbreaking but also makes it far easier for spyware to infect a device.
Traditionally, iOS exploit chains rely at some stage on attacker-supplied native code, delivered as a sideloaded app or over USB. In this case, the entire chain is delivered and driven from JavaScript, from the initial WebKit compromise all the way to kernel-level access.
That has important implications:
- Since no app is ever installed, the code-signing checks applied to installed binaries never come into play, and there is no IPA to sideload with Sideloadly or any similar tool.
- It reduces the need to drop conspicuous binaries onto the device. A visit to a dodgy movie-streaming site in Safari can compromise the phone with nothing visible to the user.

In simple terms, the attacker does not need traditional payload delivery methods such as IPA applications or USB-based attacks using libimobiledevice. Everything starts in the browser and escalates from there, much like a WebKit-based jailbreak.
How the Infection Happens
The delivery methods used in these campaigns are fairly standard, but still very effective.
Researchers observed two primary approaches:
- Phishing pages disguised as legitimate platforms, including social media themes
- Compromised websites used as watering holes
The worrying part is how little user interaction is required. In many cases, simply visiting a malicious page is enough; there is no need to install anything or tap a suspicious download prompt. It is not strictly zero-click, since the victim still has to load the malicious page, but nothing more is needed after that. In practice this is a drive-by, one-click compromise.
Breaking Out of iOS Protections
After the initial browser compromise, the chain moves through several stages:
- Exploiting WebKit to gain code execution
- Escaping the browser sandbox
- Pivoting into other system processes, including GPU-related components
- Reaching the kernel for full device control
By the time the final stage is reached, the attacker effectively owns the device and can take anything from it: photos, contacts, messages, location, and so on.
Another important detail is how the same exploit chain is being reused in different operations. At least three separate campaigns have been identified, each with its own objectives:
- Surveillance-focused deployments targeting individuals
- Data harvesting operations aimed at large-scale information collection
- Credential and financial data theft
Even though the payloads differ, the underlying exploit chain remains the same. This reinforces the idea that DarkSword is being distributed as a tool rather than used exclusively by its creators. Some of these attacks beacon back to servers in Russia.
Who Is Being Targeted
The attacks have been observed affecting users in several regions, including parts of Europe, the Middle East, and Asia.
This is not a mass consumer malware campaign in the traditional sense. It appears more targeted, likely focusing on individuals of interest such as journalists, activists, or high-value targets.
That said, once tools like this spread, the barrier to entry drops. What starts as targeted espionage can easily evolve into broader abuse.
Apple Patches Are Out, But Not Everyone Is Safe
Apple has already addressed the vulnerabilities used in this chain, with fixes rolled out in newer iOS updates.
However, devices that have not been updated, which means anything still on iOS 18.4 through 18.7.x, and older builds as well, remain exposed to whichever parts of the chain affect their version until they are brought fully up to date.
What You Should Do Right Now
If you are running an affected iOS version, updating should be your top priority, unless you are deliberately staying on an older build for jailbreaking and accept the risk that comes with it.
For users who cannot update immediately, enabling Lockdown Mode significantly reduces the attack surface, especially against browser-based exploits like this one. Among other things, it disables just-in-time (JIT) JavaScript compilation and other complex web technologies in Safari and WebKit-based views, which are exactly what a JavaScript-driven chain leans on. Note that Lockdown Mode lets you exclude individual websites; any site you exclude loses that protection, so keep the exclusion list empty.
It is not a perfect solution, but it does block many of the techniques used in chains like DarkSword.
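One practical check a fleet admin or incident responder will want after reading this is which devices are still inside the version window the article gives. The script below is an added example written for this article, not tooling from iVerify, GTIG, iDevice Central or Apple. It assumes the affected window is iOS 18.4 through 18.7.x exactly as stated above, treats any build in that window as needing an update because the article does not name the fixing release, and runs over a constructed inventory CSV of the kind an MDM export produces; the device names and versions in it are made up, and the 18.10 entry is a hypothetical value included only to show that versions must be compared numerically rather than as strings.

```python
"""Triage an iOS device inventory against the DarkSword version range.

Added example, not code from iVerify, GTIG, iDevice Central or Apple. It assumes:
- the affected range the article gives, iOS 18.4 through 18.7.x (point releases
  of 18.7 are treated as inside the range, since the article warns about 18.7.x);
- that any build in that range should be treated as needing an update, because
  the article does not name the exact iOS release that fixed the chain;
- a constructed CSV inventory (device name, iOS version, Lockdown Mode flag)
  of the kind an MDM export would give you.
"""
import csv
import io
import re

# Range stated in the article. The upper bound is exclusive: 18.8 and later are outside it.
AFFECTED_MIN = (18, 4, 0)
AFFECTED_MAX_EXCLUSIVE = (18, 8, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_ios_version(text: str) -> tuple[int, int, int]:
    """Turn '18.7.1' or '18.7' into a comparable (major, minor, patch) tuple.

    Tuples compare numerically, so 18.10 sorts after 18.7, which a plain string
    comparison would get wrong ('18.10' < '18.7' lexically).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_darksword_range(version: str) -> bool:
    """True if the build falls inside the 18.4 .. 18.7.x window from the article."""
    v = parse_ios_version(version)
    return AFFECTED_MIN <= v < AFFECTED_MAX_EXCLUSIVE


def triage_device(version: str, lockdown_mode: bool) -> str:
    """Classify one device. Returns one of:
    'update-now'        inside the stated range, Lockdown Mode off
    'update-mitigated'  inside the stated range, Lockdown Mode on (reduced surface, still update)
    'older-build'       below 18.4: outside the range the article gives, but still out of date
    'outside-range'     18.8 or later
    """
    v = parse_ios_version(version)
    if v < AFFECTED_MIN:
        return "older-build"
    if v >= AFFECTED_MAX_EXCLUSIVE:
        return "outside-range"
    return "update-mitigated" if lockdown_mode else "update-now"


def triage_inventory(csv_text: str) -> dict[str, str]:
    """Map device name -> triage label for a CSV with columns name,ios_version,lockdown_mode."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        lockdown = row["lockdown_mode"].strip().lower() in {"1", "true", "yes", "on"}
        result[row["name"]] = triage_device(row["ios_version"], lockdown)
    return result


# Constructed sample inventory (not real device data). The 18.10 entry is a
# hypothetical version used only to exercise numeric ordering.
SAMPLE_INVENTORY = """name,ios_version,lockdown_mode
journalist-iphone,18.7.1,false
editor-iphone,18.7.1,true
intern-iphone,18.3.2,false
ops-iphone,18.10,false
legacy-iphone,17.2.1,false
"""

if __name__ == "__main__":
    for name, label in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:20s} {label}")
```

Point the script at a real MDM export with the same three columns and act on every device labelled update-now first; the update-mitigated devices are a lower priority only because Lockdown Mode narrows the browser attack surface, not because they are safe.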
Final Thoughts
What makes DarkSword particularly concerning is not just its technical depth, but how quickly it spread across different threat actors.
We are seeing a shift where advanced iOS exploitation is becoming more modular and more accessible to groups that did not develop it themselves.
For the jailbreak and security community, this confirms something we’ve known for a while: the same classes of vulnerabilities that enable jailbreaks can also be weaponized very quickly once discovered.
