👤 LOGICFALCON
🗓️ 19 Mar 2026   🌍 Middle-East

Inside “DarkSword”: The Stealthy JavaScript Hackers Slicing Through iPhones Worldwide

An unprecedented iOS exploit chain is enabling hackers to steal data from Apple devices using advanced, browser-based attacks.

It started with a Snapchat link - a click, a moment’s curiosity, and an iPhone compromised. Behind the scenes, a new breed of cyberattack was unfolding. “DarkSword,” a cutting-edge exploit chain, has quietly sliced through Apple’s latest defenses, leaving users and experts stunned by its sophistication and scale. As threat actors from espionage groups to commercial surveillance vendors seize on this weapon, the line between web browsing and device takeover has never been thinner.

The Anatomy of a Modern Mobile Heist

Unlike yesterday’s malware, DarkSword is built for the digital age - weaponizing JavaScript to slip past traditional security measures. The campaign was first uncovered by Google’s Threat Intelligence Group, which traced its roots to November 2025. Hackers leveraged a six-step vulnerability chain, starting with flaws in WebKit (the browser engine powering Safari) and ending with total device takeover via kernel bugs.

What sets DarkSword apart is its delivery: victims are lured by phishing links (sometimes disguised as Snapchat invites), or infected by simply visiting compromised websites. The entire attack unfolds within the browser, making detection nearly impossible for users and many security tools.

Three main adversary groups have been identified. In Saudi Arabia, the UNC6748 group used a fake Snapchat sharing site to deliver the GHOSTKNIFE spyware, which pilfers messages, browser data, and even records audio. Turkish surveillance vendor PARS Defense targeted users in Turkey and Malaysia, deploying GHOSTSABER - a backdoor with capabilities from file theft to remote command execution. Meanwhile, a Russian-linked operation, UNC6353, embedded the GHOSTBLADE data miner in Ukrainian websites, scooping up messages, crypto wallets, and hidden files.

Each actor tweaked the chain for their targets, but the goal was the same: silent, deep access to private data. The JavaScript-only approach not only makes the attack more flexible but also harder to trace, since it often leaves fewer forensic breadcrumbs than traditional malware.

Patch Fast, Stay Vigilant

Apple has since patched all known vulnerabilities in iOS 26.3, but the speed and creativity of DarkSword’s operators signal a new era for mobile threats. Security experts recommend immediate updates and, for those at higher risk, enabling Apple’s Lockdown Mode to block malicious scripts. As browser-based exploits grow more sophisticated, the boundary between web and device blurs - leaving users to wonder what’s lurking behind the next innocuous link.

WIKICROOK

  • Full Motion Session Recording: Full Motion Session Recording captures a video-like replay of all user actions during a computer session, offering detailed insight for security and auditing.
  • JavaScript: JavaScript is the main programming language for web browsers, enabling interactive websites but also posing potential security risks if misused.
  • Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Watering hole: A watering hole attack is when attackers compromise trusted websites to infect or spy on specific groups by targeting sites they frequently visit.

LOGICFALCON
Log Intelligence Investigator