Date: 03/19/2026
Severity: High
Summary
DarkSword is an iOS full-chain exploit that chains multiple vulnerabilities, unpatched at the time of its use, to fully compromise devices running iOS 18.4 through 18.7. Since late 2025 it has been used by commercial surveillance vendors and state-sponsored actors in campaigns targeting users in regions including Saudi Arabia, Turkey, Malaysia and Ukraine. The chain deploys the backdoor implants GHOSTBLADE, GHOSTKNIFE and GHOSTSABER to maintain persistent access to a compromised device. Its spread across unrelated threat actors points to an active market for advanced exploit capabilities. The vulnerabilities have since been patched in newer iOS versions, so devices kept on a current iOS release are protected against this chain.
Indicators of Compromise (IOC) List
URLs/Domains | snapshare.chat, sahibndn.io, e5.malaymoil.com, static.cdncounter.net, sqwas.shapelie.com
IP Addresses | 62.72.21.10, 72.60.98.48
Hash (SHA-256) | 2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain and URL indicators):
domainname like "sahibndn.io" or siteurl like "sahibndn.io" or url like "sahibndn.io"
or domainname like "e5.malaymoil.com" or siteurl like "e5.malaymoil.com" or url like "e5.malaymoil.com"
or domainname like "static.cdncounter.net" or siteurl like "static.cdncounter.net" or url like "static.cdncounter.net"
or domainname like "snapshare.chat" or siteurl like "snapshare.chat" or url like "snapshare.chat"
or domainname like "sqwas.shapelie.com" or siteurl like "sqwas.shapelie.com" or url like "sqwas.shapelie.com"

Detection Query 2 (IP address indicators, either direction):
dstipaddress IN ("62.72.21.10","72.60.98.48") or srcipaddress IN ("62.72.21.10","72.60.98.48")

Detection Query 3 (file hash indicator):
sha256hash IN ("2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35")
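The three queries above express one piece of detection logic: match the advisory's domains against the domainname, siteurl and url fields, its IP addresses against srcipaddress and dstipaddress, and its SHA-256 hash against sha256hash. The following is an added example, not Gurucul code and not part of the original advisory, that runs the same logic offline in Python over a handful of constructed log records (the field names follow the queries; the record contents are invented). It normalises full URLs and host:port values to a hostname, matches domains by exact or suffix rule so that subdomains and URLs with paths are caught while look-alikes such as notsnapshare.chat are not, compares IPs as parsed addresses, and lowercases the hash before comparison:

```python
"""Offline IOC matcher for the DarkSword indicators in this advisory.

Added example, not Gurucul's code. The log records below are constructed
for illustration; only the indicator values come from the advisory.
"""
import ipaddress
from urllib.parse import urlsplit

# Indicator values from the advisory.
IOC_DOMAINS = {
    "snapshare.chat", "sahibndn.io", "e5.malaymoil.com",
    "static.cdncounter.net", "sqwas.shapelie.com",
}
IOC_IPS = {ipaddress.ip_address(ip) for ip in ("62.72.21.10", "72.60.98.48")}
IOC_SHA256 = {"2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35"}

# Field names mirror the advisory's queries.
DOMAIN_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("srcipaddress", "dstipaddress")


def host_from(value):
    """Reduce a bare domain, host:port, host/path or full URL to a lowercase hostname."""
    v = (value or "").strip().lower().rstrip(".")
    if "://" in v:
        return urlsplit(v).hostname or ""
    return v.split("/", 1)[0].split(":", 1)[0]


def domain_matches(host):
    """True when host equals an indicator or is a subdomain of one.

    Suffix matching with a leading dot deliberately rejects look-alikes
    such as "notsnapshare.chat", which a plain substring test would flag.
    """
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_record(rec):
    """Return a list of 'field=value' strings for every indicator hit in one record."""
    hits = []
    for field in DOMAIN_FIELDS:
        host = host_from(rec.get(field))
        if host and domain_matches(host):
            hits.append(f"{field}={rec[field]}")
    for field in IP_FIELDS:
        raw = (rec.get(field) or "").strip()
        if not raw:
            continue
        try:
            if ipaddress.ip_address(raw) in IOC_IPS:
                hits.append(f"{field}={raw}")
        except ValueError:
            pass  # malformed address: not an IOC hit, but do not crash the scan
    digest = (rec.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        hits.append(f"sha256hash={digest}")
    return hits


def scan(records):
    """Map record id -> hits for every record with at least one hit."""
    results = {}
    for rec in records:
        hits = match_record(rec)
        if hits:
            results[rec["id"]] = hits
    return results


# Constructed sample records (not real telemetry). Record 4 is a look-alike
# domain that must NOT match; record 3 carries the hash in upper case.
SAMPLE_LOGS = [
    {"id": 1, "url": "https://sahibndn.io/api/v1/init",
     "srcipaddress": "10.0.0.12", "dstipaddress": "62.72.21.10"},
    {"id": 2, "domainname": "cdn.static.cdncounter.net",
     "srcipaddress": "10.0.0.31", "dstipaddress": "203.0.113.5"},
    {"id": 3, "siteurl": "https://example.org/",
     "srcipaddress": "10.0.0.7", "dstipaddress": "198.51.100.20",
     "sha256hash": "2E5A56BEB63F21D9347310412AE6EFB29FD3DB2D3A3FC0798865A29A3C578D35"},
    {"id": 4, "domainname": "notsnapshare.chat",
     "srcipaddress": "10.0.0.9", "dstipaddress": "192.0.2.44"},
]

if __name__ == "__main__":
    for rec_id, hits in scan(SAMPLE_LOGS).items():
        print(f"record {rec_id}: {', '.join(hits)}")
```

Records 1 to 3 are reported (URL plus destination IP, subdomain of an indicator, and case-insensitive hash respectively) and record 4 is not. When porting this to a SIEM query, check how the platform's string operators treat subdomains, URL paths and hash case, since a comparison that only matches the bare indicator text will miss the first three forms.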
Reference:
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain