Google warns that the DarkSword exploit kit is planting info‑stealing code on iPhones now.
Six vulnerabilities are chained by a new iOS exploit kit, DarkSword, that has been stealing iPhone data since November 2025, Google warns, according to The Register.
Key Facts
- Key company: Google
- Also mentioned: Apple
Google’s joint analysis with iVerify and Lookout shows that the DarkSword exploit kit has been active on iPhones since at least November 2025, targeting devices running iOS 18.4‑18.7. The kit chains together six distinct CVEs—CVE‑2025‑31277, CVE‑2025‑43529, CVE‑2026‑20700, CVE‑2025‑14174, CVE‑2025‑43510 and CVE‑2025‑43520—to bypass Apple’s exploit mitigations and install three separate backdoors that siphon messages, recordings, location history, signed‑in accounts and even cryptocurrency wallet credentials. All six vulnerabilities have been patched, and the researchers stress that users must upgrade to the latest iOS release to close the hole (The Register).
The exploitation chain begins when a victim opens a malicious link, which triggers either CVE‑2025‑31277 or CVE‑2025‑43529 in the browser, depending on the OS version. Those bugs grant arbitrary memory read/write primitives, which the attackers then use to subvert Trusted Path Read‑Only (TPRO) and Pointer Authentication Code (PAC) protections via CVE‑2026‑20700. This maneuver sidesteps the SPRR and JIT‑Cage mitigations, allowing code execution inside the WebContent process, according to iVerify’s Matthias Frielingsdorf and Mateusz Krzywicki. From there the exploit pivots to the GPU process by exploiting an out‑of‑bounds write in the ANGLE library (CVE‑2025‑14174) and repeats the PAC bypass, gaining full control of the GPU process’s memory space.
With GPU control secured, the attackers abuse a copy‑on‑write flaw in the AppleM2ScalerCSCDriver (CVE‑2025‑43510), which yields arbitrary memory read/write and function‑call primitives inside the mediaplaybackd daemon, reached through its exposed XPC interfaces. The final step leverages CVE‑2025‑43520 to gain kernel privileges in XNU and inject in‑memory JavaScript implants across system processes, enabling the exfiltration of the targeted data (The Register). The multi‑stage approach demonstrates a detailed understanding of Apple’s mitigation stack, something typically associated with nation‑state actors.
Google’s report identifies three distinct threat groups already using DarkSword, while warning that additional commercial surveillance vendors may have adopted the kit. One cluster, labeled UNC6748, operated a Snapchat‑styled site (snapshare.chat) to lure Saudi Arabian users throughout November 2025. The same group that previously employed the Coruna exploit framework—UNC6353, a suspected Russian espionage crew—has also been observed reusing DarkSword in watering‑hole campaigns aimed at Ukrainian targets (The Register). The reuse of a single exploit chain by multiple actors underscores a market for “plug‑and‑play” iOS spyware, where vendors can rent or purchase a ready‑made kit rather than develop bespoke zero‑day chains.
Apple has not commented on the findings (The Register). Nonetheless, the fact that all six CVEs were fixed suggests Apple’s internal security response was swift once the vulnerabilities were disclosed. Security analysts caution that the window between discovery and patch deployment is critical: users who delayed updates between November 2025 and the March 2026 patches were potentially exposed to prolonged data theft. The episode also raises broader concerns about the commoditization of iOS exploits, a trend that could pressure Apple to further harden its platform and expand its bug‑bounty program.
For consumers, the immediate takeaway is to ensure their iPhones run the latest iOS version and to avoid opening unknown links, especially on sites with suspicious branding. For enterprises, the incident highlights the need for mobile threat‑detection tooling that can flag anomalous network traffic and unusual process behavior, as Lookout recommends. As Google, iVerify and Lookout continue to monitor the threat landscape, the DarkSword case serves as a reminder that even the most tightly secured mobile ecosystems remain vulnerable to coordinated, multi‑stage exploit kits.
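As an added illustration of the enterprise takeaway (this is example code written for this page, not tooling from Google, iVerify, Lookout or The Register), the script below runs a simple triage over web‑proxy log lines: it extracts the iOS version from the User‑Agent, checks whether the device falls in the 18.4‑18.7 range the reporting names, and checks whether the host contacted is the snapshare.chat lure domain attributed to UNC6748. The log format and the sample lines are constructed for the example; the only indicators are the two the article gives, so a real deployment would load a fuller IOC list and, because the article does not name the fixed point releases, confirm patch status against Apple’s advisories rather than this coarse major.minor range.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the article: the lure domain UNC6748 used and the
# iOS minor-version range DarkSword targeted. Everything else is assumed.
LURE_DOMAINS = {"snapshare.chat"}
TARGETED_MIN = (18, 4)   # inclusive, major.minor
TARGETED_MAX = (18, 7)   # inclusive; 18.7.x point releases may already be
                         # patched, so treat hits as "verify", not "confirmed"

# Constructed proxy log lines in a hypothetical key=value format (not real telemetry).
SAMPLE_LOGS = [
    '2025-11-12T09:14:03Z src=10.0.4.21 host=snapshare.chat '
    'ua="Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15"',
    '2025-11-12T09:15:11Z src=10.0.4.22 host=www.snapshare.chat '
    'ua="Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_1 like Mac OS X) AppleWebKit/605.1.15"',
    '2025-11-12T09:16:40Z src=10.0.4.23 host=snapshare.chat '
    'ua="Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36"',
    '2025-11-12T09:17:02Z src=10.0.4.24 host=cdn.example.com '
    'ua="Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X) AppleWebKit/605.1.15"',
    '2025-11-12T09:18:55Z src=10.0.4.25 host=cdn.example.com '
    'ua="Mozilla/5.0 (iPhone; CPU iPhone OS 18_3 like Mac OS X) AppleWebKit/605.1.15"',
    'malformed line with no recognisable fields',
]

LINE_RE = re.compile(r'src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+ua="(?P<ua>[^"]*)"')
# Safari on iOS reports the version as "CPU iPhone OS 18_5" or "18_7_1".
IOS_RE = re.compile(r"CPU iPhone OS (\d+)_(\d+)(?:_(\d+))?")


def parse_ios_version(ua: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an iPhone User-Agent, or None if not iOS."""
    m = IOS_RE.search(ua)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def in_targeted_range(version: Tuple[int, int, int]) -> bool:
    """Coarse major.minor check against the range the reporting names."""
    return TARGETED_MIN <= version[:2] <= TARGETED_MAX


def is_lure_host(host: str) -> bool:
    """Match the lure domain and any subdomain; ignore case and a trailing dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LURE_DOMAINS)


def fmt(version: Tuple[int, int, int]) -> str:
    return ".".join(str(p) for p in version)


@dataclass
class Finding:
    src: str
    severity: str
    reason: str


def triage(lines: List[str]) -> List[Finding]:
    """Rank each parseable line: lure contact from an in-range iPhone is highest."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, host, ua = m.group("src"), m.group("host"), m.group("ua")
        version = parse_ios_version(ua)
        vulnerable = version is not None and in_targeted_range(version)
        lure = is_lure_host(host)
        if lure and vulnerable:
            findings.append(Finding(src, "high", f"iOS {fmt(version)} contacted lure host {host}"))
        elif lure:
            findings.append(Finding(src, "medium", f"non-iOS or unknown device contacted lure host {host}"))
        elif vulnerable:
            findings.append(Finding(src, "low", f"iOS {fmt(version)} inside targeted range; prioritise update"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.severity.upper():6} {f.src:12} {f.reason}")
```

The "low" tier is an inventory signal, not an alert: a device in the range with no lure contact has simply not been updated, and the 18.3 device, outside the named range, is still further behind and would be caught by a separate "not on latest release" policy check that this example does not implement.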