4 malware familiesExploits CVEs in the wild

UNC6748

Also known asUNC6748

UNC6748 is a threat actor tracked by Google Threat Intelligence Group that has been linked to use of the DarkSword iOS exploit kit since at least November 2025. GTIG first observed UNC6748 using DarkSword via a Snapchat-themed decoy/phishing site, including snapshare[.]chat, to target users in Saudi Arabia. The site impersonated Snapchat and used hidden code to automatically launch the exploit. UNC6748 is described in the reporting as a user of DarkSword and as a customer of Turkish commercial surveillance vendor PARS Defense. DarkSword activity associated with UNC6748 targeted iPhones running iOS 18.4 through 18.7. The exploit chain used six vulnerabilities to achieve full device compromise. In UNC6748 intrusions, the post-exploitation payload was GHOSTKNIFE, a JavaScript backdoor. Reported GHOSTKNIFE capabilities include exfiltration of signed-in account data, messages, browser data, location history, and audio recordings from the device microphone. Additional reporting states GHOSTKNIFE communicates with command-and-control using a custom binary protocol encrypted with ECDH and AES and deletes crash logs to hinder forensic detection. Known alias in the provided content: unc6748. The content also distinguishes UNC6748 from PARS Defense and from UNC6353, a suspected Russian espionage group.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇸🇦 Saudi Arabia

MITRE ATT&CK

Tradecraft

20 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics23 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

3 techniques

T1189×6

Drive-by Compromise

T1190×5

Exploit Public-Facing Application

T1566

Phishing

T1566.002

Spearphishing Link

TA0002

Execution

2 techniques

T1059

Command and Scripting Interpreter

T1059.007×2

JavaScript

T1203×3

Exploitation for Client Execution

TA0004

Privilege Escalation

2 techniques

T1068

Exploitation for Privilege Escalation

T1611×3

Escape to Host

TA0005

Stealth

3 techniques

T1027

Obfuscated Files or Information

T1070×2

Indicator Removal

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0006

Credential Access

1 technique

T1649×2

Steal or Forge Authentication Certificates

TA0007

Discovery

1 technique

T1497

Virtualization/Sandbox Evasion

T1497.001

System Checks

TA0009

Collection

4 techniques

T1005×3

Data from Local System

T1123

Audio Capture

T1185

Browser Session Hijacking

T1213

Data from Information Repositories

TA0011

Command and Control

2 techniques

T1071×2

Application Layer Protocol

T1573

Encrypted Channel

TA0010

Exfiltration

1 technique

T1041×2

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

GHOSTKNIFEDepending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.3Apr 9, 2026

DarkswordA major new cybersecurity threat has emerged for iPhone users worldwide, as researchers have uncovered a new hacking tool called DarkSword. According to a joint investigation by Google, Lookout, and iVerify, hundreds of millions of people could be at risk if they have not updated their software recently.2Mar 24, 2026

GHOSTBLADEDepending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.2Apr 9, 2026

GHOSTSABERDepending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.2Apr 9, 2026

WEAPONIZED

Associated vulnerabilities

6 CVEs this actor has used in observed campaigns. 6 of them exploited in the wild.

CVE-2025-14174Out-of-bounds memory access in ANGLE in Google Chrome on MacIn the wildEvidence5

DarkSword is an exploit kit that targets iPhones running iOS versions 18.4 through 18.7... The kit leverages six vulnerabilities, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

CVE-2025-31277Memory corruption in Apple WebKit/JavaScriptCore web content processingIn the wildEvidence5

CVE-2025-43510Improper locking copy-on-write memory corruption in Apple XNU kernelIn the wildEvidence5

CVE-2025-43520Apple XNU VFS kernel race condition privilege escalationIn the wildEvidence5

CVE-2025-43529Use-after-free in Apple JavaScriptCore/WebKit leading to arbitrary code executionIn the wildEvidence5

1 more CVE tied to this actor tracked in Mallory.

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

ghacksNews

Apr 2, 2026

Apple Releases iOS 18.7.7 Update to Extend DarkSword Exploit Protection to More iPhones and iPads - gHacks Tech News

Associated with use of the DarkSword exploit kit in attacks against iPhones and iPads running vulnerable iOS 18 versions.

bleeping computerNews

Apr 1, 2026

Apple expands iOS 18 updates to more iPhones to block DarkSword attacks

Used the DarkSword iOS exploit kit in attacks against iPhones running vulnerable iOS 18 versions.

hackreadNews

Mar 24, 2026

DarkSword iPhone Exploit Leaked Online, Hundreds of Millions at Risk

Group associated with DarkSword delivery through a fake Snapchat-themed website targeting users in Saudi Arabia and other countries.

bleeping computerNews

Mar 23, 2026

CISA orders feds to patch DarkSword iOS flaws exploited attacks

Linked to use of the DarkSword iOS exploit kit in attacks involving cryptocurrency theft and surveillance activity.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping20

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs6

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.