GHOSTSABER
GhostSaber is a JavaScript-based backdoor/implant associated with the DarkSword iOS full-chain exploit framework. Following a successful DarkSword compromise of iPhones running affected iOS versions 18.4 through 18.7, GhostSaber was deployed as one of three post-exploitation malware families alongside GhostBlade and GhostKnife. High-confidence reporting describes GhostSaber as capable of executing JavaScript code and stealing victim data, and as an advanced implant supporting persistent surveillance and data exfiltration. Reported functionality includes device and account enumeration, file listing, file exfiltration, arbitrary SQLite query execution, photo thumbnail uploads, and support for more than 15 distinct C2 commands. Across DarkSword-related reporting, the associated malware families are described as exfiltrating data such as iMessages, cryptocurrency wallet data, location history, and saved Wi-Fi passwords. GhostSaber has been linked to campaigns using DarkSword conducted by the Turkish commercial surveillance vendor PARS Defense, including targeting in Turkey and Malaysia. It is delivered post-compromise rather than as an initial infection vector; initial access is provided by the DarkSword exploit chain, which has been observed in targeted campaigns by commercial surveillance vendors and suspected state-sponsored actors.
Vulnerabilities exploited
7 CVEs correlated with this family across public research and vendor advisories.
Additionally, two vulnerabilities and a multi-component exploit kit were directly connected to active malware campaigns, including a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
CVE-2026-32183 - Apple iOS / iPadOS (DarkSword Chain) - CWE-119 Memory Corruption
...an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three bugs, to deploy various malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft.
CVE-2025-31277 (CVSS score: 8.8) - A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content. (Fixed in July 2025)
CVE-2025-43510 (CVSS score: 7.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected changes in memory shared between processes. (Fixed in December 2025)
CVE-2025-43520 (CVSS score: 8.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected system termination or write kernel memory. (Fixed in December 2025)
DarkSword is an exploit kit that targets iPhones running iOS versions 18.4 through 18.7... The kit leverages six vulnerabilities, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Depending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
...a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
By chaining together six different zero-day vulnerabilities, these actors were able to fully compromise devices running iOS 18.4 through 18.7.
Execution (2 techniques)
Researchers have observed three malware families associated with DarkSword attacks. These include GhostBlade, an aggressive JavaScript-based infostealer; GhostKnife, a backdoor; and GhostSaber, a JavaScript malware capable of executing code and stealing data.
CVE-2025-31277 ... A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content.
Privilege Escalation (2 techniques)
DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve remote code execution (RCE), sandbox escape, and kernel-level privilege escalation.
Stealth (2 techniques)
This campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim.
It collects data quickly (within seconds to minutes) before removing itself from the target device.
Discovery (1 technique)
Supports over 15 distinct C2 commands, including device enumeration and file exfiltration.
Collection (3 techniques)
Researchers have observed three malware families associated with DarkSword attacks. These include GhostBlade, an aggressive JavaScript-based infostealer; GhostKnife, a backdoor; and GhostSaber, a JavaScript malware capable of executing code and stealing data.
GHOSTKNIFE... capable of exfiltrating signed-in accounts, messages, browser data, location history, and audio recordings from the device’s microphone
The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi‑Fi, Springboard, Keychain, and iCloud... Saved passwords... WhatsApp and Telegram databases... Cryptocurrency wallets
Command and Control (1 technique)
It communicates with its command-and-control (C2) server over a custom binary protocol encrypted with ECDH and AES.
Exfiltration (1 technique)
GHOSTSABER: Advanced implant supporting persistent surveillance and data exfiltration.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
A final-stage malware family deployed after successful exploitation via DarkSword on iOS devices.
A payload delivered by the DarkSword iOS full-chain exploit in an active malware campaign.
A JavaScript malware family capable of executing code and stealing data, observed in attacks associated with the DarkSword exploit kit.
JavaScript malware capable of executing code and stealing data on compromised iPhones.