GHOSTKNIFE
GhostKnife is a JavaScript backdoor malware family delivered as a post-exploitation payload after successful compromise via the DarkSword iOS full-chain exploit. GTIG identified it as one of three malware families associated with DarkSword, alongside GhostBlade and GhostSaber. The malware has been observed in campaigns active since at least November 2025 against iOS devices running affected versions in the 18.4 through 18.7 range, with targeting reported in Saudi Arabia, Turkey, Malaysia, and Ukraine.
High-confidence reporting describes GhostKnife as an intermediate payload or backdoor that enables data collection and command execution. It is capable of exfiltrating large amounts of victim data, including signed-in account information, messages, browser data, location history, and audio recordings from the device microphone. Broader DarkSword reporting also states that the associated post-exploitation malware families act as dataminers and backdoors and have exfiltrated data such as iMessages, cryptocurrency wallet data, location history, and saved Wi-Fi passwords.
GhostKnife was specifically reported as deployed by threat cluster UNC6748 via a Snapchat-themed phishing site, snapshare[.]chat. More generally, DarkSword and its payloads have been linked to multiple actors, including commercial surveillance vendors and suspected state-sponsored operators; reporting also names PARS Defense and UNC6353 as DarkSword users, although the provided content does not directly attribute GhostKnife to those actors. The malware is associated with data theft and surveillance-oriented post-compromise activity on Apple iOS devices. The provided content does not include standalone file hashes or additional GhostKnife-specific network indicators beyond snapshare[.]chat as related delivery infrastructure.
Vulnerabilities exploited
7 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Additionally, two vulnerabilities and a multi-component exploit kit were directly connected to active malware campaigns, including a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
28 | CVE-2026-32183 | 99 | Apple iOS / iPadOS (DarkSword Chain) | CWE-119 – Memory Corruption | No
...an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three bugs, to deploy various malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft.
CVE-2025-43520 (CVSS score: 8.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected system termination or write kernel memory. (Fixed in December 2025)
CVE-2025-43510 (CVSS score: 7.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected changes in memory shared between processes. (Fixed in December 2025)
CVE-2025-31277 (CVSS score: 8.8) - A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content. (Fixed in July 2025)
DarkSword is an exploit kit that targets iPhones running iOS versions 18.4 through 18.7... The kit leverages six vulnerabilities, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Depending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
...a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
By chaining together six different zero-day vulnerabilities, these actors were able to fully compromise devices running iOS 18.4 through 18.7.
GHOSTKNIFE, deployed by threat cluster UNC6748 via a Snapchat-themed phishing site (snapshare[.]chat)
Execution
3 techniques
GHOSTKNIFE: Intermediate payload enabling data collection and command execution
DarkSword takes a different approach: the entire chain is written in JavaScript. By staying in JavaScript for every stage, the attackers avoid binary mitigations such as Apple's Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM).
CVE-2025-31277 ... A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content.
Privilege Escalation
2 techniques
DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve: Remote Code Execution (RCE), Sandbox Escape, and Kernel-Level Privilege Escalation.
Stealth
1 technique
It collects data quickly (within seconds to minutes) before removing itself from the target device.
Collection
4 techniques
GHOSTKNIFE: Intermediate payload enabling data collection and command execution
GHOSTKNIFE... capable of exfiltrating signed-in accounts, messages, browser data, location history, and audio recordings from the device’s microphone
The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi‑Fi, Springboard, Keychain, and iCloud, and then activates data-stealing modules... Browser history, Cookies
The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi‑Fi, Springboard, Keychain, and iCloud... Saved passwords... WhatsApp and Telegram databases... Cryptocurrency wallets
Command and Control
2 techniques
It communicates with its command-and-control (C2) server over a custom binary protocol encrypted with ECDH and AES
Exfiltration
1 technique
These act as dataminers and backdoors, exfiltrating iMessages, cryptocurrency wallet data, location history, and saved WiFi passwords.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A final-stage malware family deployed after successful exploitation via DarkSword on iOS devices.
A payload delivered by the DarkSword iOS full-chain exploit in an active malware campaign.
A backdoor observed in attacks associated with the DarkSword exploit kit.
A backdoor deployed on victims' devices as part of attacks using the DarkSword exploit kit.