Mallory
Malware · Used by 5 actors · Exploits 7 CVEs

GHOSTBLADE

GHOSTBLADE is a JavaScript-based iOS post-exploitation malware family associated with the DarkSword full-chain exploit kit. It is described as a highly aggressive infostealer/dataminer and, in some reporting, as an initial-stage implant used for device profiling and access validation after successful compromise. DarkSword has been observed since at least November 2025 targeting iOS devices running versions 18.4 through 18.7, and successful exploitation can deploy GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER depending on the threat actor and campaign.

High-confidence reporting links GHOSTBLADE to data theft from compromised Apple devices. Reported collection targets include iMessages, Telegram and WhatsApp data, email, calls, contacts, cryptocurrency wallet data, Safari history and cookies, photos, Health databases, device keychains, location history, system and connectivity information, and saved Wi-Fi passwords. Multiple sources also state that DarkSword-delivered malware families, including GHOSTBLADE, exfiltrate data such as iMessages, cryptocurrency wallet data, location history, and saved Wi-Fi passwords. One report notes debugging code in GHOSTBLADE related to Wi-Fi credential targeting and kernel-memory hexdumping.

GHOSTBLADE has been associated with several Russia-linked operations. Public reporting attributes it to the suspected Russian espionage actor UNC6353, which reportedly used DarkSword in watering-hole campaigns against Ukrainian targets. Proofpoint and Malfors also reported that COLDRIVER/TA446 used the DarkSword kit to deliver GHOSTBLADE in spear-phishing campaigns, including fake Atlantic Council "discussion invitation" emails, targeting government, think tank, higher education, financial, and legal entities. The broader DarkSword ecosystem has also been observed in campaigns affecting targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

The infection vector for GHOSTBLADE is the DarkSword exploit chain, delivered through watering-hole compromises of legitimate websites and through targeted phishing that directs vulnerable iPhone users to the exploit. After full compromise, DarkSword drops one of its JavaScript malware families onto the victim device. The cited analysis assesses that GHOSTBLADE was likely developed by the DarkSword developers, based on coding-style consistency and tight integration with shared library code.

Known malware-family context and identifiers from public reporting include the name GHOSTBLADE/GhostBlade and its role as one of three DarkSword payload families alongside GHOSTKNIFE and GHOSTSABER. Reported related infrastructure and campaign artifacts are tied primarily to DarkSword operations rather than uniquely to GHOSTBLADE itself.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

7 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2026-32183: Command Injection in Windows Snipping Tool (exploited in the wild)

Additionally, two vulnerabilities and a multi-component exploit kit were directly connected to active malware campaigns, including a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.

Source table row (columns as extracted): 28 | CVE-2026-32183 | 99 | Apple iOS / iPadOS (DarkSword Chain) | CWE-119 – Memory Corruption | No

Source: Cyber Security News (cybersecuritynews.com)
CVE-2025-43520: Apple XNU VFS kernel race condition privilege escalation (exploited in the wild)

CVE-2025-43520 (CVSS score: 8.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected system termination or write kernel memory. (Fixed in December 2025)

...an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three bugs, to deploy various malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft.

Source: The Hacker News (thehackernews.com)
CVE-2025-43510: Improper locking copy-on-write memory corruption in Apple XNU kernel (exploited in the wild)

...an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three bugs, to deploy various malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft.

CVE-2025-43510 (CVSS score: 7.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected changes in memory shared between processes. (Fixed in December 2025)

Source: The Hacker News (thehackernews.com)
CVE-2025-31277: Memory corruption in Apple WebKit/JavaScriptCore web content processing (exploited in the wild)

CVE-2025-31277 (CVSS score: 8.8) - A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content. (Fixed in July 2025)

...an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three bugs, to deploy various malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft.

Source: The Hacker News (thehackernews.com)
CVE-2025-14174: Out-of-bounds memory access in ANGLE in Google Chrome on Mac (exploited in the wild)

DarkSword is an exploit kit that targets iPhones running iOS versions 18.4 through 18.7... The kit leverages six vulnerabilities, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

Source: gHacks (ghacks.net)
CVE-2025-43529: Use-after-free in Apple JavaScriptCore/WebKit leading to arbitrary code execution (exploited in the wild)

DarkSword is an exploit kit that targets iPhones running iOS versions 18.4 through 18.7... The kit leverages six vulnerabilities, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

Source: gHacks (ghacks.net)
CVE-2026-20700: Apple dyld user-mode PAC bypass and memory corruption (exploited in the wild)

DarkSword is an exploit kit that targets iPhones running iOS versions 18.4 through 18.7... The kit leverages six vulnerabilities, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

Source: gHacks (ghacks.net)
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UNC6748

Depending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

Source: Austin Larsen blog (austinlarsen.me)
PARS Defense

Depending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

Source: Austin Larsen blog (austinlarsen.me)
UNC6353

Depending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

Source: Austin Larsen blog (austinlarsen.me)
Star Blizzard

Proofpoint and Malfors also revealed that another Russia-linked threat actor known as COLDRIVER (aka TA446) has exploited the DarkSword kit to deliver the GHOSTBLADE data stealer malware in attacks targeting government, think tank, higher education, financial, and legal entities.

Source: The Hacker News (thehackernews.com)
DarkSword

Artifacts left behind from the Webpack process applied to the analyzed GHOSTBLADE sample included file paths that show the structure on disk of these libraries (Figure 22). We assess that GHOSTBLADE was likely developed by the DarkSword developers, based on the consistency in coding styles and the tight integration between it and the library code, which is notably distinct from how GHOSTKNIFE and GHOSTSABER leveraged these libraries.

Source: Mandiant Threat Intelligence (cloud.google.com)
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1189 Drive-by Compromise (evidence: 10)

...a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.

T1190 Exploit Public-Facing Application (evidence: 6)

By chaining together six different zero-day vulnerabilities, these actors were able to fully compromise devices running iOS 18.4 through 18.7.

T1566 Phishing (evidence: 1)

The hacking group is known for spear-phishing campaigns aimed at harvesting credentials from targets of interest. The latest activity involves using fake "discussion invitation" emails spoofing the Atlantic Council...

Execution

2 techniques
T1059.007 JavaScript (evidence: 5; tactic: Execution)

Researchers have observed three malware families associated with DarkSword attacks. These include GhostBlade, an aggressive JavaScript-based infostealer; GhostKnife, a backdoor; and GhostSaber, a JavaScript malware capable of executing code and stealing data.

T1203 Exploitation for Client Execution (evidence: 5; tactic: Execution)

CVE-2025-31277 ... A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content.

T1068 Exploitation for Privilege Escalation (evidence: 4)

DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve: Remote Code Execution (RCE), Sandbox Escape, Kernel-Level Privilege Escalation

T1611 Escape to Host (evidence: 3)

DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve: Remote Code Execution (RCE), Sandbox Escape, Kernel-Level Privilege Escalation

Stealth

1 technique
T1070 Indicator Removal (evidence: 1; tactic: Stealth)

It collects data quickly (within seconds to minutes) before removing itself from the target device.

Discovery

1 technique
T1518 Software Discovery (evidence: 1; tactic: Discovery)

functions as a comprehensive data miner exfiltrating iMessages, Telegram, and WhatsApp data, cryptocurrency wallet data

Collection

3 techniques
T1005 Data from Local System (evidence: 7)

Researchers have observed three malware families associated with DarkSword attacks. These include GhostBlade, an aggressive JavaScript-based infostealer; GhostKnife, a backdoor; and GhostSaber, a JavaScript malware capable of executing code and stealing data.

T1185 Browser Session Hijacking (evidence: 1)

The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi‑Fi, Springboard, Keychain, and iCloud, and then activates data-stealing modules... Browser history, Cookies

T1213 Data from Information Repositories (evidence: 2)

The latest activity... facilitate[s] the delivery of GHOSTBLADE, a dataminer malware... It's suspected that the TA446 is repurposing the DarkSword exploit kit for credential harvesting and intelligence collection.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 4)

These act as dataminers and backdoors, exfiltrating iMessages, cryptocurrency wallet data, location history, and saved WiFi passwords.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.

Type | Value | Latest sighting
domain | ●●●●●●●●●●●● (redacted) | 24 days ago
domain | ●●●●●●●●●●●● (redacted) | 2 months ago
domain | ●●●●●●●●●●●● (redacted) | 3 months ago
uri | ●●●●●●●●●●●● (redacted) | 3 months ago

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (4)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (5)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (7)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (13)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.