
DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for Full Device Takeover

Redakcja Pixelift

Photo: The Hacker News

A security team has discovered the DarkSword exploit kit for iOS, which chains six vulnerabilities, including three previously unknown zero-day flaws, to achieve complete device takeover. Attackers can access sensitive data and control a victim's smartphone without their knowledge. The chain combines bugs in the iOS kernel, the Safari browser, and system components. The zero-days are particularly dangerous because the manufacturer had no opportunity to patch them before disclosure. Experts emphasize that DarkSword poses a threat to business users who store confidential company information on their devices. Apple has been notified of the vulnerabilities and is working on security patches. In the meantime, specialists recommend updating iOS to the latest version, disabling Bluetooth and WiFi on public networks, and avoiding suspicious links. The incident underscores the importance of zero-trust network access (ZTNA) architectures, which restrict application access to authorized users only, eliminating the risk of lateral movement within the network.

In November 2025, the security of iPhone and iPad users entered a new phase. Research teams from Google Threat Intelligence Group, iVerify, and Lookout revealed the existence of DarkSword — a set of exploits capable of completely taking over iOS devices by exploiting six security vulnerabilities, three of which were previously unknown zero-days. This discovery is not just another alarm among cybersecurity specialists. It shows that Apple's ecosystem, considered by many to be a bastion of security, has become a target of interest for both commercial surveillance software vendors and actors linked to state structures. The problem is more serious than it might seem — DarkSword is not a tool left in the shadows, but an actively used arsenal that is changing the way we think about data protection on mobile devices.

For Polish users, especially those working in the public, financial, or intellectual sectors, this news should set off a red flag. An iPhone may be considered secure, but only until someone with the appropriate set of tools decides to attack it. DarkSword is exactly such a set — and according to reports, it is already in the hands of those who do not hesitate to use it.

Six vulnerabilities, three previously unknown — anatomy of a full-chain attack

Before we move on to technical details, it's worth understanding what the term "full-chain exploit" means. It is not a single vulnerability that can be patched with one update. It is a series of precisely coordinated attacks, each exploiting a different vulnerability, each representing another milestone on the path to complete device takeover. DarkSword uses exactly six such vulnerabilities, and three of them were previously completely unknown to Apple and the security community.

Zero-day vulnerabilities are the really dangerous ones. The manufacturer doesn't know about them, there is no patch for them, and the attacker can use them practically without limitations. Three such vulnerabilities in one exploit set is a situation that shouldn't happen. Each of them allows progression to the next stage of the attack. The first can be used for privilege escalation, the second for sandbox escape, the third for gaining access to the most protected parts of the system. Together they create a path that is almost impossible to stop without knowledge of the vulnerabilities themselves.

According to the GTIG report, the remaining three vulnerabilities in DarkSword were already known, but had never been chained together in this way. This shows that the creators of this exploit set not only have access to new vulnerabilities, but also have deep knowledge of iOS architecture and of the ways in which individual system components can be chained together for exploitation. This is not the work of a hobbyist — it is professional work by a team with access to resources that only a few organizations in the world possess.

From commercial surveillance vendors to state actors — the threat ecosystem

One of the most alarming aspects of the DarkSword report is the fact that the exploit set is being used by multiple different threat actors. We are not dealing with a single group of cybercriminals or one country. Instead, we see an ecosystem in which digital weapons traders sell access to advanced attack tools, and those who buy them are both surveillance companies and structures linked to governments.

Commercial surveillance software vendors are companies like NSO Group (known for Pegasus) and Candiru. Their products are sold to governments and security agencies under the guise of fighting terrorism and crime. In practice, these tools are often used to monitor journalists, activists, opposition politicians, and ordinary citizens. The fact that they now have access to DarkSword means their capabilities have been dramatically expanded. Instead of waiting for zero-days or investing in their development, they can simply buy access to a ready-made exploit set.

Even more concerning are "suspected actors linked to state structures." This is a diplomatic way of saying that governments of various countries — regardless of which — may be using DarkSword to surveil their own citizens, diplomats of other countries, or business competitors. Poland, as a member of the European Union and NATO, is particularly interesting to such actors. Polish politicians, officials, businessmen, and scientists may be targets of such attacks.

How DarkSword takes over your device — step by step

To understand the scale of the threat, it's worth going through how DarkSword actually works. The attack usually begins with a delivery vector — the way the exploit reaches the device. This could be a malicious link in an SMS message, an email with an attachment, or even a vulnerability in an application that the user already has installed. Apple tries to make this difficult through sandboxing, but DarkSword has an answer for that.

The first of the three zero-day vulnerabilities is used for privilege escalation. iOS, like all modern operating systems, enforces privilege boundaries — applications run with limited privileges so that they cannot do too much damage. DarkSword pierces this boundary, allowing code to run with kernel privileges. This is the point where the attacker stops being limited to the application sandbox.

The second zero-day vulnerability is a sandbox escape — an escape from the isolated environment in which applications normally run. Even if an application is infected, it should be restricted to its own resources. DarkSword pierces this barrier, allowing direct access to the file system, data from other applications, and sensitive system information. This is the moment when the attacker gains access to SMS messages, emails, browser history, photos, and any other data stored on the device.

The third zero-day vulnerability is used for persistence — maintaining access. DarkSword installs itself in deep layers of the system where a normal user cannot find or remove it. Even if the device is reset, the exploit can survive. This means that once a device is infected, it practically stays infected until Apple releases an update that fixes all three zero-day vulnerabilities.

The third zero-day vulnerability — the one no one sees

The third of the three zero-day vulnerabilities is particularly clever. While the first two are used to take control of the device, the third is used for avoiding detection. iOS has built-in security mechanisms that monitor suspicious activity. DarkSword uses the third vulnerability to disable these mechanisms or hide its activity from them. This means that even if the device has threat protection software installed, DarkSword can operate practically unnoticed.

For the user, this means there are no visible signs of infection. The battery may drain faster, but that can be attributed to other factors. The device may sometimes be slower, but that can be attributed to the age of the device. Everything looks normal, while in the background the attacker has full access to all data on the device. They can read SMS messages, listen to calls, track location, access banking applications, all without the user's knowledge.

Poland in the orbit of threat — why this concerns us

Poland is not a country typically mentioned on the front line of cybersecurity threats, but that doesn't mean we are safe. Quite the opposite. Poland has a long history of being a target of interest for threat actors from Russia, China, and other countries. Additionally, the Polish economy, particularly the technology and financial sectors, is an attractive target for commercial surveillance software vendors.

Polish politicians and officials may be targets of interest to foreign governments seeking insight into Polish political decisions. Polish businessmen may be targets of competitors seeking access to trade secrets. Polish scientists working in sensitive areas may be targets of governments interested in acquiring research. And ordinary Polish citizens may be targets of criminals seeking access to their banking data or identity.

Given that DarkSword has been actively used since November 2025, it is very likely that Poles have already fallen victim to this attack. Perhaps we don't know about it, but our data may already be in the hands of attackers. This is not paranoia — it is a realistic assessment of the situation based on available information.

Apple updates — is this enough?

Apple typically responds quickly to security vulnerability discoveries, but in the case of DarkSword, the situation is more complicated. Apple must not only fix the three zero-day vulnerabilities, but also the remaining three vulnerabilities. This requires coordination between different teams, testing to ensure the patch doesn't cause other problems, and finally distribution to billions of devices worldwide.

In the meantime, devices remain vulnerable. Apple typically releases security updates monthly, but sometimes waits longer, especially if the vulnerability is already being actively exploited. In the case of DarkSword, Apple had motivation to act quickly, but even if it released an update quickly, millions of users won't update their devices immediately. Some will never update them, leaving themselves vulnerable to attacks.

For users in Poland, this means they should update their iOS devices to the latest version as soon as possible. There is no middle ground here — if you don't have the latest update, you may be vulnerable to DarkSword. Additionally, they should be careful about what applications they install, what links they click in SMS messages and emails, and what data they share with applications.

Mobile security — crisis of trust or natural evolution?

The discovery of DarkSword raises a fundamental question about the security of mobile devices. For years, Apple promoted the iPhone as a secure device that doesn't need antivirus or complicated security tools. "It just works" — was the promise. But DarkSword shows that this promise has limitations. Even the best-designed system can be pierced by sufficiently advanced attackers.

This doesn't mean that iPhone is less secure than Android — Android has its own security problems. It means that mobile security is more complicated than it might seem. No operating system is completely secure. There will always be vulnerabilities, there will always be ways to circumvent them, there will always be threat actors who will try to exploit them.

For the mobile security industry, DarkSword is both a challenge and an opportunity. A challenge because it shows that traditional security approaches — based on isolation and sandboxing — can be pierced. An opportunity because it inspires the development of new security approaches that may be more resistant to advanced attacks. In Poland, where the cybersecurity sector is still developing, this could be a turning point for innovation in mobile security.

Practical steps for users — what to do now

If you own an iPhone or iPad, here's what you should do immediately. First, update your device to the latest iOS version. Go to Settings > General > Software Update and check if an update is available. If so, install it immediately. This is the most important step you can take.

Second, be careful about what you click on. DarkSword usually reaches devices through malicious links or attachments. If you receive an SMS or email from someone you don't know, or from someone asking you to click on a link, don't do it. If a link looks suspicious — even if it comes from someone you know — verify it before clicking. Cybercriminals are clever and can forge email addresses or phone numbers.

Third, enable two-factor authentication on all your important accounts — email, social media, online banking. Even if an attacker gains access to your device, they will have a harder time accessing your accounts without a second authentication factor.

Fourth, consider using a VPN when you're on public WiFi networks. A VPN won't protect you from DarkSword, but it will protect you from other threats that may exist on public networks. Additionally, if you're in Poland and want to protect your privacy from local monitoring, a VPN may be useful.

Finally, be aware that no system is completely secure. Even if you take all these steps, you can still be attacked. This is not your fault — it is the reality of cybersecurity in 2025. But you can reduce the risk by being careful, updating your devices, and educating yourself about threats.

The future of security — can we win this war?

DarkSword is a symptom of a deeper problem in cybersecurity. Zero-day vulnerabilities will always exist. Attackers will always have a time advantage — they know about the vulnerability before the manufacturer, and certainly before the user. The only way to reduce risk is to change the way we think about security.

Instead of relying on the system being completely secure, we should assume it will be attacked and plan for that possibility. This means better detection — the ability to quickly detect when a device has been attacked. This means better resilience — the ability to function even when parts of the system have been attacked. This means better education — teaching users about threats and ways to avoid them.

In Poland, this could mean investments in mobile security research, supporting cybersecurity startups, and educating society about cyber threats. It could also mean a more decisive stance against surveillance software vendors that could be used to violate human rights. But these are bigger questions for politicians and business leaders — at the user level, the best we can do is be careful and update our devices.
