DarkSword hacks millions of iPhones

🔑 Enhanced Key Takeaways

• •DarkSword exploits six vulnerabilities in iOS 18.4 to 18.6.2, including three zero-days in Safari, WebGPU, and the iOS kernel (CVE-2025-43520), enabling full device compromise via a malicious website.[1][2][3]
• •It employs a 'hit-and-run' fileless technique, hijacking legitimate system processes like WebContent, GPU process, and mediaplaybackd to exfiltrate data such as crypto wallets, iMessage, WhatsApp, and Apple Health records within minutes before self-cleaning.[1][2][5]
• •Discovered by Lookout, Google, and iVerify through analysis of UNC6353 infrastructure; the modular JavaScript-based kit supports rapid development and was ported from iOS 17 exploits, with C2 servers using ECDH/AES-encrypted HTTP.[2][3][5]

🛠️ Technical Deep Dive

• •Initiates with malicious iFrame on compromised sites loading JavaScript to fingerprint devices and deliver exploits targeting Safari/WebGPU for sandbox escape.
• •Uses out-of-bounds write in ANGLE (GPU process) and Pointer Authentication Codes (PAC) bypass for arbitrary read/write and function call primitives.
• •Escalates via Copy-On-Write vulnerability in AppleM2ScalerCSCDriver (XNU kernel) to mediaplaybackd daemon through XPC interfaces.
• •Exfiltrates from specific paths like /private/var/mobile/Library/SMS/sms.db (iMessage), WhatsApp databases (e.g., ChatStorage.sqlite), and Telegram AppGroup containers.
• •Employs custom binary protocol over HTTP with ECDH and AES encryption for C2 communication; cleanup erases staged files post-exfiltration.

🔮 Future ImplicationsAI analysis grounded in cited sources

⏳ Timeline