Inside DarkSword: A New iOS Exploit Kit Delivered Via Compromised Legitimate Websites
ID: f694e3c6-593c-58f3-b069-cfc0a6789869
STIX ID: report--f694e3c6-593c-58f3-b069-cfc0a6789869
Feed Name: iVerify Blog
DarkSword is a sophisticated watering-hole campaign that delivered a one-click iOS exploit chain via compromised Ukrainian websites and an Estonia-hosted asset server. The chain abuses multiple JavaScriptCore JIT bugs, GPU/ANGLE vulnerabilities, and a kernel Copy-On-Write flaw to achieve remote code execution, sandbox escape, and kernel privilege escalation, then injects in-memory JavaScript implants into system processes to exfiltrate keychains, Wi‑Fi credentials, messaging data, wallet files and other sensitive data. The report includes detailed implant code excerpts, file and network IOCs (e.g., static.cdncounter.net, sqwas.shapelie.com, novosti.dn.ua, 7aac.gov.ua), forensic indicators (logs, crashes, filesystem artifacts), affected iOS versions (primarily 18.4–18.6.2) and remediation guidance to update to patched iOS releases.