The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
ID: 58899d33-cb9a-569b-857d-41abea5d30ce
STIX ID: report--58899d33-cb9a-569b-857d-41abea5d30ce
Feed Name: Threat Intelligence
This report details a sophisticated, multi-stage iOS exploit chain attributed to the DarkSword developers and the GHOSTBLADE payload. JavaScriptCore JIT and garbage-collection RCEs (CVE-2025-31277, CVE-2025-43529) are chained to a dyld PAC bypass (CVE-2026-20700), followed by sandbox escapes through ANGLE and XNU bugs (CVE-2025-14174, CVE-2025-43510) and a kernel VFS race (CVE-2025-43520) for local privilege escalation and post-exploitation. The report enumerates exploit filenames, libraries, and artifacts and notes patches deployed after GTIG/Apple reporting.
