Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 3 actorsExploits 7 CVEs

GHOSTSABER

GhostSaber is a JavaScript-based backdoor/implant associated with the DarkSword iOS full-chain exploit framework. Following successful DarkSword compromise of iPhones running affected iOS 18.4 through 18.7 versions, GhostSaber was deployed as one of three post-exploitation malware families alongside GhostBlade and GhostKnife. High-confidence reporting describes GhostSaber as capable of executing JavaScript code and stealing victim data, and as an advanced implant supporting persistent surveillance and data exfiltration. Reported functionality includes device and account enumeration, file listing, file exfiltration, arbitrary SQLite query execution, photo thumbnail uploads, and support for more than 15 distinct C2 commands. Across DarkSword-related reporting, the associated malware families are described as exfiltrating data such as iMessages, cryptocurrency wallet data, location history, and saved Wi-Fi passwords. GhostSaber has been linked to campaigns using DarkSword conducted by the Turkish commercial surveillance vendor PARS Defense, including targeting in Turkey and Malaysia. It is delivered post-compromise rather than as an initial infection vector; the initial access is provided by the DarkSword exploit chain, which has been observed in targeted campaigns by commercial surveillance vendors and suspected state-sponsored actors.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

7 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

7 CVES
CVE-2026-32183Command Injection in Windows Snipping ToolExploited in the wild

Additionally, two vulnerabilities and a multi-component exploit kit were directly connected to active malware campaigns, including a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads. | Additionally, two vulnerabilities and a multi-component exploit kit were directly connected to active malware campaigns, including a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads... 28 CVE-2026-32183 99 Apple iOS / iPadOS (DarkSword Chain) CWE-119 – Memory Corruption No

via cyber security newscybersecuritynews.com
CVE-2025-31277Memory corruption in Apple WebKit/JavaScriptCore web content processingExploited in the wild

...an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three bugs, to deploy various malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft. | CVE-2025-31277 (CVSS score: 8.8) - A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content. (Fixed in July 2025)

via the hacker newsthehackernews.com
CVE-2025-43510Improper locking copy-on-write memory corruption in Apple XNU kernelExploited in the wild

...an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three bugs, to deploy various malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft. | CVE-2025-43510 (CVSS score: 7.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected changes in memory shared between processes. (Fixed in December 2025)

via the hacker newsthehackernews.com
CVE-2025-43520Apple XNU VFS kernel race condition privilege escalationExploited in the wild

CVE-2025-43520 (CVSS score: 8.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected system termination or write kernel memory. (Fixed in December 2025) | ...an iOS exploit kit codenamed DarkSword that leverages these shortcomings, along with three bugs, to deploy various malware families like GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER for data theft.

via the hacker newsthehackernews.com
CVE-2025-43529Use-after-free in Apple JavaScriptCore/WebKit leading to arbitrary code executionExploited in the wild

DarkSword is an exploit kit that targets iPhones running iOS versions 18.4 through 18.7... The kit leverages six vulnerabilities, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

via ghacksghacks.net
CVE-2025-14174Out-of-bounds memory access in ANGLE in Google Chrome on MacExploited in the wild

DarkSword is an exploit kit that targets iPhones running iOS versions 18.4 through 18.7... The kit leverages six vulnerabilities, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

via ghacksghacks.net
CVE-2026-20700Apple dyld user-mode PAC bypass and memory corruptionExploited in the wild

DarkSword is an exploit kit that targets iPhones running iOS versions 18.4 through 18.7... The kit leverages six vulnerabilities, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

via ghacksghacks.net
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
PARS Defense

Depending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

via austin larsen blogaustinlarsen.me
UNC6353

Depending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

via austin larsen blogaustinlarsen.me
UNC6748

Depending on the threat actor, a successful compromise deployed distinct malware families we track as GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER.

via austin larsen blogaustinlarsen.me
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1189Drive-by CompromiseEvidence6

...a sophisticated iOS full-chain exploit called DarkSword that delivered the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.

T1190Exploit Public-Facing ApplicationEvidence5

By chaining together six different zero-day vulnerabilities, these actors were able to fully compromise devices running iOS 18.4 through 18.7.

Execution

2 techniques
T1059.007JavaScriptEvidence7

Researchers have observed three malware families associated with DarkSword attacks. These include GhostBlade, an aggressive JavaScript-based infostealer; GhostKnife, a backdoor; and GhostSaber, a JavaScript malware capable of executing code and stealing data.

T1203Exploitation for Client ExecutionEvidence5

CVE-2025-31277 ... A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content.

Privilege Escalation

2 techniques
T1068Exploitation for Privilege EscalationEvidence4

DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve: Remote Code Execution (RCE) Sandbox Escape Kernel-Level Privilege Escalation

T1611Escape to HostEvidence3

DarkSword targets iOS 18.4–18.7, leveraging six vulnerabilities to achieve: Remote Code Execution (RCE) Sandbox Escape Kernel-Level Privilege Escalation

Stealth

2 techniques
T1027Obfuscated Files or InformationEvidence1

this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim

T1070Indicator RemovalEvidence2

It collects data quickly (within seconds to minutes) before removing itself from the target device.

Discovery

1 technique
T1083File and Directory DiscoveryEvidence1

supports over 15 distinct C2 commands, including device enumeration, file exfiltration

Collection

3 techniques
T1005Data from Local SystemEvidence7

Researchers have observed three malware families associated with DarkSword attacks. These include GhostBlade, an aggressive JavaScript-based infostealer; GhostKnife, a backdoor; and GhostSaber, a JavaScript malware capable of executing code and stealing data.

T1123Audio CaptureEvidence1

GHOSTKNIFE... capable of exfiltrating signed-in accounts, messages, browser data, location history, and audio recordings from the device’s microphone

T1213Data from Information RepositoriesEvidence1

The orchestrator injects a JavaScript engine into privileged iOS services such as App Access, Wi‑Fi, Springboard, Keychain, and iCloud... Saved passwords... WhatsApp and Telegram databases... Cryptocurrency wallets

Command and Control

1 technique
T1573Encrypted ChannelEvidence2

It communicates with its command-and-control (C2) server [[URL_7219874f_16]] over a custom binary protocol encrypted with ECDH and AES

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence5

GHOSTSABER: Advanced implant supporting persistent surveillance and data exfiltration

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app3 months ago
domain●●●●●●●●●●●●View more in app3 months ago
uri●●●●●●●●●●●●View more in app3 months ago
ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app
schneier on securityNews
May 5, 2026
DarkSword Malware - Schneier on Security

A final-stage malware family deployed after successful exploitation via DarkSword on iOS devices.

Read more
cyber security newsNews
Apr 16, 2026
31 High-Impact Vulnerabilities Exploited in March as Interlock Hits Cisco FMC Zero-Day

A payload delivered by the DarkSword iOS full-chain exploit in an active malware campaign.

Read more
ghacksNews
Apr 2, 2026
Apple Releases iOS 18.7.7 Update to Extend DarkSword Exploit Protection to More iPhones and iPads - gHacks Tech News

A JavaScript malware family capable of executing code and stealing data, observed in attacks associated with the DarkSword exploit kit.

Read more
bleeping computerNews
Apr 1, 2026
Apple expands iOS 18 updates to more iPhones to block DarkSword attacks

JavaScript malware capable of executing code and stealing data on compromised iPhones.

Read more
+10 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching3

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities7

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping14

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.