DarkSword is a JavaScript-based full-chain iOS exploit kit targeting iPhones running iOS 18.4 through 18.7. It chains six vulnerabilities, three of which were zero-days, to achieve full device compromise. It was disclosed on March 18, 2026 by Lookout, Google GTIG, and iVerify in a coordinated publication.

Did DarkSword use AI or LLM-generated code?

Lookout identified indicators suggesting LLM assistance was used in the creation of at least some of DarkSword's implant code. The specific indicators include emoji markers in code headings, numerous explanatory comments, log messages, and unobfuscated JavaScript. Lookout uses qualifying language such as 'suggests' and 'appears probable,' and notes that the code may have been added before the operator acquired the toolkit. Google GTIG and iVerify did not make any LLM claims in their published reports.

Is DarkSword the first malware to use LLM-assisted code?

No. Prior documented cases include PROMPTSTEAL, PROMPTFLUX, and samples analyzed by Netskope and Palo Alto Unit 42. However, all prior cases were either experimental, desktop-only, limited in scale, or assessed as operationally ineffective. DarkSword is the first documented case where researchers identified LLM-assistance indicators in a mass-deployed, professional-grade mobile exploit kit affecting potentially hundreds of millions of devices.

How many devices are affected by DarkSword?

iVerify estimated that approximately 14.2% of active iPhones (around 221 million devices) running iOS 18.4 through 18.6.2 are vulnerable. If all iOS 18 versions are considered, the figure rises to approximately 270 million devices. These figures measure the blast radius of the exploit chain itself, not the LLM-assisted customization specifically.

Who is behind DarkSword?

Google GTIG identified three distinct threat actor groups using DarkSword: UNC6353 (suspected Russian, targeting Ukraine), UNC6748 (targeting Saudi Arabia), and PARS Defense (a Turkish commercial surveillance vendor, targeting Turkey and Malaysia). The developer of DarkSword appears to be a separate entity from these operators.

What CVEs does DarkSword exploit?

DarkSword chains six CVEs: CVE-2025-31277 and CVE-2025-43529 (JavaScriptCore memory corruption), CVE-2026-20700 (dyld PAC bypass), CVE-2025-14174 (ANGLE memory corruption), CVE-2025-43510 (kernel memory management), and CVE-2025-43520 (kernel memory corruption). Three of these were zero-days when first deployed.

How do I protect my iPhone from DarkSword?

Update to iOS 26.3.1 (latest) or iOS 18.7.6 at minimum. All six vulnerabilities exploited by DarkSword have been patched. High-risk users should enable Lockdown Mode. iVerify is offering its iVerify Basic app for free until May 2026 with DarkSword threat hunting capability.

What is the connection between DarkSword and Coruna?

DarkSword was discovered by Lookout while investigating Coruna's infrastructure. Both exploit kits were deployed by UNC6353 against Ukrainian targets and share command-and-control infrastructure. However, Rocky Cole of iVerify stated that DarkSword is 'an entirely separate kit made by entirely separate people.' CyberScoop and BleepingComputer reported that Lookout observed LLM usage in both kits.

Is the evidence that DarkSword used LLMs conclusive?

No. The evidence is circumstantial. Lookout identified indicators consistent with LLM-generated output: emoji markers, explanatory comments, unobfuscated code, and pattern analysis. These indicators are also consistent with code written by a junior developer or code that was not cleaned before deployment. Lookout explicitly offers an alternative explanation: the LLM-patterned code may have been added by the developer before the operator acquired the toolkit. No code fingerprinting, model attribution, or prompt artifact analysis has been published.

One post tagged with "Exploit Chain"

DarkSword and the LLM Question: What Every Outlet Mentioned but Nobody Wrote About

March 20, 2026 · 24 min read

Dhayabaran V

Barrack AI

On March 18, 2026, Lookout, Google's Threat Intelligence Group (GTIG), and iVerify published coordinated research disclosing DarkSword, a full-chain iOS exploit kit targeting iPhones running iOS 18.4 through 18.7. Within 48 hours, every major cybersecurity outlet covered the story. They covered the six CVEs, the three zero-days, the exploit chain walkthrough, the 270 million affected devices, the threat actor attribution, and the Coruna connection. But buried inside nearly every article was a finding that none of them turned into its own piece: indicators of LLM-assisted code inside a mass-deployed iOS exploit kit.