The Proliferation of DarkSword iOS Exploit Chain Adopted by ... #2027

Open
carlospolop wants to merge 1 commit into master from update_The_Proliferation_of_DarkSword__iOS_Exploit_Chain__20260319_131003
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/
  • Blog Title: The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
  • Suggested Section: Mobile Pentesting -> iOS Pentesting (add subsection on iOS web exploit delivery/staging tradecraft: hidden iframes, worker-from-blob loaders, Safari forcing via x-safari-https) ; optionally cross-link from Pentesting Web -> XSS/XS-Leaks/Browser exploitation notes ("multi-stage loader via iframe + document.write" patterns) but primary home should be iOS

🎯 Content Summary

Title/date/source: “The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors” (Google Threat Intelligence Group / Google Cloud Blog), published March 18, 2026.

What DarkSword is (impact & severity)
DarkSword is an in-the-wild iOS full-chain exploit (exploit kit) observed since at least November 2025, used by multiple commercial surveillance vendors and suspected state-sponsored actors in distinct campaigns targeting users...

🔧 Technical Details

  1. Multi-stage iOS web exploit delivery via hidden iframes: Use a landing page that gates execution (e.g., !sessionStorage.getItem('uid')) to prevent reinfection and evade analysis, then dynamically inject a hidden/off-screen <iframe> to a staging page (e.g., frame.html?{Math.random()}). The staging HTML can inject the main loader using document.write() to create a script tag for the loader (e.g., rce_loader.js). The loader can synchronously fetch subsequent exploit stages with XMLHttpRequest (open(..., false)) and run them as worker-like code by converting fetched JS into a Blob and executing it via URL.createObjectURL().

  2. Forcing Safari to hit the WebKit/JSC attack surface: If a victim opens a lure in a non-target browser on iOS (e.g., Chrome), redirect using the x-safari-https:// protocol handler to force the same URL to ope...

🤖 Agent Actions

Summary:

  • Added a new “iOS Web Exploit Delivery & Staging Tradecraft” section to src/mobile-pentesting/ios-pentesting/ios-webviews.md with concise patterns from the DarkSword report (hidden iframes, loader injection, sync XHR, Blob workers, Safari forcing, encrypted stage fetch, watering-hole iframe sandboxing, and anti-forensics indicators).
  • Appended the DarkSword blog URL to the References section in src/mobile-pentesting/ios-pentesting/ios-webviews.md.

Tests:

  • Not run (docs-only change).

If you want, I can also tighten the wording further or relocate this section to a different iOS page.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
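As an added example that is not part of this PR, the HackTricks page or the GTIG report: a Node.js scanner that flags the staging indicators summarized in the PR text (sessionStorage gating, a dynamically injected hidden iframe with a Math.random() cache-buster, document.write() script-loader injection, synchronous XHR, Blob-backed Worker execution, and the x-safari-https:// redirect) across a set of page sources. The regexes, weights, flag threshold, file names and page contents are all constructed for illustration; none of them are signatures or IOCs taken from the report.

```javascript
// Added example, not code from the GTIG report or the HackTricks page:
// a static scanner for the DarkSword-style staging indicators described in
// the PR text, run over constructed sample pages. Regexes, weights, the
// threshold and all sample content are illustrative assumptions.

const INDICATORS = [
  {
    name: 'sessionStorage gate (run-once / anti-reinfection check)',
    weight: 1,
    test: s => /!\s*sessionStorage\.getItem\(/.test(s),
  },
  {
    name: 'dynamically created iframe that is hidden or pushed off-screen',
    weight: 2,
    test: s =>
      /createElement\(\s*['"]iframe['"]\s*\)/.test(s) &&
      /(display\s*[:=]\s*['"]?none|visibility\s*[:=]\s*['"]?hidden|(left|top)\s*[:=]\s*['"]?-\d)/.test(s),
  },
  {
    name: 'Math.random() cache-buster appended to a staging URL',
    weight: 1,
    test: s => /\?\s*(\$\{|['"]\s*\+\s*)\s*Math\.random\(\)/.test(s),
  },
  {
    name: 'document.write() injecting a <script src=...> loader',
    weight: 2,
    test: s => /document\.write\(\s*[`'"][^`'"]*<script[^>]*\bsrc\s*=/i.test(s),
  },
  {
    name: 'synchronous XMLHttpRequest (open(..., false))',
    weight: 2,
    test: s => /\.open\(\s*['"][A-Z]+['"]\s*,[^;]*?,\s*false\s*\)/.test(s),
  },
  {
    name: 'fetched JS run as a Worker from a Blob via URL.createObjectURL',
    weight: 3,
    test: s => /new\s+Blob\(/.test(s) && /URL\.createObjectURL\(/.test(s) && /new\s+Worker\(/.test(s),
  },
  {
    name: 'x-safari-https:// redirect forcing the page into Safari',
    weight: 3,
    test: s => /x-safari-https:\/\//i.test(s),
  },
];

// Score one page or script body: total weight plus the matched indicator names.
function scanPage(content) {
  const hits = INDICATORS.filter(i => i.test(content));
  return { score: hits.reduce((n, i) => n + i.weight, 0), hits: hits.map(i => i.name) };
}

// Assumption: one strong indicator or two weak ones is worth an analyst's look.
const FLAG_THRESHOLD = 3;

// Score every page of a site, highest score first.
function scanSite(pages) {
  return Object.entries(pages)
    .map(([path, content]) => ({ path, ...scanPage(content) }))
    .map(r => ({ ...r, flagged: r.score >= FLAG_THRESHOLD }))
    .sort((a, b) => b.score - a.score);
}

// Constructed sample site mirroring the staging flow in the PR text.
// File names and contents are made up for this example (the CriOS check in
// chrome_lure.html is a guess at how a lure might detect Chrome, not the report's).
const SAMPLE_PAGES = {
  'landing.html': [
    '<html><body><script>',
    "if (!sessionStorage.getItem('uid')) {",
    "  sessionStorage.setItem('uid', String(Date.now()));",
    "  var f = document.createElement('iframe');",
    "  f.style.display = 'none';",
    "  f.src = 'frame.html?' + Math.random();",
    '  document.body.appendChild(f);',
    '}',
    '</script></body></html>',
  ].join('\n'),
  'frame.html': [
    '<script>',
    "document.write('<script src=\"rce_loader.js\"><\\/script>');",
    '</script>',
  ].join('\n'),
  'rce_loader.js': [
    'var xhr = new XMLHttpRequest();',
    "xhr.open('GET', 'stage2.js?' + Math.random(), false);",
    'xhr.send(null);',
    "var blob = new Blob([xhr.responseText], { type: 'text/javascript' });",
    'var w = new Worker(URL.createObjectURL(blob));',
  ].join('\n'),
  'chrome_lure.html': [
    '<script>',
    'if (/CriOS/.test(navigator.userAgent)) {',
    "  location.href = 'x-safari-https://' + location.host + location.pathname;",
    '}',
    '</script>',
  ].join('\n'),
  'benign.html': [
    '<script>',
    "var w = new Worker('/static/worker.js');",
    'var x = new XMLHttpRequest();',
    "x.open('GET', '/api/me', true);",
    'x.send();',
    "if (!sessionStorage.getItem('consent')) { showBanner(); }",
    '</script>',
  ].join('\n'),
};

for (const r of scanSite(SAMPLE_PAGES)) {
  console.log(`${r.flagged ? 'FLAG' : '    '} score=${r.score} ${r.path}: ${r.hits.join('; ') || '-'}`);
}
```

Scoring is per file, so the chain's split across landing page, staging frame and loader matters: frame.html on its own carries only the document.write() loader and stays under the threshold, while the loader (sync XHR plus Blob-backed Worker) and the landing page (gate plus hidden iframe plus cache-buster) are flagged. In practice you would correlate across the fetch chain or the same origin rather than trust a single file, and treat these as triage heuristics only: minified or string-split code (`'<scr'+'ipt'`) evades the literal patterns, and a lone sessionStorage check, as benign.html shows, is too common to act on.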

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> iOS Pentesting (add subsection on iOS web exploit delivery/staging tradecraft: hidden iframes, worker-from-blob loaders, Safari forcing via x-safari-https) ; optionally cross-link from Pentesting Web -> XSS/XS-Leaks/Browser exploitation notes ("multi-stage loader via iframe + document.write" patterns) but primary home should be iOS".

Repository Maintenance:

  • MD Files Formatting: 954 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
