Apple DarkSword: WebKit Buffer Overflow Exploited in iOS Spy Campaign
A buffer overflow vulnerability exists in Apple's WebKit rendering engine (CWE-119). Processing maliciously crafted web content may lead to memory corruption. This vulnerability is one of six zero-days comprising the DarkSword iOS exploit chain, actively used by commercial surveillance vendors and suspected state-sponsored threat actors against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.
This section explains the vulnerability in everyday language, so anyone can understand the risk and impact.
Imagine visiting a website that secretly crashes a part of your iPhone's brain — before you've even clicked anything. That's essentially what CVE-2025-31277 allows.
WebKit is the engine under the hood of Safari and all iOS browsers (yes, even Chrome and Firefox on iPhone use it — Apple requires it). This vulnerability is a "buffer overflow," meaning an attacker can trick WebKit into writing data outside its allowed memory space — like scribbling outside the lines of a coloring book, except the "scribble" is malicious code that takes over your device.
Google's Threat Intelligence Group discovered this as part of a six-vulnerability exploit chain called **DarkSword**. Multiple hacking groups — including commercial spyware vendors and suspected Russian and other state-backed hackers — have been using DarkSword in the wild since at least November 2025. Targets include individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine.
Once DarkSword lands on your device, it deploys one of three malware families: GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER — all built for covert surveillance.
**The good news:** Apple has patched this in iOS 18.6, iPadOS 18.6, macOS Sequoia 15.6, Safari 18.6, watchOS 11.6, tvOS 18.6, and visionOS 2.6. Update now.
Affected Products
Remediation
Update all Apple devices immediately: iOS/iPadOS 18.6, macOS Sequoia 15.6, Safari 18.6, watchOS 11.6, tvOS 18.6, visionOS 2.6. On the device, go to Settings → General → Software Update. High-risk individuals unable to update immediately should enable Lockdown Mode.
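For teams managing more than a handful of devices, the check below compares an inventory export against the fixed versions listed above. It is an added example, not code from Apple or from this advisory. The CSV layout, device names and sample rows are constructed, and it assumes any version below the listed fix needs updating, since the advisory does not say whether older OS lines received separate fixes.

```python
# Added example; the CSV layout and sample rows are constructed.
import csv
import io

# Fixed versions as listed in the advisory's remediation section.
FIXED = {
    "ios": (18, 6), "ipados": (18, 6), "macos": (15, 6), "safari": (18, 6),
    "watchos": (11, 6), "tvos": (18, 6), "visionos": (2, 6),
}

def parse_version(text):
    """Turn '18.5.1' into (18, 5, 1); raise ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(platform, version):
    """True/False for a known platform, None when the record cannot be judged."""
    fixed = FIXED.get(platform.strip().lower())
    if fixed is None:
        return None
    try:
        have = parse_version(version)
    except ValueError:
        return None
    # Tuples compare numerically per component, so 18.10 > 18.6
    # (a plain string comparison gets this wrong).
    return have >= fixed

def audit(inventory_csv):
    """Return (needs_update, unknown) lists of device names."""
    needs_update, unknown = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = is_patched(row["platform"], row["version"])
        if verdict is None:
            unknown.append(row["device"])
        elif not verdict:
            needs_update.append(row["device"])
    return needs_update, unknown

# Constructed sample inventory, not real data.
SAMPLE = """device,platform,version
exec-phone,iOS,18.5.1
field-ipad,iPadOS,18.10
dev-mac,macOS,15.6
lab-watch,watchOS,11.6.1
kiosk-tv,tvOS,18.4
old-phone,iOS,17.7.2
mystery,Android,15
beta-mac,macOS,15.6b
"""

print(audit(SAMPLE))
```

Records that land in the second list (unknown platform or unparseable version string) need manual review rather than being treated as patched.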