
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors

Context

2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35

UNC6353

Extracted GHOSTBLADE sample

























Detections

YARA Rules


// GHOSTKNIFE backdoor: fires on a cluster of symbol/string artefacts from
// the sample set. Matching is restricted to bare binaries (container and
// other-platform formats are excluded by leading magic) under 10 MB.
rule G_Backdoor_GHOSTKNIFE_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"

    strings:
        // The misspellings below appear to be copied verbatim from the
        // sample; "correcting" them would break the match.
        $s1 = "server_pub_ex"
        $s2 = "client_pri_ds"
        $s3 = "getfilebyExtention"
        $s4 = "getContOfFilesForModule"
        $s5 = "carPlayConnectionState"
        $s6 = "saveRecordingApp"
        $s7 = "getLastItemBack"
        $s8 = "the inherted class"
        $s9 = "passExtetion"

    condition:
        // A four-string cluster is required; no single artefact is enough.
        4 of ($s*)
        and filesize < 10MB
        // Evaluate the extracted binary rather than its package or an
        // unrelated platform's executable.
        and not (
            uint16be(0) == 0x504b        // "PK"    - ZIP (IPA packages are ZIP archives)
            or uint32be(0) == 0x6465780a // "dex\n" - Android DEX
            or uint16be(0) == 0x4d5a     // "MZ"    - Windows PE
            or uint32be(0) == 0x377abcaf // 7-Zip archive header
        )
}

// GHOSTSABER backdoor: fires on a cluster of command/telemetry-related
// string artefacts from the sample set. Same guard rails as the other
// backdoor rule: bare binaries only, under 10 MB.
rule G_Backdoor_GHOSTSABER_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"

    strings:
        $s1 = "sendDeviceInfoJson"
        $s2 = "merge2AppLists"
        $s3 = "send_command_to_upper_process"
        $s4 = "ChangeStatusCheckSleepInterval"
        $s5 = "SendRegEx"
        $s6 = "evalJsResponse.json"
        $s7 = "sendSimpleUploadJsonObject"
        $s8 = "device_info_all"
        $s9 = "getPayloadForSimpleStatusRequest"

    condition:
        // A four-string cluster is required; no single artefact is enough.
        4 of ($s*)
        and filesize < 10MB
        // Evaluate the extracted binary rather than its package or an
        // unrelated platform's executable.
        and not (
            uint16be(0) == 0x504b        // "PK"    - ZIP (IPA packages are ZIP archives)
            or uint32be(0) == 0x6465780a // "dex\n" - Android DEX
            or uint16be(0) == 0x4d5a     // "MZ"    - Windows PE
            or uint32be(0) == 0x377abcaf // 7-Zip archive header
        )
}

// GHOSTBLADE data-mining component: fires on the output/staging file
// paths and header fragment it embeds. Lower threshold (3) than the
// backdoor rules because the string set is smaller and more specific.
rule G_Datamine_GHOSTBLADE_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"

    strings:
        // Staging paths under /private/var/tmp and per-app metadata plist.
        $s1 = "/private/var/tmp/wifi_passwords.txt"
        $s2 = "/private/var/tmp/wifi_passwords_securityd.txt"
        $s3 = "/.com.apple.mobile_container_manager.metadata.plist" fullword
        // Request header fragment; "${" is an ordinary literal in a YARA text string.
        $s4 = "X-Device-UUID: ${"
        $s5 = "/installed_apps.txt" fullword
        $s6 = "icloud_dump_" fullword

    condition:
        // Three of the six artefacts must co-occur.
        3 of ($s*)
        and filesize < 10MB
        // Evaluate the extracted binary rather than its package or an
        // unrelated platform's executable.
        and not (
            uint16be(0) == 0x504b        // "PK"    - ZIP (IPA packages are ZIP archives)
            or uint32be(0) == 0x6465780a // "dex\n" - Android DEX
            or uint16be(0) == 0x4d5a     // "MZ"    - Windows PE
            or uint32be(0) == 0x377abcaf // 7-Zip archive header
        )
}

// DarkSword exploit-chain implant library: hunting rule keyed on the
// source-file paths embedded in the implant. Any single path is a hit.
// There is deliberately no filesize cap or magic exclusion, so treat
// matches as leads for triage rather than as a direct alert.
rule G_Hunting_DarkSwordExploitChain_ImplantLib_FilePaths_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"

    strings:
        // Top-level entry points
        $p01 = "src/InjectJS.js"
        $p31 = "src/MigFilterBypassThread.js"

        // src/libs/Chain/
        $p02 = "src/libs/Chain/Chain.js"
        $p03 = "src/libs/Chain/Native.js"
        $p04 = "src/libs/Chain/OffsetsStruct.js"

        // src/libs/Driver/
        $p05 = "src/libs/Driver/Driver.js"
        $p06 = "src/libs/Driver/DriverNewThread.js"
        $p07 = "src/libs/Driver/Offsets.js"
        $p08 = "src/libs/Driver/OffsetsTable.js"

        // src/libs/JSUtils/
        $p09 = "src/libs/JSUtils/FileUtils.js"
        $p10 = "src/libs/JSUtils/Logger.js"
        $p11 = "src/libs/JSUtils/Utils.js"

        // src/libs/TaskRop/
        $p12 = "src/libs/TaskRop/Exception.js"
        $p13 = "src/libs/TaskRop/ExceptionMessageStruct.js"
        $p14 = "src/libs/TaskRop/ExceptionReplyStruct.js"
        $p15 = "src/libs/TaskRop/MachMsgHeaderStruct.js"
        $p16 = "src/libs/TaskRop/PAC.js"
        $p17 = "src/libs/TaskRop/PortRightInserter.js"
        $p18 = "src/libs/TaskRop/RegistersStruct.js"
        $p19 = "src/libs/TaskRop/RemoteCall.js"
        $p20 = "src/libs/TaskRop/Sandbox.js"
        $p21 = "src/libs/TaskRop/SelfTaskStruct.js"
        $p22 = "src/libs/TaskRop/Task.js"
        $p23 = "src/libs/TaskRop/TaskRop.js"
        $p24 = "src/libs/TaskRop/Thread.js"
        $p25 = "src/libs/TaskRop/ThreadState.js"
        $p26 = "src/libs/TaskRop/VM.js"
        $p27 = "src/libs/TaskRop/VmMapEntry.js"
        $p28 = "src/libs/TaskRop/VMObject.js"
        $p29 = "src/libs/TaskRop/VmPackingParams.js"
        $p30 = "src/libs/TaskRop/VMShmem.js"

    condition:
        // One embedded path is sufficient for a hunting hit.
        any of ($p*)
}



Published: 2026-03-18T14:00:00










