"The first adversary observed using the exploit chain is UNC6748, in attacks targeting Saudi Arabian users via a website impersonating Snapchat.

GTIG says that in late November 2025, DarkSword was used in Turkey, in activity associated with PARS Defense, a Turkish commercial surveillance vendor, on devices running  iOS 18.4-18.7.

"Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim," GTIG notes."

tech

"The first adversary observed using the exploit chain is UNC6748, in attacks targeting Saudi Arabian users via a website impersonating Snapchat.

GTIG says that in late November 2025, DarkSword was used in Turkey, in activity associated with PARS Defense, a Turkish commercial surveillance vendor, on devices running  iOS 18.4-18.7.

"Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim," GTIG notes."