
Google Flags Ghostblade Crypto-Stealing Malware Targeting iOS Devices, Part of DarkSword Exploit Chain
Key Takeaways
- DarkSword targets iPhones running iOS 18.4-18.7 in campaigns across multiple regions.
- Ghostblade crypto-stealing malware, delivered via DarkSword, harvests private keys and sensitive data.
- Ghostblade is written in JavaScript for rapid data theft.
Threat Discovery
Google Threat Intelligence has uncovered a sophisticated cybersecurity threat targeting iOS devices through the DarkSword exploit chain.
“Google researchers have identified a new exploit chain targeting Apple iOS devices”
This exploit chain deploys Ghostblade malware specifically designed to steal cryptocurrency and sensitive user data.

The malware is JavaScript-based and represents a significant evolution in cyber threats.
It combines multiple vulnerabilities to compromise devices running iOS versions 18.4 through 18.7.
The malware requires no additional plug-ins and does not run continuously on infected devices.
Its stealthy nature is enhanced by its ability to delete crash reports, making detection difficult.
According to Google researchers, this threat highlights evolving methods used by malicious actors to steal crypto and sensitive data.
Data Theft Scope
Ghostblade malware exhibits extensive data theft capabilities beyond just cryptocurrency information.
It targets a comprehensive range of sensitive user data across multiple messaging and communication platforms.

The malware can access and relay messaging data from Apple's iMessage application.
It also targets popular third-party platforms like Telegram and WhatsApp.
Beyond communications, it steals SIM card information, identity data, multimedia files, and geolocation information.
According to Google cybersecurity reports, the malware operates with a unique 'hit-and-run' methodology.
It activates, extracts all available data, then deletes its temporary files and terminates itself.
This approach allows it to steal call history, contacts, Wi-Fi passwords, browsing history, location data, health data, photos, saved passwords, and message history before becoming invisible to security monitoring.
Crypto App Targeting
The DarkSword exploit chain specifically targets major cryptocurrency applications.
This demonstrates a clear focus on financial theft through specialized malware design.
Google researchers have identified that Ghostblade actively seeks out major crypto exchange applications, including Coinbase, Binance, Kraken, KuCoin, OKX, and MEXC.
It also targets popular crypto wallet platforms like Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe.
This targeted approach indicates sophisticated knowledge of the cryptocurrency ecosystem.
The malware was specifically designed to compromise digital wallets and exchanges where valuable assets are stored.
The combination of comprehensive data theft with specific targeting of crypto applications creates a dual threat.
This dual threat both compromises user privacy and enables direct financial theft through compromised credentials and private keys.
Global Campaign
Multiple actors are currently deploying the DarkSword exploit chain across different regions.
This indicates a widespread and coordinated cybercriminal campaign.

Security researchers have observed campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine.
Some attacks have specifically compromised government websites to increase credibility and reach.
In Saudi Arabia, attackers have been using fake Snapchat lookalike applications to lure victims.
In Ukraine, compromised government websites have been used as distribution vectors.
The involvement of both commercial spyware vendors and state-backed groups suggests this exploit represents a valuable tool.
This geographic distribution highlights the global nature of the threat and the need for international cooperation in cybersecurity defense.
Attack Trends
The February 2026 cybersecurity landscape reveals a significant shift in attack methodologies.
Losses from crypto hacks dropped dramatically from $385 million in January to just $49 million.

These figures come from blockchain intelligence platform Nominis.
The decrease reflects a strategic pivot by malicious actors away from code-based cyber threats.
Attackers are now focusing on crypto phishing attempts and wallet poisoning attacks.
These new threats exploit human error rather than technical vulnerabilities.
The emergence of sophisticated, short-duration malware like Ghostblade represents this new paradigm.
Instead of complex, persistent campaigns, attackers deploy quick, stealthy tools that extract data and disappear.
This shift underscores the need for both technical safeguards and user education to defend against increasingly sophisticated attacks.
Defense Strategies
Industry experts emphasize that cross-sector collaboration represents the most effective defense against rapidly evolving cyber threats.
As Google Threat Intelligence and other security researchers continue to track DarkSword-linked activity, monitoring organizations should prioritize updates on iOS exploit chains.
They should also watch for the emergence of similarly stealthy, short-duration malware.
For individual users and organizations, key defensive measures include staying informed about threat intelligence.
Sources like Google Threat Intelligence's reporting on DarkSword and related iOS exploits are essential.
Ongoing analyses from blockchain security researchers like Nominis provide valuable insights.
Major platforms are expected to adapt their anti-phishing and fraud-prevention measures.
The effectiveness of these defenses will depend on continuous monitoring and rapid information sharing.
Adaptive security strategies that can keep pace with sophisticated tools are crucial for defending cryptocurrency ecosystems.
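For organizations that manage iPhones, one practical first step is to triage the device inventory against the details reported above. The following is an added example, not code from Google or from the original article: it flags devices in the reported iOS 18.4 to 18.7 range and prioritizes those with one of the listed crypto apps installed. The CSV column names and sample rows are constructed, and treating every patch release inside the range as affected is an assumption.

```python
import csv
import io

# Affected range as stated in the article: iOS 18.4 through 18.7.
# Assumption: every patch release inside that range (e.g. 18.6.2) counts.
AFFECTED_MIN, AFFECTED_MAX = (18, 4), (18, 7)

# App names the article lists as Ghostblade targets (exchanges and wallets).
TARGETED_APPS = {"coinbase", "binance", "kraken", "kucoin", "okx", "mexc",
                 "ledger", "trezor", "metamask", "exodus", "uniswap",
                 "phantom", "gnosis safe"}

# Constructed sample inventory; column names are hypothetical, not a real MDM schema.
SAMPLE_INVENTORY = """device_id,os_version,installed_apps
ios-001,18.5,Coinbase;Telegram;WhatsApp
ios-002,18.6.2,Safari;Notes
ios-003,18.10,MetaMask Wallet
ios-004,17.7.2,Binance
ios-005,18.4,Ledger Live;Phantom
ios-006,unknown,Kraken
"""

def parse_version(text):
    """Return (major, minor) as ints, or None if the string is not a version."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0]   # pad so "18" becomes (18, 0)
    return nums[0], nums[1]

def triage(inventory_csv):
    """Map device_id -> (status, matched app names) for each inventory row."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["os_version"])
        apps = [a.strip().lower() for a in row["installed_apps"].split(";")]
        hits = sorted(t for t in TARGETED_APPS if any(t in a for a in apps))
        if version is None:
            status = "unknown"            # cannot be ruled out: check manually
        elif AFFECTED_MIN <= version <= AFFECTED_MAX:
            status = "priority" if hits else "affected"
        else:
            status = "out_of_range"       # numeric compare keeps 18.10 above 18.7
        results[row["device_id"]] = (status, hits)
    return results

if __name__ == "__main__":
    for device, (status, hits) in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status} {hits}")
```

Devices with an unparseable version are reported as "unknown" rather than cleared, so they can be checked by hand.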