{ "type": "URL", "indicator": "https://snapshare.chat/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://snapshare.chat/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4272610401, "indicator": "https://snapshare.chat/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69bac861fe18a3b724f976fe", "name": "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors", "description": "Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain utilizes six different vulnerabilities to deploy final-stage payloads, including three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into their watering hole campaigns targeting Ukrainian websites.", "modified": "2026-03-18T16:29:12.361000", "created": "2026-03-18T15:44:33.832000", "tags": [ "cve-2025-43510", "state-sponsored", "coruna", "ghostsaber", "ios", "commercial surveillance", "cve-2025-43520", "cve-2026-20700", "ghostblade", "zero-day", "darksword", "cve-2025-31277", "watering hole", "exploit chain", "cve-2025-43529", "cve-2025-14174", "ghostknife" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain" ], "public": 1, "adversary": "", "targeted_countries": [ "Malaysia", "Saudi Arabia", "Ukraine" ], "malware_families": [ { "id": "GHOSTBLADE", "display_name": "GHOSTBLADE", "target": null }, { "id": "GHOSTKNIFE", "display_name": "GHOSTKNIFE", "target": null }, { "id": "GHOSTSABER", "display_name": "GHOSTSABER", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 1, "URL": 3, "FileHash-SHA1": 4, "domain": 4, "hostname": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386790, "modified_text": "75 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bd12b0ef9ff384d0486608", "name": "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors", "description": "The Google Threat Intelligence Group (GTIG) has identified a sophisticated exploit chain named DarkSword, specifically targeting iOS versions 18.4 to 18.7. This exploit encompasses multiple zero-day vulnerabilities, enabling full device compromise. DarkSword has been utilized by several threat actors, including commercial surveillance vendors and suspected state-sponsored groups, in various campaigns against targets across Saudi Arabia, Turkey, Malaysia, and Ukraine since late 2025. It has been observed that three malware families, GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER, were deployed following successful infiltrations.", "modified": "2026-04-19T09:39:09.842000", "created": "2026-03-20T09:26:08.482000", "tags": [ "figure", "darksword", "unc6748", "gtig", "november", "pars defense", "c2 server", "strong", "ghostknife", "unc6353", "coruna", "iframe", "body", "code", "title", "life", "next", "contact", "ukraine", "null", "meta", "telegram", "exploit", "patched", "loader", "virustotal", "ransomware", "look", "powerful" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/" ], "public": 1, "adversary": "Unc6353", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [ "Government", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 1, "URL": 3, "YARA": 4, "domain": 4, "hostname": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bb262fdead7ce1df833329", "name": "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors", "description": "", "modified": "2026-03-18T22:24:47.577000", "created": "2026-03-18T22:24:47.577000", "tags": [ "cve-2025-43510", "state-sponsored", "coruna", "ghostsaber", "ios", "commercial surveillance", "cve-2025-43520", "cve-2026-20700", "ghostblade", "zero-day", "darksword", "cve-2025-31277", "watering hole", "exploit chain", "cve-2025-43529", "cve-2025-14174", "ghostknife" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain" ], "public": 1, "adversary": "", "targeted_countries": [ "Malaysia", "Saudi Arabia", "Ukraine" ], "malware_families": [ { "id": "GHOSTBLADE", "display_name": "GHOSTBLADE", "target": null }, { "id": "GHOSTKNIFE", "display_name": "GHOSTKNIFE", "target": null }, { "id": "GHOSTSABER", "display_name": "GHOSTSABER", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69bac861fe18a3b724f976fe", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 1, "URL": 3, "FileHash-SHA1": 4, "domain": 4, "hostname": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.4.csv", "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain", "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Ghostknife", "Ghostsaber", "Ghostblade" ], "industries": [ "Government" ], "unique_indicators": 21 }, "other": { "adversary": [ "Unc6353", "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code " ], "malware_families": [ "Ghostknife", "Ghostsaber", "Ghostblade" ], "industries": [ "Healthcare", "Government" ], "unique_indicators": 804 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/snapshare.chat", "whois": "http://whois.domaintools.com/snapshare.chat", "domain": "snapshare.chat", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69bac861fe18a3b724f976fe", "name": "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors", "description": "Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain utilizes six different vulnerabilities to deploy final-stage payloads, including three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into their watering hole campaigns targeting Ukrainian websites.", "modified": "2026-03-18T16:29:12.361000", "created": "2026-03-18T15:44:33.832000", "tags": [ "cve-2025-43510", "state-sponsored", "coruna", "ghostsaber", "ios", "commercial surveillance", "cve-2025-43520", "cve-2026-20700", "ghostblade", "zero-day", "darksword", "cve-2025-31277", "watering hole", "exploit chain", "cve-2025-43529", "cve-2025-14174", "ghostknife" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain" ], "public": 1, "adversary": "", "targeted_countries": [ "Malaysia", "Saudi Arabia", "Ukraine" ], "malware_families": [ { "id": "GHOSTBLADE", "display_name": "GHOSTBLADE", "target": null }, { "id": "GHOSTKNIFE", "display_name": "GHOSTKNIFE", "target": null }, { "id": "GHOSTSABER", "display_name": "GHOSTSABER", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 1, "URL": 3, "FileHash-SHA1": 4, "domain": 4, "hostname": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386790, "modified_text": "75 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bd12b0ef9ff384d0486608", "name": "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors", "description": "The Google Threat Intelligence Group (GTIG) has identified a sophisticated exploit chain named DarkSword, specifically targeting iOS versions 18.4 to 18.7. This exploit encompasses multiple zero-day vulnerabilities, enabling full device compromise. DarkSword has been utilized by several threat actors, including commercial surveillance vendors and suspected state-sponsored groups, in various campaigns against targets across Saudi Arabia, Turkey, Malaysia, and Ukraine since late 2025. It has been observed that three malware families, GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER, were deployed following successful infiltrations.", "modified": "2026-04-19T09:39:09.842000", "created": "2026-03-20T09:26:08.482000", "tags": [ "figure", "darksword", "unc6748", "gtig", "november", "pars defense", "c2 server", "strong", "ghostknife", "unc6353", "coruna", "iframe", "body", "code", "title", "life", "next", "contact", "ukraine", "null", "meta", "telegram", "exploit", "patched", "loader", "virustotal", "ransomware", "look", "powerful" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/" ], "public": 1, "adversary": "Unc6353", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [ "Government", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 1, "URL": 3, "YARA": 4, "domain": 4, "hostname": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bb262fdead7ce1df833329", "name": "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors", "description": "", "modified": "2026-03-18T22:24:47.577000", "created": "2026-03-18T22:24:47.577000", "tags": [ "cve-2025-43510", "state-sponsored", "coruna", "ghostsaber", "ios", "commercial surveillance", "cve-2025-43520", "cve-2026-20700", "ghostblade", "zero-day", "darksword", "cve-2025-31277", "watering hole", "exploit chain", "cve-2025-43529", "cve-2025-14174", "ghostknife" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain" ], "public": 1, "adversary": "", "targeted_countries": [ "Malaysia", "Saudi Arabia", "Ukraine" ], "malware_families": [ { "id": "GHOSTBLADE", "display_name": "GHOSTBLADE", "target": null }, { "id": "GHOSTKNIFE", "display_name": "GHOSTKNIFE", "target": null }, { "id": "GHOSTSABER", "display_name": "GHOSTSABER", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69bac861fe18a3b724f976fe", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 1, "URL": 3, "FileHash-SHA1": 4, "domain": 4, "hostname": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://snapshare.chat/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://snapshare.chat/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780366371.7201462 }