| SYMBOL | COMMON_NAME | aka. SYNONYMS |
UNC6748 targets users in Saudi Arabia through a fake Snapchat website, employing a backdoor known as GHOSTKNIFE for data exfiltration. Their exploitation process initially featured basic obfuscation, which evolved to include anti-debugging measures. The actor primarily leveraged CVE-2025-31277 and CVE-2026-20700 for RCE exploits, but exhibited inconsistencies in exploit support for different iOS versions. Additionally, UNC6748's delivery mechanisms incorporated session storage checks to manage infection attempts.
There are currently no families associated with this actor.
| 2026-03-18
⋅
Google
⋅
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors GHOSTBLADE UNC6748 |