
CISA orders feds to patch DarkSword iOS flaws exploited in attacks

Why This Matters

The recent CISA directive to patch iOS vulnerabilities exploited by the DarkSword exploit kit underscores the ongoing threat of cyber-espionage and targeted attacks on mobile devices. As threat actors leverage sophisticated exploits for surveillance and data theft, timely updates are crucial for safeguarding sensitive information and maintaining security in the tech ecosystem.

Key Takeaways

CISA ordered U.S. government agencies to patch three iOS vulnerabilities targeted in cryptocurrency theft and cyberespionage attacks using the DarkSword exploit kit.

As Google Threat Intelligence Group (GTIG) and iVerify researchers revealed last week, the DarkSword delivery framework abuses a chain of six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.

These flaws enable attackers to escape sandboxes, escalate privileges, and gain remote code execution on unpatched iPhones. Apple has patched all of them in the latest iOS releases, so they now only affect iPhones still running iOS 18.4 through 18.7.

DarkSword was also linked by security researchers to multiple threat groups, including UNC6748, a customer of Turkish commercial surveillance vendor PARS Defense, and a suspected Russian espionage group tracked as UNC6353.

In these attacks, GTIG observed three separate information-theft malware families dropped on victims' devices: a very aggressive JavaScript infostealer named GhostBlade, the GhostKnife backdoor that can exfiltrate large swaths of data, and the GhostSaber JavaScript that executes code and also steals victims' data.

Of the three, UNC6353 deployed both the DarkSword and Coruna iOS exploit kits in watering-hole attacks targeting iPhone users visiting compromised Ukrainian websites of e-commerce, industrial equipment, and local services organizations.

Threat groups using the DarkSword exploit kit (GTIG)

Notably, DarkSword wipes temporary files and exits after stealing data from infected devices, indicating that it was built for short-term surveillance operations intended to evade detection.

Mobile security company Lookout, which discovered DarkSword while investigating infrastructure used in the Coruna attacks, believes that DarkSword is used in cyber-espionage campaigns aligned with Russian intelligence requirements and by a Russian threat actor with financial objectives.

On Friday, CISA added three of the six DarkSword vulnerabilities (CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520) to its catalog of actively exploited security flaws, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices within two weeks, by April 3, as mandated by Binding Operational Directive (BOD) 22-01.
