INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
DarkSword Exploit Tool Used in Global Attacks
2026-03-23 08:37 | CRITICAL | MEDIUM
Executive Summary (AI-generated)
The DarkSword exploit kit, a sophisticated cyber-espionage framework, has been linked to multiple threat groups and Russian intelligence agencies. Its delivery mechanism exploits six iOS vulnerabilities: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. These flaws enable attackers to escape sandboxes, escalate privileges, and gain remote code execution on unpatched iPhones. The kit was used in watering-hole attacks on compromised Ukrainian websites of e-commerce, industrial equipment, and local services organizations. CISA has ordered federal agencies to secure their devices within two weeks, by April 3, as mandated by Binding Operational Directive (BOD) 22-01.
Technical Mitigations (AI-generated)
* Implement secure coding practices: Ensure that developers and maintainers of iOS applications use secure coding practices, such as input validation and sanitization, to prevent exploitation of vulnerabilities like those found in DarkSword.
* Use up-to-date security patches: Regularly update iPhone software with the latest security patches to ensure that known vulnerabilities are addressed before they can be exploited by attackers.
* Implement sandboxing and isolation: Use robust sandboxes and isolation mechanisms to limit the attack surface of iOS devices, making it more difficult for attackers to escape or escalate privileges.
* Monitor for suspicious activity: Continuously monitor iPhone usage patterns and detect any unusual behavior that may indicate a threat is present on an infected device.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-20700, CVE-2025-43529, CVE-2020-27950, CVE-2022-48503, CVE-2025-43510, CVE-2024-23225, CVE-2023-32434, CVE-2023-41974, CVE-2025-31277, CVE-2023-32409, CVE-2020-27932, CVE-2021-30952, CVE-2024-23222, CVE-2024-23296, CVE-2025-14174, CVE-2025-43520, CVE-2023-38606, CVE-2023-43000
Target & Sectors
Countries: SA, MY, UA, RU, CN
Sectors: government, defense
Incident Timeline
February 2025
Threat actors used a previously unseen JavaScript framework, delivered by an iOS exploit chain from a surveillance vendor's customer, to target iOS devices.
Initial discovery occurred in February 2025 when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer.
“In February 2025, we captured parts of an iOS exploit chain used by a customer of a surveillance company,” reads the report published by GTIG.
Technique: T1059.007 - JavaScript
late 2025
Multiple threat actors, including surveillance vendors and likely nation-state actors, used a new iOS exploit kit called DarkSword.
Lookout Threat Labs discovered a new iOS exploit kit called DarkSword that has been used since late 2025 by multiple threat actors, including surveillance vendors and likely nation-state actors.
Further analysis revealed a new exploit chain, later named DarkSword, discovered in late 2025 through joint research by Lookout, iVerify, and Google, confirming a distinct and evolving threat.
November 2025
Threat actors used DarkSword to exploit vulnerabilities in iOS devices.
March 11, 2026
Apple released updates extending protection against the DarkSword exploit chain to older iOS devices.
If your iPhone runs an older iOS version, take action:
* Devices on iOS 15 to iOS 26 are already protected if fully updated
* Apple released updates on March 11, 2026, to extend protection to iOS 15 and 16 devices
* Devices on iOS 13 or 14 must upgrade to iOS 15 and install a Critical Security Update
* Safari’s Safe Browsing feature helps block known malicious domains by default
Updating ensures user data remains secure.
2026-03-16
Researchers revealed that the DarkSword iOS delivery framework chains multiple vulnerabilities, including CVE-2025-31277, CVE-2026-20700, and CVE-2025-43529, in attacks on affected devices.
As Google Threat Intelligence Group (GTIG) and iVerify researchers revealed last week, the DarkSword delivery framework abuses a chain of six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
2026-03-23
The threat actors behind the exploit kit, UNC6353, used advanced iOS exploit chains in watering hole attacks on Ukrainian websites.
DarkSword emerges as powerful iOS exploit tool in global attacks
DarkSword, a new iOS exploit kit, is used by multiple actors to steal data in campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine.
According to Lookout, the actor behind the exploit, UNC6353, remains a largely unknown group but has used advanced iOS exploit chains in watering hole attacks on Ukrainian websites.
Of the three, UNC6353 deployed both the DarkSword and Coruna iOS exploit kits in watering-hole attacks targeting iPhone users visiting compromised Ukrainian websites of e-commerce, industrial equipment, and local services organizations.
DarkSword targets iPhones running iOS 18.4–18.7 and has been used by the suspected Russian-linked group UNC6353 against Ukrainian targets.
The exploit chain relies on six vulnerabilities, three used as zero-days, to achieve full device compromise:
* CVE-2025-31277 – JavaScriptCore memory corruption (CVSS: 8.8)
* CVE-2026-20700 – dyld PAC bypass (CVSS: 8.6) (zero-day)
* CVE-2025-43529 – JavaScriptCore memory corruption (CVSS: 8.8) (zero-day)
* CVE-2025-14174 – ANGLE memory corruption (CVSS: 8.8) (zero-day)
* CVE-2025-43510 – iOS kernel memory issue (CVSS: 8.6)
* CVE-2025-43520 – iOS kernel memory corruption (CVSS: 8.6)
Together, these flaws enable full-chain exploitation and complete control of targeted iOS devices.
Malicious iframes loaded scripts to fingerprint devices and target specific iOS versions.
While it initially appeared that this may be another site distributing Coruna, upon closer inspection our researchers found that the iframe loads a JavaScript file called rce_loader.js, which is largely responsible for fingerprinting devices visiting the compromised site in order to determine whether to route them to the iOS exploit chain.
However, the script was looking for iOS devices with OS versions 18.4 or 18.6.2, which are iOS versions that are not susceptible to the exploit chains used in Coruna.
An excerpt from rce_loader.js showing that devices with specific iOS versions are routed to different scripts for exploitation based on the version.
DarkSword shows a troubling trend: advanced iOS exploit chains are being sold on a secondary market, letting even less skilled actors launch powerful attacks.
“The discovery of DarkSword as the second iOS exploit chain found in the hands of this at least partially financially motivated threat actor reveals a worrying trend,” concludes the report.
Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge
Apple warns that outdated iPhones are vulnerable to Coruna and DarkSword exploit kits and urges users to update iOS.
Apple has warned that iPhones running outdated iOS versions are at risk from exploit kits like Coruna and DarkSword.
“Security researchers recently identified web-based attacks that target out-of-date versions of iOS through malicious web content. For example, if you’re using an older version of iOS and were to click a malicious link or visit a compromised website, the data on your iPhone might be at risk of being stolen,” reads Apple’s advisory.
Devices running the latest iOS versions are not vulnerable, and Lockdown Mode also blocks these attacks, even on older systems, though updates are still strongly recommended.
In February, Google’s Threat Intelligence Group identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters) that targets Apple iPhones running iOS versions 13.0 through 17.2.1.
While highly capable against iPhones running iOS 13.0 through 17.2.1, Coruna is ineffective against the latest iOS release, according to Google.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.”
The framework uses fingerprinting to detect device type and iOS version, then loads the appropriate WebKit RCE exploit and pointer authentication bypass.
One recovered exploit, CVE-2024-23222, was later patched in iOS 17.3.
After exploitation, a binary loader deploys encrypted, compressed payloads disguised as .min.js files, tailored to specific chips and iOS versions.
In total, the kit includes 23 exploits covering iOS 13 through 17.2.1, with advanced mitigation bypasses and reusable modules for defeating memory and kernel protections.
CISA ordered U.S. government agencies to patch three iOS vulnerabilities targeted in cryptocurrency theft and cyberespionage attacks using the DarkSword exploit kit.
CISA orders feds to patch DarkSword iOS flaws exploited in attacks.
These flaws enable attackers to escape sandboxes, escalate privileges, and gain remote code execution on unpatched iPhones, but have all been patched by Apple in the latest iOS releases and now only affect iPhones running iOS 18.4 through 18.7.
The toolkit enables full-chain attacks to steal sensitive data from Apple devices and has been observed in campaigns targeting countries such as Saudi Arabia, Turkey, Malaysia, and Ukraine.
DarkSword was also linked by security researchers to multiple threat groups, including UNC6748, a customer of Turkish commercial surveillance vendor PARS Defense, and a suspected Russian espionage group tracked as UNC6353.
GTIG tracked the use of the exploit in highly targeted attacks by a surveillance vendor’s customer, in Ukrainian watering hole campaigns by UNC6353, and later in broad-scale attacks by Chinese financial threat actor UNC6691, showing an active market for “second-hand” zero-day exploits.
It avoids devices in Lockdown Mode or private browsing, derives resource URLs from a hard-coded cookie, and delivers WebKit RCE and PAC bypasses in clear form.
Source: Pierluigi Paganini, SecurityAffairs (hacking, DarkSword; exploit kits)
Exploit inventory (codename, CVE, type):

| Codename | CVE | Type |
|---|---|---|
| buffout | CVE-2021-30952 | WebContent R/W |
| jacurutu | CVE-2022-48503 | WebContent R/W |
| bluebird | No CVE | WebContent R/W |
| terrorbird | CVE-2023-43000 | WebContent R/W |
| cassowary | CVE-2024-23222 | WebContent R/W |
| breezy | No CVE | WebContent PAC bypass |
| breezy15 | No CVE | WebContent PAC bypass |
| seedbell | No CVE | WebContent PAC bypass |
| seedbell_16_6 | No CVE | WebContent PAC bypass |
| seedbell_17 | No CVE | WebContent PAC bypass |
| IronLoader | CVE-2023-32409 | WebContent sandbox escape |
| NeuronLoader | No CVE | WebContent sandbox escape |
| Neutron | CVE-2020-27932 | PE |
| Dynamo | CVE-2020-27950 | PE (infoleak) |
| Pendulum | No CVE | PE |
| Photon | CVE-2023-32434 | PE |
| Parallax | CVE-2023-41974 | PE |
| Gruber | No CVE | PE |
| Quark | No CVE | PPL Bypass |
| Gallium | CVE-2023-38606 | PPL Bypass |
| Carbone | No CVE | PPL Bypass |
| Sparrow | CVE-2024-23225 | PPL Bypass |
| Rocket | CVE-2024-23296 | PPL Bypass |
In these attacks, GTIG observed three separate information-theft malware families dropped on victims' devices: a very aggressive JavaScript infostealer named GhostBlade, the GhostKnife backdoor that can exfiltrate large swaths of data, and the GhostSaber JavaScript that executes code and also steals victims' data.
At the end of the chain, a stager called PlasmaLoader injects into a root daemon and deploys a financially focused payload.
April 3
CISA added three of the six DarkSword vulnerabilities to its catalog, ordering Federal Civilian Executive Branch agencies to patch their devices by April 3.
On Friday, CISA added three of the six DarkSword vulnerabilities (CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520) to its catalog of actively exploited security flaws, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices within two weeks, by April 3, as mandated by Binding Operational Directive (BOD) 22-01.
Tactical Metrics
Affected Product: iOS
DarkSword emerges as powerful iOS exploit tool in global attacks
DarkSword, a new iOS exploit kit, is used by multiple actors to steal data in campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine.
DarkSword targets iPhones running iOS 18.4–18.7 and has been used by the suspected Russian-linked group
UNC6353
against Ukrainian targets.
DarkSword emerges as powerful iOS exploit tool in global attacks.
Lookout Threat Labs discovered a new iOS exploit kit called DarkSword that has been used since late 2025 by multiple threat actors, including
surveillance vendors
and likely nation-state actors.
The exploit chain relies on six vulnerabilities, three used as zero-days, to achieve full device compromise:
CVE-2025-31277 – JavaScriptCore memory corruption (CVSS: 8.8)
CVE-2026-20700 – dyld PAC bypass (CVSS: 8.6) (zero-day)
CVE-2025-43529 – JavaScriptCore memory corruption (CVSS: 8.8) (zero-day)
CVE-2025-14174 – ANGLE memory corruption (CVSS: 8.8) (zero-day)
CVE-2025-43510 – iOS kernel memory issue (CVSS: 8.6)
CVE-2025-43520 – iOS kernel memory corruption (CVSS: 8.6)
Together, these flaws enable full-chain exploitation and complete control of targeted iOS devices.
Malicious iframes loaded scripts to fingerprint devices and target specific iOS versions.
While it initially appeared that this may be another site distributing Coruna, upon closer inspection our researchers found that the iframe loads a JavaScript file called rce_loader.js, which is largely responsible for fingerprinting devices visiting the compromised site in order to determine whether to route the devices to the iOS exploit chain.
However, the script was looking for iOS devices with OS versions 18.4 or 18.6.2, which are iOS versions that are not susceptible to the exploit chains used in Coruna.
An excerpt from rce_loader.js showing that devices with specific iOS versions are routed to different scripts for exploitation based on the version.
According to Lookout, the actor behind the exploit, UNC6353, remains a largely unknown group but has used advanced iOS exploit chains in watering hole attacks on Ukrainian websites.
DarkSword shows a troubling trend: advanced iOS exploit chains are being sold on a secondary market, letting even less skilled actors launch powerful attacks.
“The discovery of DarkSword as the second iOS exploit chain found in the hands of this at least partially financially motivated threat actor reveals a worrying trend,” concludes the report.
Apple urges iPhone users to update as Coruna and DarkSword exploit kits emerge
Apple warns that outdated iPhones are vulnerable to Coruna and DarkSword exploit kits and urges users to update iOS.
Apple has warned that iPhones running outdated iOS versions are at risk from exploit kits like Coruna and DarkSword.
“Security researchers recently identified web-based attacks that target out-of-date versions of iOS through malicious web content. For example, if you’re using an older version of iOS and were to click a malicious link or visit a compromised website, the data on your iPhone might be at risk of being stolen,” reads Apple’s advisory.
Devices running the latest iOS versions are not vulnerable, and Lockdown Mode also blocks these attacks, even on older systems, though updates are still strongly recommended.
If your iPhone runs an older iOS version, take action:
Devices on iOS 15 to iOS 26 are already protected if fully updated
Apple released updates on March 11, 2026, to extend protection to iOS 15 and 16 devices
Devices on iOS 13 or 14 must upgrade to iOS 15 and install a Critical Security Update
Safari’s Safe Browsing feature helps block known malicious domains by default
Updating ensures user data remains secure.
In February, Google’s Threat Intelligence Group identified a powerful new iOS exploit kit called Coruna (also known as CryptoWaters) that targets Apple iPhones running iOS versions 13.0 through 17.2.1.
While highly capable against iPhones running iOS 13.0 through 17.2.1, Coruna is ineffective against the latest iOS release, according to Google.
Initial discovery occurred in February 2025 when GTIG captured a previously unseen JavaScript framework delivering an iOS exploit chain from a surveillance vendor’s customer.
“In February 2025, we captured parts of an iOS exploit chain used by a customer of a surveillance company,” reads the report published by GTIG.
“The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.”
The framework uses fingerprinting to detect device type and iOS version, then loads the appropriate WebKit RCE exploit and pointer authentication bypass.
One recovered exploit, CVE-2024-23222, was later patched in iOS 17.3.
After exploitation, a binary loader deploys encrypted, compressed payloads disguised as .min.js files, tailored to specific chips and iOS versions.
In total, the kit includes 23 exploits covering iOS 13 through 17.2.1, with advanced mitigation bypasses and reusable modules for defeating memory and kernel protections.
Recently, Lookout Threat Labs discovered a new iOS exploit kit called DarkSword that has been used since late 2025 by multiple threat actors, including surveillance vendors and likely nation-state actors.
The exploit chain relies on the same six vulnerabilities listed above, three of them used as zero-days, to achieve full device compromise and complete control of targeted iOS devices.
CISA orders feds to patch DarkSword iOS flaws exploited in attacks
CISA ordered U.S. government agencies to patch three iOS vulnerabilities targeted in cryptocurrency theft and cyberespionage attacks using the DarkSword exploit kit.
These flaws enable attackers to escape sandboxes, escalate privileges, and gain remote code execution on unpatched iPhones, but have all been patched by Apple in the latest iOS releases and now only affect iPhones running iOS 18.4 through 18.7.
Of the three, UNC6353 deployed both the DarkSword and Coruna iOS exploit kits in watering-hole attacks targeting iPhone users visiting compromised Ukrainian websites of e-commerce, industrial equipment, and local services organizations.
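The articles above give two affected ranges a defender can act on immediately: DarkSword's chain works against iOS 18.4 through 18.7, Coruna's against iOS 13.0 through 17.2.1, and Lockdown Mode blocks both even on older builds. The following is an added example, not code from any of the cited reports, that triages a device inventory against those ranges. The inventory rows are constructed, the function and field names are the example's own, and because the page gives DarkSword's upper bound only as "18.7", every 18.7.x build is treated as in range here; the exact patched build must be checked against Apple's advisory. Versions are compared as integer tuples rather than strings so that a build such as 18.10 is not mistakenly sorted below 18.4.

```python
"""Triage an iOS device inventory against the version ranges the articles
above state for the DarkSword (iOS 18.4-18.7) and Coruna (iOS 13.0-17.2.1)
exploit kits.  Added example; the inventory below is constructed sample
data, not real telemetry."""
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    Comparing tuples instead of strings avoids the classic mistake where
    '18.10' sorts before '18.4' because '1' < '4' as characters."""
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad iOS version string: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


# Affected ranges as stated on the page (inclusive).  DarkSword's upper
# bound is given only as "18.7", so all 18.7.x builds are treated as in
# range (assumption; confirm the patched build against Apple's advisory).
RANGES = {
    "DarkSword": ((18, 4, 0), (18, 7, 999)),
    "Coruna":    ((13, 0, 0), (17, 2, 1)),
}


def exposed_kits(version: str) -> List[str]:
    """Return the names of the kits whose stated range covers this version."""
    v = parse_version(version)
    return [kit for kit, (lo, hi) in RANGES.items() if lo <= v <= hi]


def triage(inventory: Iterable[Tuple[str, str, bool]]):
    """Classify each (device_id, ios_version, lockdown_mode_enabled) row.

    'ok'                    - version outside both stated ranges
    'mitigated-by-lockdown' - in range, but Lockdown Mode is on (page:
                              Lockdown Mode blocks these attacks)
    'update-required'       - in range and unprotected
    """
    report = []
    for device_id, ver, lockdown in inventory:
        kits = exposed_kits(ver)
        if not kits:
            status = "ok"
        elif lockdown:
            status = "mitigated-by-lockdown"
        else:
            status = "update-required"
        report.append((device_id, ver, status, kits))
    return report


# Constructed sample inventory (device id, iOS version, Lockdown Mode on?).
SAMPLE_INVENTORY = [
    ("iphone-001", "18.6.2", False),   # one of the builds rce_loader.js looked for
    ("iphone-002", "18.7.1", True),    # in range, but Lockdown Mode enabled
    ("iphone-003", "17.2.1", False),   # top of the Coruna range
    ("iphone-004", "17.3",   False),   # first build past the Coruna range
    ("iphone-005", "26.0",   False),   # current major release
    ("iphone-006", "18.10",  False),   # hypothetical build; string compare would misplace it
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Feed it the version column exported from an MDM inventory; rows reported as update-required are the ones CISA's deadline and Apple's advisory apply to, and the Lockdown Mode column is worth tracking separately because it is the only stated mitigation for devices that cannot be updated right away.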
Intelligence Sources
Security Affairs, 2026-03-19: DarkSword emerges as powerful iOS exploit tool in global attacks
Security Affairs, 2026-03-20
BleepingComputer, 2026-03-23: CISA orders feds to patch DarkSword iOS flaws exploited in attacks
Last Updated: 2026-04-27T11:29