Following its recent disclosure of the Coruna exploit chain targeting older iOS versions, the company has now revealed a similar attack believed to be called DarkSword. Here are the details.
A few more reasons to keep your devices up to date
A few weeks ago, Google and iVerify published two reports with complementary details on the Coruna exploit, which chained multiple iOS vulnerabilities to compromise iPhones running outdated system versions.
Following the release of the reports, Apple released iOS 16.7.15, iOS 15.8.7, iPadOS 16.7.15, and iPadOS 15.8.7, addressing kernel and WebKit vulnerabilities leveraged by Coruna.
Interestingly, earlier today, Apple published a new support document titled Update iOS to protect your iPhone from web attacks, in which it says that “security researchers recently identified web-based attacks that target out-of-date versions of iOS through malicious web content,” and goes on to explain the following:
If you have kept your iPhone software up to date, then you are already protected. (…) If your iPhone has an older version of iOS, update to protect your data:
- Devices with the latest, updated versions of iOS 15 through iOS 26 are already protected. If you have not updated your software recently, update iOS on your iPhone.
- We released a software update for iOS 15 and iOS 16 on March 11, 2026, to extend protection to older devices that cannot update to the latest version of iOS.
- Devices with iOS 13 or iOS 14 must update to iOS 15 to receive these protections and will receive an additional alert to install a Critical Security Update in the next few days.
- Apple Safe Browsing in Safari is on by default and blocks the malicious URL domains identified in these attacks.
Note: Users who are unable to update their device can consider enabling Lockdown Mode (if available) to protect against malicious web content and other threats.
As it turns out, the new Security post might be referring not just to Coruna but also to another exploit chain, which the Google Threat Intelligence Group (GTIG) believes is called DarkSword.
According to the GTIG, there are “multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns,” and they add that “these threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.”
In a nutshell, DarkSword works similarly to Coruna. It chains multiple vulnerabilities to achieve a full kernel-level compromise.
Also like Coruna, DarkSword is delivered through compromised or decoy websites, then chains multiple stages before deploying payloads such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
According to GTIG, the CVEs associated with DarkSword include:
- CVE-2025-31277 (patched in iOS 18.6)
- CVE-2026-20700 (patched in iOS 26.3)
- CVE-2025-43529 (patched in iOS 18.7.3 and iOS 26.2)
- CVE-2025-14174 (patched in iOS 18.7.3 and iOS 26.2)
- CVE-2025-43510 (patched in iOS 18.7.2 and iOS 26.1)
- CVE-2025-43520 (patched in iOS 18.7.2 and iOS 26.1)
To dive into the technical details, check out GTIG’s report, which was published in coordination with Lookout and iVerify, both of which also shared their own findings.
Oh, yes, and make sure that your devices are running the latest iOS version.
Worth checking out on Amazon
FTC: We use income earning auto affiliate links. More.
