CISA orders feds to patch DarkSword iOS flaws exploited attacks

Recorded: March 23, 2026, 10 a.m.


By Sergiu Gatlan

March 23, 2026
04:37 AM

CISA ordered U.S. government agencies to patch three iOS vulnerabilities targeted in cryptocurrency theft and cyberespionage attacks using the DarkSword exploit kit.
As Google Threat Intelligence Group (GTIG) and iVerify researchers revealed last week, the DarkSword delivery framework abuses a chain of six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
These flaws enable attackers to escape sandboxes, escalate privileges, and gain remote code execution on unpatched iPhones, but have all been patched by Apple in the latest iOS releases and now only affect iPhones running iOS 18.4 through 18.7.
DarkSword was also linked by security researchers to multiple threat groups, including UNC6748, a customer of Turkish commercial surveillance vendor PARS Defense, and a suspected Russian espionage group tracked as UNC6353.
In these attacks, GTIG observed three separate information-theft malware families dropped on victims' devices: a very aggressive JavaScript infostealer named GhostBlade, the GhostKnife backdoor that can exfiltrate large swaths of data, and the GhostSaber JavaScript that executes code and also steals victims' data.
Of the three, UNC6353 deployed both the DarkSword and Coruna iOS exploit kits in watering-hole attacks targeting iPhone users visiting compromised Ukrainian websites of e-commerce, industrial equipment, and local services organizations.

Threat groups using the DarkSword exploit kit (GTIG)
Notably, DarkSword wipes temporary files and exits after stealing data from infected devices, indicating that it was designed for short-term surveillance operations designed to evade detection.
Mobile security company Lookout, which discovered DarkSword while investigating infrastructure used in the Coruna attacks, believes that DarkSword is used in cyber-espionage campaigns aligned with Russian intelligence requirements and by a Russian threat actor with financial objectives.
On Friday, CISA added three of the six DarkSword vulnerabilities (CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520) to its catalog of actively exploited security flaws, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices within two weeks, by April 3, as mandated by Binding Operational Directive (BOD) 22-01.
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable," CISA warned.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
Although BOD 22-01 applies only to federal agencies, CISA urged all defenders, including those working for private sector companies, to prioritize securing their organizations' devices against these flaws as soon as possible.
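A defender's first question after an order like this is which managed iPhones still sit in the affected range and how long is left before the deadline. The following script is an added example, not code from the article, CISA or any of the researchers named: it takes a constructed MDM-style inventory, flags iOS devices running 18.4 through 18.7, and reports the days remaining until the BOD 22-01 due date. The inventory rows and the KEV records are constructed sample data; only the CVE ids, the version range and the April 3 due date come from the article, and treating 18.7 point releases as in range is an assumption to confirm against Apple's advisory for the fixed build.

```python
"""Triage an iPhone inventory against the DarkSword KEV entries.

Added example (not from the article or CISA). Sample records below are
constructed; CVE ids, version range and due date follow the article.
"""
from datetime import date

# The three DarkSword CVEs CISA added, with the due date the article
# reports. Constructed records; a real run would read CISA's KEV feed.
KEV_DARKSWORD = {
    "CVE-2025-31277": {"dueDate": "2026-04-03"},
    "CVE-2025-43510": {"dueDate": "2026-04-03"},
    "CVE-2025-43520": {"dueDate": "2026-04-03"},
}

# Article: the chain now only affects iOS 18.4 through 18.7.
# Assumption: 18.7.x point releases count as in range until Apple's
# advisory for the exact fixed build has been checked.
AFFECTED_MIN = (18, 4)
AFFECTED_MAX_EXCLUSIVE = (18, 8)

# Constructed inventory in the shape an MDM export typically has.
SAMPLE_INVENTORY = [
    {"id": "ip-001", "platform": "iOS", "os_version": "18.7.2"},
    {"id": "ip-002", "platform": "iOS", "os_version": "18.3.1"},
    {"id": "ip-003", "platform": "iOS", "os_version": "26.1"},
    {"id": "ip-004", "platform": "iOS", "os_version": "18.4"},
    {"id": "ip-005", "platform": "Android", "os_version": "15"},
    {"id": "ip-006", "platform": "iOS", "os_version": "unknown"},
]


def parse_ios_version(text):
    """'18.7.2' -> (18, 7, 2); pads short strings; rejects non-numeric."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable iOS version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_in_affected_range(version):
    """True when major.minor falls in 18.4 .. 18.7 (point releases included)."""
    return AFFECTED_MIN <= version[:2] < AFFECTED_MAX_EXCLUSIVE


def triage(inventory, today):
    """Return (device id, version, days until due) for every exposed iPhone.

    Devices whose version cannot be parsed are returned with days=None so
    they are reviewed by hand rather than silently dropped.
    """
    due = min(date.fromisoformat(e["dueDate"]) for e in KEV_DARKSWORD.values())
    findings = []
    for dev in inventory:
        if dev.get("platform") != "iOS":
            continue
        try:
            version = parse_ios_version(dev["os_version"])
        except ValueError:
            findings.append((dev["id"], dev["os_version"], None))
            continue
        if is_in_affected_range(version):
            findings.append((dev["id"], dev["os_version"], (due - today).days))
    return findings
```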




Sergiu Gatlan
Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.


Summarized:

CISA issued a directive compelling U.S. government agencies to address three iOS vulnerabilities exploited in ongoing cryptocurrency theft and cyberespionage campaigns that use the DarkSword exploit kit. The full DarkSword chain, disclosed by Google Threat Intelligence Group (GTIG) and iVerify researchers after their investigation into the framework, abuses six vulnerabilities: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510 and CVE-2025-43520. These flaws let attackers bypass iOS sandboxing, escalate privileges, and execute remote code on affected iPhones. Apple has already patched all six in its latest iOS releases, so the chain now only works against iPhones still running iOS 18.4 through 18.7; the order's urgency stems from their exploitation in active attacks.

The DarkSword exploit kit has been linked to multiple threat actors, most notably UNC6748, a customer of the Turkish commercial surveillance vendor PARS Defense, and a suspected Russian espionage group designated UNC6353. GTIG observed three information-theft malware families dropped through DarkSword: the GhostBlade JavaScript infostealer, the GhostKnife backdoor, and the GhostSaber JavaScript payload. UNC6353 deployed both DarkSword and the Coruna exploit kit in watering-hole attacks on compromised Ukrainian e-commerce, industrial-equipment and local-services websites, a pattern consistent with espionage targeting.

The design of DarkSword reflects the operational discipline behind these attacks: the kit wipes its temporary files and exits as soon as data has been exfiltrated, a deliberate choice that minimizes its footprint and helps it evade detection. Lookout, the mobile security firm that discovered DarkSword while investigating Coruna infrastructure, attributes its use to cyber-espionage campaigns aligned with Russian intelligence requirements and to a Russian threat actor with financial motives.

In response, CISA added three of the DarkSword vulnerabilities (CVE-2025-31277, CVE-2025-43510 and CVE-2025-43520) to its catalog of actively exploited security flaws, which under Binding Operational Directive (BOD) 22-01 obliges Federal Civilian Executive Branch (FCEB) agencies to remediate them within two weeks, by April 3, 2026. The required action is to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use of the affected product if no mitigation is available.

CISA's warning stresses that vulnerabilities of this kind are frequent attack vectors and pose significant risk to the federal enterprise. While the directive binds only federal agencies, CISA has urged all defenders, including private-sector organizations, to prioritize securing their devices against these flaws as soon as possible, given their ongoing exploitation by established intelligence-linked actors.