Following the recent revelation of the Coruna exploit chain targeting older iOS versions, the company has revealed a similar attack believed to be called DarkSword. Here are the details:
Other reasons to keep your device up to date
A few weeks ago, Google and iVerify published two reports with additional details about a Coruna exploit that chains multiple iOS vulnerabilities and compromises iPhones running older system versions.
After publication of the report, Apple released iOS 16.7.15, iOS 15.8.7, iPadOS 16.7.15, and iPadOS 15.8.7 to address the kernel and WebKit vulnerabilities exploited by Coruna.
Interestingly, earlier today Apple published a new support document titled “Updating iOS to protect iPhone from web attacks.” It states, “Security researchers recently identified a web-based attack that targets older versions of iOS via malicious web content,” and goes on to explain:
If you keep your iPhone software up to date, you’re already protected. (…) If your iPhone is running an older version of iOS, update it to protect your data.
- Devices with the latest updated versions of iOS 15 to iOS 26 are already protected. Update iOS on your iPhone if you haven’t updated your software recently.
- To extend protection to older devices that cannot be updated to the latest version of iOS, we released a software update for iOS 15 and iOS 16 on March 11, 2026.
- Devices running iOS 13 or iOS 14 must update to iOS 15 to receive these protections and will receive additional alerts to install important security updates in the coming days.
- Apple Safe Browsing in Safari is turned on by default and blocks malicious URL domains identified in these attacks.
Note: Users who are unable to update their devices may consider enabling lockdown mode (if available) to protect against malicious web content and other threats.
As it turns out, the new security post may not only refer to Coruna, but also another exploit chain that the Google Threat Intelligence Group (GTIG) calls DarkSword.
According to GTIG, there are “multiple commercial surveillance vendors and suspected state-sponsored actors leveraging DarkSword in various campaigns,” adding that “these actors have deployed exploit chains against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.”
In short, DarkSword works similarly to Coruna. Chain multiple vulnerabilities together to achieve a complete kernel-level compromise.
Also similar to Coruna, DarkSword is delivered through compromised or decoy websites and chains multiple stages before deploying payloads such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
According to GTIG, CVEs related to DarkSword include:
- CVE-2025-31277 (patched on iOS 18.6)
- CVE-2026-20700 (patched on iOS 26.3)
- CVE-2025-43529 (patched on iOS 18.7.3 and iOS 26.2)
- CVE-2025-14174 (patched on iOS 18.7.3 and iOS 26.2)
- CVE-2025-43510 (patched on iOS 18.7.2 and iOS 26.1)
- CVE-2025-43520 (patched on iOS 18.7.2 and iOS 26.1)
For technical details, check out GTIG’s report, published in partnership with Lookout and iVerify. Both reports also share their own findings.
Oh, and make sure your device is running the latest iOS version.
Worth checking out on Amazon
