CISA ordered U.S. government agencies to patch three iOS vulnerabilities targeted in cryptocurrency theft and cyberespionage attacks using the DarkSword exploit kit.
As Google Threat Intelligence Group (GTIG) and iVerify researchers revealed last week, the DarkSword delivery framework abuses a chain of six vulnerabilities tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520.
These flaws enable attackers to escape sandboxes, escalate privileges, and gain remote code execution on unpatched iPhones, but have all been patched by Apple in the latest iOS releases and now only affect iPhones running iOS 18.4 through 18.7.
DarkSword was also linked by security researchers to multiple threat groups, including UNC6748, a customer of Turkish commercial surveillance vendor PARS Defense, and a suspected Russian espionage group tracked as UNC6353.
In these attacks, GTIG observed three separate information-theft malware families dropped on victims’ devices: a very aggressive JavaScript infostealer named GhostBlade, the GhostKnife backdoor that can exfiltrate large swaths of data, and the GhostSaber JavaScript that executes code and also steals victims’ data.
Of the three, UNC6353 deployed both the DarkSword and Coruna iOS exploit kits in watering-hole attacks targeting iPhone users visiting compromised Ukrainian websites of e-commerce, industrial equipment, and local services organizations.
Notably, DarkSword wipes temporary files and exits after stealing data from infected devices, indicating that it was designed for short-term surveillance operations designed to evade detection.
Mobile security company Lookout, which discovered DarkSword while investigating infrastructure used in the Coruna attacks, believes that DarkSword is used in cyber-espionage campaigns aligned with Russian intelligence requirements and by a Russian threat actor with financial objectives.
On Friday, CISA added three of the 6 DarkSword vulnerabilities (CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520) to its catalog of actively exploited security flaws, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their devices within two weeks by April 3, as mandated by Binding Operational Directive (BOD) 22-01.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA warned.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
Although BOD 22-01 applies only to federal agencies, CISA urged all defenders, including those working for private sector companies, to prioritize securing their organizations’ devices against these flaws as soon as possible.
Red Report 2026: Why Ransomware Encryption Dropped 38%
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
Related Articles:
New DarkSword iOS exploit used in infostealer attack on iPhones
Apple patches older iPhones and iPads against Coruna exploits
CISA warns feds to patch iOS flaws exploited in crypto-theft attacks
Spyware-grade Coruna iOS exploit kit now used in crypto theft attacks
New Apple privacy feature limits location tracking on iPhones, iPads