Following the recent disclosure of the Coruna exploit chain targeting older iOS versions, the company has now discovered a similar attack, believed to be called DarkSword. Here are the details.
Just a few more reasons to keep your devices up to date
A few weeks ago, Google and iVerify has been published Two reports with complementary details on a Coruna exploit that chains multiple iOS vulnerabilities to compromise iPhones running outdated system versions.
After the reports were released, Apple was released iOS 16.7.15, iOS 15.8.7, iPadOS 16.7.15, and iPadOS 15.8.7 address kernel and WebKit vulnerabilities used by Coruna.
It is interesting that today early Apple has been published A new support document called Update your iOS to protect your iPhone from web attacksit says that “security researchers have recently identified web-based attacks targeting older versions of iOS via malicious web content” and goes on to explain:
If you’ve kept your iPhone software up to date, you’re already protected. (…) If your iPhone has an older version of iOS, update to protect your data:
- Devices with the latest, updated versions from iOS 15 to iOS 26 are now protected. If you haven’t updated your software recently, Update iOS on your iPhone.
- We left A Software update for iOS 15 and iOS 16 To extend protection for older devices that cannot be updated to the latest version of iOS on March 11, 2026.
- Devices with iOS 13 or iOS 14 must update to iOS 15 to receive these protections and will receive an additional warning to install the Critical Security Update in the next few days.
- In Safari, Apple Safe Browsing is enabled by default and blocks malicious URL domains identified in these attacks.
Note: Users who are unable to update their device may consider running it Lock mode (if applicable) to protect against malicious web content and other threats.
Apparently, the new Security post may refer not only to Koruna, but also to another exploit chain, which the Google Threat Intelligence Group (GTIG) believes is called DarkSword.
According to GTIG, “many commercial surveillance vendors and state-sponsored questionable actors are using DarkSword in different campaigns,” adding that “these threat actors have deployed exploit chains against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.”
In short, DarkSword works the same way as Coruna. Chains multiple vulnerabilities to achieve full kernel-level compromise.
Like Coruna, DarkSword is delivered via compromised or rogue websites, then chained in several stages before deploying payloads such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
According to GTIG, DarkSword-related CVEs include:
- CVE-2025-31277 (patched in iOS 18.6)
- CVE-2026-20700 (patched in iOS 26.3)
- CVE-2025-43529 (patched in iOS 18.7.3 and iOS 26.2)
- CVE-2025-14174 (patched in iOS 18.7.3 and iOS 26.2)
- CVE-2025-43510 (patched in iOS 18.7.2 and iOS 26.1)
- CVE-2025-43520 (patched in iOS 18.7.2 and iOS 26.1)
Check it out to dive into the technical details GTIG reportpublished in agreement with Watchman and iVerifyboth shared their findings.
Oh yeah, and make sure your devices are running the latest iOS version.
It’s worth checking out on Amazon
FTC: We use automatic affiliate links that generate income. More.
