Full Report
Apple has now made it possible for more iPhones still running iOS 18 to receive security updates that protect against the actively exploited DarkSword exploit kit. [...]
Analysis Summary
# Vulnerability: DarkSword Exploit Kit (Multiple CVEs)
## CVE Details
The DarkSword exploit kit utilizes a chain of six specific vulnerabilities:
- **CVE-2025-31277**
- **CVE-2025-43529**
- **CVE-2026-20700**
- **CVE-2025-14174**
- **CVE-2025-43510**
- **CVE-2025-43520**
- **CVSS Score:** Not explicitly listed in the text, but categorized as "critical" due to active exploitation for remote code execution and data theft.
- **CWE:** Not specified (Technically involves remote web-based attacks and arbitrary code execution).
## Affected Systems
- **Products:** iPhone and iPad
- **Versions:** Devices running iOS 18.4 through 18.7.
- **Configurations:** Devices that remained on the iOS 18 branch rather than upgrading to iOS 19/iOS 20, specifically those where Apple had previously restricted updates to older hardware (e.g., iPhone XS/XR).
## Vulnerability Description
DarkSword is a sophisticated exploit kit used to deliver information-stealing malware via web-based attacks. The flaw allows attackers to bypass security boundaries on iOS 18 devices to deploy three primary malware families:
1. **GhostBlade:** A JavaScript-based information stealer.
2. **GhostKnife:** A persistent backdoor.
3. **GhostSaber:** JavaScript malware capable of remote code execution and data exfiltration.
## Exploitation
- **Status:** **Exploited in the wild.** Use has been attributed to Turkish surveillance vendor PARS Defense, UNC6748, and suspected Russian espionage group UNC6353.
- **PoC Availability:** **Available.** The exploit kit was publicly leaked on GitHub in March 2026.
- **Complexity:** Low (since the leak) to Medium.
- **Attack Vector:** Network (Web-based/Remote).
## Impact
- **Confidentiality:** **High** (Theft of sensitive user data via infostealers).
- **Integrity:** **High** (Ability to execute code and deploy backdoors).
- **Availability:** **Medium** (Potential for device compromise or system instability).
## Remediation
### Patches
- **iOS 18.7.7:** Released April 1, 2026. This update expands availability to a wide range of devices that previously stopped receiving updates, including:
  - iPhone 11 through iPhone 16 (all models)
  - iPhone SE (2nd and 3rd Generation)
  - Various iPad models (Air, Pro, and Mini)
- **iOS 18.6+:** Initial fixes were introduced in July 2025; however, users should update to the latest (18.7.7) to ensure all six CVEs are covered.
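
As an added example (not from Apple or from the original report), the following fleet triage applies the version bounds stated above: anything from iOS 18.4 up to but not including 18.7.7 is flagged for update. The CSV column names, device IDs and status labels are assumptions, and the inventory rows are constructed sample data.

```python
import csv
import io
import re

# Bounds taken from the advisory text; everything else here is illustrative.
AFFECTED_MIN = (18, 4, 0)   # "iOS 18.4 through 18.7"
FIXED = (18, 7, 7)          # release stated to cover all six CVEs

# Constructed sample of an MDM inventory export (hypothetical columns).
SAMPLE_INVENTORY = """device_id,model,os_version
D-001,iPhone 11,18.5
D-002,iPhone 14,18.7.7
D-003,iPhone SE (3rd generation),18.7
D-004,iPad Air,18.3.2
D-005,iPhone 16,26.1
D-006,iPhone 12,18.6.b
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is malformed."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+){0,2}", text):
        return None
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))  # "18.7" -> (18, 7, 0)

def classify(version_text):
    """Map a reported OS version to a triage status."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"          # inventory data needs a manual check
    if v >= FIXED:
        return "at-or-above-fix"      # 18.7.7 or any later release
    if v >= AFFECTED_MIN:
        return "update-required"      # includes 18.6+, which had only initial fixes
    return "below-stated-range"       # older than the range the advisory names

def triage(csv_text):
    """Group device IDs by triage status."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets.setdefault(classify(row["os_version"]), []).append(row["device_id"])
    return buckets

if __name__ == "__main__":
    for status, ids in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(ids)}")
```

Tuple comparison is used instead of string comparison so that "18.7" sorts below "18.7.7" and a two-digit minor version would sort above a one-digit one.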
### Workarounds
- **Upgrade OS:** Transition to the latest supported major OS version (e.g., iOS 26/current), which contains architectural hardening against these flaws.
- **Browser Caution:** Avoid clicking suspicious links or visiting untrusted websites, which serve as the delivery mechanism for the exploit kit.
## Detection
- **Indicators of Compromise:** Presence of GhostBlade, GhostKnife, or GhostSaber processes; unusual outbound network traffic to known PARS Defense, UNC6748, or UNC6353 infrastructure.
- **Detection Methods:** Mobile security products such as Lookout or iVerify; monitoring for unauthorized JavaScript execution patterns within mobile browsers.
## References
- **Apple Security Update:** hxxps[://]support[.]apple[.]com/kb/HT201222 (General)
- **Researcher Report:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/
- **Leak Source:** hxxps[://]techcrunch[.]com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/