Following its recent announcement regarding the Coruna exploit chain that targets older iOS versions, the company has now disclosed a comparable attack thought to be named DarkSword. Here are the specifics.
## A Few More Reasons to Keep Your Devices Updated
Several weeks ago, Google and iVerify released two reports that provided complementary insights on the Coruna exploit, which exploited multiple iOS vulnerabilities to compromise iPhones operating on outdated system versions.
In the wake of the reports, Apple issued iOS 16.7.15, iOS 15.8.7, iPadOS 16.7.15, and iPadOS 15.8.7, fixing kernel and WebKit vulnerabilities exploited by Coruna.
Notably, earlier today, Apple released a new support document titled “Update iOS to protect your iPhone from web attacks,” stating that “security researchers recently discovered web-based attacks that target outdated versions of iOS through harmful web content.” The document outlines the following:
– If you have kept your iPhone software current, you are already protected. If your iPhone is running an older version of iOS, please update to safeguard your data:
– Devices running the latest, updated versions of iOS 15 through iOS 26 are already secured. If you have not updated your software in a while, update iOS on your iPhone.
– On March 11, 2026, we released a software update for iOS 15 and iOS 16 to extend protection to older devices that cannot upgrade to the newest version of iOS.
– Devices with iOS 13 or iOS 14 must upgrade to iOS 15 to receive these protections and will be notified to install a Critical Security Update in the coming days.
– Apple Safe Browsing in Safari is enabled by default and blocks the malicious URL domains identified in these attacks.
*Note: Users unable to update their device may consider activating Lockdown Mode (if available) to guard against harmful web content and other threats.*
It appears that the new Security post might refer not only to Coruna but also to another exploit chain, which the Google Threat Intelligence Group (GTIG) believes to be called DarkSword.
According to GTIG, “multiple commercial surveillance vendors and suspected state-sponsored actors are utilizing DarkSword in various campaigns,” adding that “these threat actors have employed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.”
In summary, DarkSword operates similarly to Coruna. It chains multiple vulnerabilities to achieve a complete kernel-level compromise.
Like Coruna, DarkSword is distributed through compromised or decoy websites, then chains multiple stages before deploying payloads such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
According to GTIG, the CVEs related to DarkSword include:
– CVE-2025-31277 (patched in iOS 18.6)
– CVE-2026-20700 (patched in iOS 26.3)
– CVE-2025-43529 (patched in iOS 18.7.3 and iOS 26.2)
– CVE-2025-14174 (patched in iOS 18.7.3 and iOS 26.2)
– CVE-2025-43510 (patched in iOS 18.7.2 and iOS 26.1)
– CVE-2025-43520 (patched in iOS 18.7.2 and iOS 26.1)
To delve into the technical specifics, refer to GTIG’s report, published in collaboration with Lookout and iVerify, both of which also released their discoveries.
Oh, and ensure that your devices are operating on the latest iOS version.