DarkSword iOS Exploit Kit Used in iPhone Data Theft Campaign


162/69 Friday, March 20, 2026

Security researchers have identified a new iOS exploit kit named DarkSword, which leverages six vulnerabilities (CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520) to bypass sandbox restrictions, escalate privileges, and execute remote code on iPhones. The attack chain begins through the Safari browser, combining multiple exploits to gain kernel read/write access before deploying malware from the GHOST family, including GHOSTBLADE (data theft), GHOSTKNIFE (backdoor), and GHOSTSABER (command execution and further data exfiltration).

The campaign has been linked to several threat groups, including UNC6748, which targets users via malicious websites, as well as activity associated with PARS Defense and UNC6353, believed to be involved in cyber-espionage operations. Attackers reportedly use watering hole techniques, embedding malicious iframes into compromised websites to deliver the GHOSTBLADE payload. Researchers noted that DarkSword is designed for speed and stealth, automatically deleting temporary files and terminating execution after data exfiltration to minimize forensic traces and evade long-term detection.

The malware is capable of stealing a wide range of sensitive data, including saved passwords, photos, WhatsApp and Telegram databases, cryptocurrency wallets (such as Coinbase, Binance, and Ledger), call logs, contacts, location data, browsing history, and even Apple Health data. Apple has already patched the associated vulnerabilities in the latest iOS release and strongly recommends that users update to iOS 26.3.1 as soon as possible. High-risk users are also advised to enable Lockdown Mode to enhance device security.

Source: https://www.bleepingcomputer.com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/