WASHINGTON | The order from the Cybersecurity and Infrastructure Security Agency was terse, procedural and familiar in its form. Federal civilian agencies, CISA said, had until April 3 to remediate three Apple vulnerabilities now listed in the government’s catalog of known exploited flaws. But behind that routine directive lay a far more unsettling picture: a sophisticated iPhone exploit chain, dubbed DarkSword by Google researchers, that has been used by multiple threat actors in campaigns tied to surveillance, data theft and geopolitical targeting.
The vulnerabilities CISA added to its catalog — CVE-2025-31277, CVE-2025-43510 and CVE-2025-43520 — are only part of the larger DarkSword chain. According to Google Threat Intelligence Group, the framework strings together six flaws to compromise iPhones running iOS 18.4 through 18.7, allowing attackers to break out of application sandboxes, elevate privileges and ultimately run malicious payloads with full kernel access. Google said Apple patched the vulnerabilities across recent releases, with the full set addressed by iOS 26.3, though several had been fixed earlier.
What gives the episode its weight is not merely the presence of another cluster of Apple bugs, but the apparent spread of a highly capable exploit chain across different clients and missions. Google said DarkSword has been observed since at least November 2025 in the hands of multiple commercial surveillance vendors and suspected state-backed actors. The company linked the framework to operations targeting people in Saudi Arabia, Turkey, Malaysia and Ukraine, and said one suspected Russian espionage group, UNC6353, had folded DarkSword into watering-hole attacks after previously using another iPhone exploitation platform known as Coruna.
A Federal Deadline, and a Larger Warning
CISA’s action falls under Binding Operational Directive 22-01, the mechanism that compels federal civilian agencies to address vulnerabilities the government believes are being actively exploited. In the Known Exploited Vulnerabilities catalog, the due date for the three Apple flaws is listed as April 3, 2026, and the agency instructs organizations to apply vendor mitigations, follow relevant cloud guidance or discontinue use if mitigations are unavailable. CISA also notes that such vulnerabilities are frequent attack vectors and pose significant risks to the federal enterprise.
The order formally applies only to federal civilian agencies. But, as is often the case with CISA directives, the broader audience is unmistakable. The inclusion of an Apple bug in the catalog is a signal not just that a flaw exists, but that exploitation has moved from theory into live operational use. In practice, that changes the question for security teams: from whether to patch, to how quickly they can do so without leaving exposed devices behind. This is an inference based on how the KEV catalog is used by U.S. agencies and security teams.
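A practical way to act on a KEV addition like this one is to pull the catalog's JSON feed and triage it by vendor and due date rather than reading it entry by entry. The script below is an added example, not code from CISA or from the original article; it parses a constructed sample that mirrors the field names of the real KEV feed (cveID, vendorProject, dueDate, requiredAction and so on) and flags the entries for a chosen vendor whose remediation deadline is overdue or within a given number of days. The dateAdded values and descriptions in the sample are placeholders, not copied from the catalog.

```python
"""Triage the CISA KEV feed: which entries for a vendor are due within N days?"""
import json
from datetime import datetime

# Constructed sample in the shape of CISA's KEV JSON feed. The live feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# and is far larger; dateAdded, names and descriptions below are placeholders.
REQUIRED_ACTION = ("Apply mitigations per vendor instructions, follow applicable BOD 22-01 "
                   "guidance for cloud services, or discontinue use of the product if "
                   "mitigations are unavailable.")

SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample",
    "catalogVersion": "sample",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2025-31277", "vendorProject": "Apple", "product": "Multiple Products",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-20",
         "shortDescription": "placeholder", "requiredAction": REQUIRED_ACTION,
         "dueDate": "2026-04-03", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
        {"cveID": "CVE-2025-43510", "vendorProject": "Apple", "product": "Multiple Products",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-20",
         "shortDescription": "placeholder", "requiredAction": REQUIRED_ACTION,
         "dueDate": "2026-04-03", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
        {"cveID": "CVE-2025-43520", "vendorProject": "Apple", "product": "Multiple Products",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-20",
         "shortDescription": "placeholder", "requiredAction": REQUIRED_ACTION,
         "dueDate": "2026-04-03", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
        # An unrelated Apple entry with a later deadline, to show the date filter working.
        {"cveID": "CVE-0000-00001", "vendorProject": "Apple", "product": "placeholder",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-25",
         "shortDescription": "placeholder", "requiredAction": REQUIRED_ACTION,
         "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
        # A non-Apple entry, to show the vendor filter working.
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "placeholder",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-03-10",
         "shortDescription": "placeholder", "requiredAction": REQUIRED_ACTION,
         "dueDate": "2026-03-25", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
    ],
})


def load_kev(text):
    """Parse feed text (the live download or a saved copy) into its entry list."""
    return json.loads(text)["vulnerabilities"]


def parse_day(s):
    """KEV dates are ISO calendar dates; reject anything else loudly."""
    return datetime.strptime(s, "%Y-%m-%d").date()


def due_within(entries, vendor, today, days):
    """Entries from `vendor` whose dueDate is already past or falls within `days` of
    `today`, soonest first. A negative days_left means the deadline has passed."""
    rows = []
    for e in entries:
        if e["vendorProject"].lower() != vendor.lower():
            continue
        left = (parse_day(e["dueDate"]) - today).days
        if left <= days:
            rows.append({"cve": e["cveID"], "product": e["product"],
                         "due": e["dueDate"], "days_left": left})
    return sorted(rows, key=lambda r: (r["days_left"], r["cve"]))


def lookup(entries, cve_ids):
    """Return the KEV entries for specific CVE IDs (e.g. copied from an advisory)."""
    wanted = {c.upper() for c in cve_ids}
    return [e for e in entries if e["cveID"].upper() in wanted]


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    for row in due_within(entries, "Apple", parse_day("2026-03-27"), 14):
        print(f'{row["cve"]:16} {row["product"]:20} due {row["due"]} ({row["days_left"]:+d} days)')
```

To run against the live catalog, replace SAMPLE_KEV_JSON with the downloaded feed text; the functions do not change. Sorting by days_left puts overdue entries (negative values) at the top, which is what a remediation queue needs.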
For Apple users outside government, the message from researchers was similarly blunt. Google urged users to update to the latest iOS version and recommended Lockdown Mode where updating was not possible. iVerify, which investigated the DarkSword delivery infrastructure with Lookout and Google, argued that the threat showed how quickly nation-state-grade mobile exploitation is diffusing into broader operational use.
The Anatomy of an iPhone Break-In
According to Google’s technical analysis, DarkSword is a full exploit chain written entirely in JavaScript, a design that lets it reach native interfaces and iOS internals from web content without dropping unsigned binary payloads. The chain uses six vulnerabilities: two memory corruption bugs in JavaScriptCore, a bypass of Apple’s pointer authentication (PAC) protections in dyld, a memory corruption flaw in ANGLE and two kernel-level bugs that complete the escalation to full device control.
Google’s published table lists the chain as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510 and CVE-2025-43520; some of those, Google said, were exploited as zero-days. The result was a pathway from malicious web content to complete compromise of a vulnerable iPhone. Unlike older exploit kits that targeted wider operating-system ranges, DarkSword was narrowly tuned to iOS 18.4 through 18.7, suggesting a more recent and modular development cycle.
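For a fleet administrator the actionable facts on this page are the affected range (iOS 18.4 through 18.7, per Google) and the version at which Google says the full set of fixes is present (iOS 26.3, with several fixed earlier). The script below is an added example, not from Google, Apple or the original article: it classifies device OS versions from an MDM inventory export into exposed, patched, and a conservative "check-advisory" bucket for versions outside the targeted range (older than 18.4, or 26.0 through 26.2) whose per-CVE fix status should be confirmed against Apple’s security release notes. The inventory rows are constructed; the thresholds are taken from the text above and would need revisiting if Apple’s advisories refine them.

```python
"""Classify iOS versions against the DarkSword-affected range reported by Google."""
import re

AFFECTED_LOW = (18, 4, 0)         # Google: the chain is tuned to iOS 18.4 through 18.7
AFFECTED_HIGH_MAJOR_MINOR = (18, 7)
FULLY_PATCHED = (26, 3, 0)        # Google: the full set of six CVEs is addressed by iOS 26.3


def parse_version(s):
    """'18.6.2' -> (18, 6, 2); '18.7' -> (18, 7, 0). Raises ValueError on junk."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", s)
    if not m:
        raise ValueError(f"not an iOS version: {s!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version):
    """Map one version string to a remediation bucket.

    Every 18.7.x build is treated as exposed: the page says some fixes shipped
    before 26.3 but does not say which builds carry them, so the conservative
    call is to update rather than assume a late 18.7 point release is safe.
    """
    v = parse_version(version)
    if AFFECTED_LOW <= v and v[:2] <= AFFECTED_HIGH_MAJOR_MINOR:
        return "exposed"          # inside the range the chain is built for
    if v >= FULLY_PATCHED:
        return "patched"          # all six fixes present per Google
    return "check-advisory"       # outside the targeted range; confirm per-CVE status


def triage(inventory):
    """inventory: iterable of (device_id, version_string) pairs, e.g. from an MDM export.
    Returns {bucket: sorted device ids}; unparseable versions land under 'unknown'
    so a bad export row is surfaced instead of silently skipped."""
    buckets = {"exposed": [], "patched": [], "check-advisory": [], "unknown": []}
    for device_id, version in inventory:
        try:
            buckets[classify(version)].append(device_id)
        except ValueError:
            buckets["unknown"].append(device_id)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed inventory rows, not real devices.
SAMPLE_INVENTORY = [
    ("ipad-ops-01", "18.6.2"),
    ("iphone-exec-07", "18.7.3"),
    ("iphone-field-12", "26.3.1"),
    ("iphone-field-13", "26.2"),
    ("iphone-legacy-02", "17.7.2"),
    ("iphone-broken-row", "n/a"),
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:15} {', '.join(ids) or '-'}")
```

The "exposed" list is the update queue; "check-advisory" is not a clean bill of health, only a statement that the device is outside the range this particular chain targets.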
The malware families dropped after exploitation also pointed to varied purposes. Google identified three: GHOSTBLADE, an aggressive JavaScript infostealer; GHOSTKNIFE, a backdoor capable of exfiltrating large volumes of data; and GHOSTSABER, a script that could execute code while stealing information. iVerify separately said the recovered implants were designed to exfiltrate sensitive data from compromised phones, and that one version of the exploit it observed targeted devices in Ukraine running iOS 18.4 to 18.6.2.
One notable detail in Google’s account is how operationally polished the tool appeared to be. The company said DarkSword included logic to avoid reinfecting prior victims and, in some cases, redirected targets to legitimate sites after exploitation to mask what had happened. Researchers also said the framework wiped temporary files and exited after stealing data, behavior consistent with short-duration surveillance operations meant to reduce the forensic trace left behind.
From Spyware Market to Multipurpose Weapon
The broader significance of DarkSword lies in its circulation. Google described the exploit chain as another example of sophisticated capabilities spreading across unrelated actors, echoing the earlier Coruna platform. In Google’s telling, DarkSword was used by a mix of commercial surveillance customers and suspected state-sponsored groups, including UNC6748 and UNC6353. That proliferation matters because it suggests the market for elite mobile exploits is no longer confined to a single vendor-client relationship.
Google said UNC6748, identified as a customer of the Turkish commercial surveillance vendor PARS Defense, used a Snapchat-themed lure site to target Saudi users. UNC6353, the suspected Russian espionage actor, deployed DarkSword in watering-hole attacks against people visiting compromised Ukrainian websites tied to e-commerce, industrial equipment and local services. Lookout, which helped uncover the infrastructure, said it believed DarkSword was being used in campaigns aligned with Russian intelligence requirements and also by a Russian actor with financial motives.
That combination — espionage on one side, cryptocurrency and other financially motivated theft on the other — is part of what makes the case more revealing than a standard vulnerability bulletin. It suggests that once a mobile exploit chain reaches a certain level of maturity, it can become a flexible instrument, rentable or repurposable across political and criminal objectives. This is an inference drawn from the multiple actors and distinct end uses described by Google, iVerify and Lookout.
The Quiet Vulnerability of the Modern Phone
For years, smartphones were treated in many organizations as adjacent to the real battleground of cybersecurity — important, but not central. That assumption has been eroding, and DarkSword adds another reason. iVerify said up to 270 million devices could have been running vulnerable versions in the affected range, and described the episode as the second mass iOS attack disclosed in two weeks. Its warning was not simply about patching, but about visibility: the difficulty of detecting quiet mobile compromise in environments still built to watch laptops, servers and cloud systems more closely than phones.
CISA’s order, then, carries a significance beyond the three CVEs in its database. It is a recognition that iPhones — long marketed as the most secure of mainstream consumer devices — are now embedded firmly inside the threat models of states, spy-for-hire vendors and financially motivated attackers alike. Federal agencies have until April 3 to respond. The rest of the world, while under no formal mandate, has been given the same warning in less binding language: update now, or accept that the phone in your pocket may have become a far more exposed instrument than its owner imagines.