HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Zero‑Day iOS Exploit Kit “DarkSword” Enables Full Device Compromise Across Multiple Nations

The DarkSword iOS exploit kit, leveraging six vulnerabilities (including three zero‑days), has been used since late 2025 by threat actors such as UNC6353 to steal credentials and crypto wallet data from iPhones running iOS 18.4‑18.7. Targeted regions include Saudi Arabia, Turkey, Malaysia, and Ukraine, posing a significant risk to enterprises with BYOD or mobile‑first strategies.

LiveThreat™ Intelligence · 📅 March 20, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Zero‑Day iOS Exploit Kit “DarkSword” Enables Full Device Compromise Across Multiple Nations

What Happened – Lookout Threat Labs uncovered “DarkSword,” an iOS exploit kit that chains six vulnerabilities (three zero‑days) to gain complete control of iPhones running iOS 18.4‑18.7. Since late 2025 it has been used in campaigns against users in Saudi Arabia, Turkey, Malaysia and Ukraine, stealing credentials and cryptocurrency‑wallet data before self‑destructing.

Why It Matters for TPRM

  • Full‑device takeover can expose employee credentials, corporate data and crypto assets stored on mobile devices.
  • The kit is sold on secondary markets, widening the pool of threat actors that can target your third‑party vendors.
  • BYOD and mobile‑first strategies increase the attack surface for enterprises that rely on iOS endpoints.

Who Is Affected – Financial services (especially crypto‑wallet providers), technology SaaS firms with mobile apps, and government agencies with iOS‑based workflows.

Recommended Actions – Review iOS device inventory, enforce timely patching, strengthen mobile threat detection, tighten MDM policies, and monitor for DarkSword IOCs (the six CVEs).

Technical Notes – The exploit chain leverages CVE‑2025‑31277, CVE‑2026‑20700 (PAC bypass, zero‑day), CVE‑2025‑43529, CVE‑2025‑14174, CVE‑2025‑43510, CVE‑2025‑43520. It targets iOS 18.4‑18.7, requires minimal user interaction, and exfiltrates data within seconds. Source: Security Affairs

📰 Original Source
https://securityaffairs.com/189662/hacking/darksword-emerges-as-powerful-ios-exploit-tool-in-global-attacks.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →