
DarkSword iPhone exploit chain exploitation wave

Exploitation Wave
H score 64
3 unique sources, 4 articles

Summary


DarkSword is an active iPhone exploitation wave targeting iOS 18.4 through iOS 18.7. On April 1, Apple expanded iOS 18.7.7 and iPadOS 18.7.7 to more older devices so they can receive protections without a full OS upgrade. The kit has been used in targeted cyber-attacks since July 2025, including web-based watering hole attacks that can deploy malware after a user visits a compromised website. Researchers say the wave has been linked to six vulnerabilities and to data-stealing malware including GhostBlade, GhostKnife and GhostSaber, and that more users on older software remain exposed until they patch.

Related Happenings

Gremlin stealer modular toolkit evolution

Malware Activity
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

MiningDropper (BeatBanker) modular Android payload framework with encrypted staging

Technical Analysis
First: 24.04.2026 14:48 Last: 24.04.2026 14:48 Sources 1

About this happening: **MiningDropper (BeatBanker)** now stands out as a **layered modular Android malware framework** that can reuse one delivery chain across **hundreds of samples**, making **static...

SilentGlass launch as a monitor-connection protection security device

Security Tool/Service
First: 22.04.2026 18:00 Last: 22.04.2026 18:00 Sources 1

About this happening: The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **DisplayPort** con...

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

Apple iOS 18.7.7 security update expansion for DarkSword

Security Patch Release
First: 02.04.2026 00:50 Last: 02.04.2026 00:50 Sources 1

How related: We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security protections from web attacks called DarkSword,

About this happening: Apple expanded **iOS 18.7.7** availability to more older **iPhones and iPads** on **April 1, 2026**, letting devices that stay on **iOS 18** receive protections against the **acti...

Timeline

  1. 02.04.2026 16:30 2 articles · 1mo ago

    Apple expands iOS 18.7.7 protections for DarkSword targets

    Mitigation Patch Update

    Apple broadened availability of iOS 18.7.7 and iPadOS 18.7.7 on April 1 to more devices still running iOS 18, including iPhone XR through iPhone 16 models, iPhone SE (2nd and 3rd generation), and multiple iPad models, so they can receive security patches against DarkSword web-based watering hole attacks that can deploy malware after a user visits a compromised website. Apple also began sending lock screen notifications to users running older software, urging installation of the latest security updates.

  2. 18.03.2026 23:15 2 articles · 2mo ago

    DarkSword research disclosure and remediation guidance

    Initial Disclosure

    Google, iVerify, and Lookout publish research on DarkSword, an iOS exploit chain targeting iPhones running iOS 18.4 through 18.7 and used since at least November 2025 against users in Saudi Arabia, Turkey, Malaysia, and Ukraine by commercial surveillance vendors and suspected state-sponsored actors. The chain combines multiple vulnerabilities, including CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520, to achieve remote code execution, sandbox escape, privilege escalation, full device compromise, sensitive-data exfiltration, and cryptocurrency wallet theft. The guidance says the flaws have been fixed in iOS 18.7.6 and iOS 26.3.1, but more than 200 million users may still be vulnerable, with Lockdown Mode suggested as an added defense.
