Full Report
CISA ordered U.S. government agencies to patch three iOS vulnerabilities exploited in cryptocurrency-theft and cyberespionage attacks delivered by the DarkSword exploit kit. [...]
Analysis Summary
# Vulnerability: DarkSword iOS Exploit Chain
## CVE Details
- **CVE ID:** CVE-2025-31277, CVE-2025-43510, CVE-2025-43520 (Specifically highlighted by CISA)
- **CVSS Score:** N/A (no score is given in the source; treat the chain as High/Critical, since it achieves remote code execution, sandbox escape and privilege escalation on the device)
- **CWE:** Not specified (the chain involves sandbox escape and privilege escalation)
## Affected Systems
- **Products:** Apple iPhone and iPad
- **Versions:** iOS 18.4 through iOS 18.7
- **Configurations:** Any device used for web browsing; victims were reached through watering-hole sites rather than through a specific device configuration.
## Vulnerability Description
These vulnerabilities form part of a six-flaw exploit chain used by the **DarkSword** exploit kit; CISA highlighted three of the six. The chain is multi-stage, in the order a browser exploit kit normally runs:
1. **Initial Access:** The victim's browser loads a watering-hole page that serves the kit's delivery framework; loading the page is the trigger.
2. **Remote Code Execution (RCE):** The delivery framework exploits the browser so that attacker code runs inside the browser's sandboxed content process.
3. **Sandbox Escape:** The chain breaks out of that restricted process.
4. **Privilege Escalation:** It gains elevated (root) access to the operating system.
5. **Payload Deployment:** The final stage drops GhostBlade, GhostKnife or GhostSaber to collect and exfiltrate data.
## Exploitation
- **Status:** Exploited in the wild (CISA KEV Catalog)
- **Complexity:** Medium (the victim only has to load the watering-hole page, but building and serving a six-flaw chain requires a sophisticated exploit kit)
- **Attack Vector:** Network (Web-based watering-hole attacks)
## Impact
- **Confidentiality:** High (Theft of cryptocurrency credentials and sensitive personal data)
- **Integrity:** High (Modification of system files and installation of backdoors)
- **Availability:** Low (Primary focus is on stealthy exfiltration rather than disruption)
## Remediation
### Patches
- Apple has released patches for these vulnerabilities. Update to the **latest available version of iOS/iPadOS**; any release later than iOS 18.7 is outside the affected range.
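A fleet-level check that turns the affected range above into something an MDM or inventory export can be run through, as an added example for this write-up (not Apple's, CISA's or Lookout's tooling). It assumes the range stated on this page, iOS 18.4 through 18.7 inclusive, and treats any version strictly later than 18.7, whether a 18.7.x point release or a newer major, as patched, which is what "update past 18.7" implies. The CSV inventory is constructed sample data.

```python
"""Flag iOS/iPadOS devices still inside the DarkSword-affected version range.

Added example for this write-up, not vendor tooling. Assumption: affected
range is 18.4 <= version <= 18.7 (as stated above); anything strictly later
than 18.7 is treated as patched. Inventory rows below are constructed.
"""
import csv
import io

AFFECTED_MIN = (18, 4)
AFFECTED_MAX = (18, 7)


def parse_version(s):
    """'18.7.1' -> (18, 7, 1). Raises ValueError on anything non-numeric."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the build falls inside the published range.

    Python tuple comparison does the right thing for point releases:
    (18, 7, 1) > (18, 7), so 18.7.1 is outside the range, while
    (18, 4, 1) sits between (18, 4) and (18, 7) and is inside it.
    """
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage_inventory(csv_text):
    """Return (device_id, os_version, status) for every inventory row.

    status is 'AFFECTED', 'ok', or 'unknown' when the version field is junk;
    'unknown' is reported rather than silently skipped so it gets chased up.
    """
    results = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        try:
            status = "AFFECTED" if is_affected(rec["os_version"]) else "ok"
        except ValueError:
            status = "unknown"
        results.append((rec["device_id"], rec["os_version"], status))
    return results


# Constructed sample inventory: device IDs, models and builds are made up.
SAMPLE_INVENTORY = """device_id,model,os_version
ipad-0001,iPad,18.3.2
iphone-0002,iPhone,18.4
iphone-0003,iPhone,18.6.2
iphone-0004,iPhone,18.7
iphone-0005,iPhone,18.7.1
iphone-0006,iPhone,26.0
iphone-0007,iPhone,n/a
"""

if __name__ == "__main__":
    for device, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{device:12} {version:8} {status}")
```

Note that 18.3.2 is reported as "ok" only in the sense of being outside the range this page gives; older builds are unsupported and should be upgraded regardless.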
### Workarounds
- **No official workarounds:** Patching is the only effective mitigation.
- **Reduce exposure:** Until devices are patched, avoid untrusted or high-risk websites, particularly those tied to the observed targeting (the report names specific Ukrainian service portals used as watering holes).
## Detection
- **Indicators of Compromise:**
  - Anti-forensic cleanup: DarkSword wipes its own temporary files, so few on-device artifacts may survive; treat unexplained gaps in expected files or logs as a signal rather than as proof of a clean device.
  - Presence of **GhostBlade** (JavaScript infostealer), **GhostKnife** (backdoor) or **GhostSaber** (JavaScript-based data stealer).
- **Detection methods and tools:**
  - Mobile security platforms (e.g., Lookout, iVerify) that scan for known exploit-kit artifacts.
  - Monitoring for traffic to the C2 (Command and Control) infrastructure attributed to UNC6748 or UNC6353, using the indicators published in the referenced reports.
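The network-side check above can be run retrospectively over web-proxy logs, and Safari's User-Agent string makes it possible to tell which of the devices that reached a watering-hole or C2 host were on an exploitable build at the time. The following is an added example for this write-up, not a Lookout, iVerify or CISA tool. It assumes the affected range stated on this page (iOS 18.4 through 18.7); the tab-separated log format, the client IPs and the hostnames in `IOC_HOSTS` are all constructed placeholders, since this page quotes no indicators, and should be replaced by the IOC list from the referenced reports and your own proxy export.

```python
"""Hunt proxy logs for DarkSword-style watering-hole exposure.

Added example for this write-up, not vendor tooling. Log format, IPs and
IOC hostnames are constructed; the affected range is the one on this page.
"""
import re

AFFECTED_MIN, AFFECTED_MAX = (18, 4), (18, 7)

# Constructed stand-ins for the watering-hole / C2 hostnames published in the
# vendor reports. None of these appear on this page; load the real list.
IOC_HOSTS = {"portal-update.example", "cdn-assets.example"}

# Safari on iOS/iPadOS encodes the OS build in the User-Agent, e.g.
# "CPU iPhone OS 18_6_2 like Mac OS X" (older iPad form: "CPU OS 18_4 ...").
UA_IOS_RE = re.compile(r"CPU (?:iPhone )?OS (\d+)_(\d+)(?:_(\d+))? like Mac OS X")


def ios_version_from_ua(ua):
    """Return the iOS build as a tuple, or None for non-iOS/unknown clients."""
    m = UA_IOS_RE.search(ua)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def classify(line):
    """One TSV line (ts, client, host, user_agent) -> finding tuple or None.

    Severity reflects what the log can actually tell us:
      HIGH   - iOS build inside the affected range reached an IOC host
      MEDIUM - iOS device outside the published range reached an IOC host
      LOW    - non-iOS client reached an IOC host (still worth a look)
    """
    ts, client, host, ua = line.rstrip("\n").split("\t", 3)
    if host not in IOC_HOSTS:
        return None
    ver = ios_version_from_ua(ua)
    if ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX:
        sev = "HIGH"
    elif ver is not None:
        sev = "MEDIUM"
    else:
        sev = "LOW"
    return (sev, ts, client, host, ver)


def hunt(log_text):
    """Return all findings from a TSV log export, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines() if l.strip()) if f]


# Constructed sample export: timestamp, client IP, destination host, User-Agent.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2025-11-03T09:12:01Z", "10.0.0.21", "portal-update.example",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 18_6_2 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"),
    ("2025-11-03T09:12:40Z", "10.0.0.22", "portal-update.example",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_1 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"),
    ("2025-11-03T09:13:05Z", "10.0.0.23", "cdn-assets.example",
     "Mozilla/5.0 (iPad; CPU OS 18_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"),
    ("2025-11-03T09:14:17Z", "10.0.0.24", "cdn-assets.example",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/130.0 Safari/537.36"),
    ("2025-11-03T09:15:00Z", "10.0.0.25", "www.apple.com",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"),
])

if __name__ == "__main__":
    for sev, ts, client, host, ver in hunt(SAMPLE_LOG):
        print(f"{sev:6} {ts} {client:10} {host:24} iOS={ver}")
```

A HIGH finding says only that an exploitable build touched a bad host; it does not prove the chain fired, and because the kit cleans up after itself the device should be triaged with a mobile security platform rather than cleared on the basis of a quiet filesystem.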
## References
- **Vendor Advisories:** hxxps[://]support.apple[.]com/en-us/HT201222
- **CISA KEV Catalog:** hxxps[://]www.cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Researcher Analysis:** hxxps[://]www.lookout[.]com/blog/darksword
- **Threat Intelligence:** hxxps[://]www.bleepingcomputer[.]com/news/security/new-darksword-ios-exploit-used-in-infostealer-attack-on-iphones/