Apple iOS 'DarkSword' Alert
CISA flagged an active exploit chain dubbed “DarkSword” targeting iOS/iPadOS and added multiple flaws to its Known Exploited Vulnerabilities (KEV) catalog; Apple pushed iOS 26.4 with security features to mitigate risk. Patching is urgent: federal agencies were given a tight deadline, and roughly 25% of devices still run iOS 18 or older, increasing exposure for facility staff using Apple devices. (gbhackers.com) (macobserver.com)
CISA added five vulnerabilities to its KEV catalog on March 20, 2026, listing CVE-2025-31277, CVE-2025-32432, CVE-2025-43510, CVE-2025-43520, and CVE-2025-54068. (cisa.gov) Security researchers characterize the DarkSword exploit chain as a six-flaw sequence tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. (bleepingcomputer.com) CISA specifically added three DarkSword-linked CVEs (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) to the KEV catalog and ordered Federal Civilian Executive Branch agencies to remediate within two weeks, setting a compliance date of April 3, 2026. (bleepingcomputer.com)
Google’s Threat Intelligence Group and partners say DarkSword has been observed since at least November 2025, targets iPhones running roughly iOS 18.4–18.7, and delivers three separate malware families labeled GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER after successful exploitation. (cloud.google.com) Researchers link DarkSword deployments to multiple actors, including UNC6748 (a customer of Turkish vendor PARS Defense) and suspected Russian espionage group UNC6353, and report watering-hole delivery against e-commerce, industrial, and local services sites. (bleepingcomputer.com)
Apple seeded the iOS 26.4 release candidate to developers on March 18, 2026. (developer.apple.com) Apple’s iOS 26.4 RC flips Stolen Device Protection to on by default and ships security fixes researchers say patch the DarkSword-linked flaws; vendors and CISA advise applying those updates or, where updates aren’t possible, enabling mitigations such as Lockdown Mode and Advanced Data Protection. (macobserver.com)