Active iOS exploit warnings: DarkSword/Coruna
Apple alerted users about active exploits (DarkSword/Coruna) targeting older iOS 18.4–18.7 builds that can silently steal data via compromised sites — patching is urged. That’s a direct operational and incident‑response risk for teams running web or app services. (x.com)
Google’s Threat Intelligence Group (GTIG) published a detailed DarkSword analysis on March 18, 2026 and reported multiple commercial surveillance vendors and suspected state‑sponsored actors using the chain since at least November 2025. (cloud.google.com) DarkSword is a full‑chain Safari/WebKit delivery that chains six distinct vulnerabilities and has been observed deploying post‑compromise implants labeled GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. (cloud.google.com) Researchers recovered DarkSword delivery infrastructure in watering‑hole pages and captured a one‑click exploit kit with modules configured for devices running iOS 18.4–18.6.2 (with some modules referencing 18.7). (iverify.io) Independent reporting cites iVerify’s estimate that roughly 220–270 million iPhones may still run exposed iOS‑18 builds, and GTIG observed deployments in Saudi Arabia, Turkey, Malaysia and Ukraine. (theepochtimes.com) GTIG reported the underlying bugs to Apple in late 2025; most fixes were rolled into iOS 26.3 and Apple’s Background Security Improvements released March 17–18, 2026, and Google added the delivery domains to Safe Browsing. (cloud.google.com)

Recommended exec‑update format for this incident: a three‑slide, three‑minute brief. 15 seconds: one‑line incident posture citing DarkSword and the discovery date. 30 seconds: current containment status and patch timeline. 135 seconds: concrete asks (engineering hours, comms, legal). (cloud.google.com)

Daily leadership review metrics to surface in that brief: patch‑adoption percentage against a 72‑hour critical‑patch cadence target (industry guidance recommends deploying critical patches within 72 hours), mean time to detect under 24 hours, mean time to remediate under 72 hours, and the count of malicious domains blocked. (jumpcloud.com)

A concise senior‑leadership ask template tied to action: (1) approve emergency patch windows and escalation of mobile OS update rollouts, (2) authorize user communications and customer advisory language, and (3) mandate Background Security Improvements and Lockdown Mode for high‑risk employees. Apple documents Background Security Improvements and Lockdown Mode as mitigations. (support.apple.com)
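The patch‑adoption and exposure numbers above have to come from somewhere, usually an MDM inventory export. The script below is an added example, not code from Apple, GTIG or any vendor named here: it classifies each device against the iOS 18.4–18.7 range from the alert and the iOS 26.3 fix level stated above, computes the adoption percentage for the brief, lists exposed devices owned by high‑risk users (the Lockdown Mode candidates), and reports hours remaining in the 72‑hour patch window. The inventory rows, column names and the choice to treat every 18.7.x point release as exposed are constructed assumptions; confirm the exact fixed build list against Apple’s advisory before relying on the classification.

```python
"""Exposure and patch-adoption metrics from a constructed MDM inventory export."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample MDM export; device ids, builds and owner labels are invented.
SAMPLE_INVENTORY = """\
device_id,os_version,owner_risk
ip-001,18.5,standard
ip-002,18.6.2,high
ip-003,26.3,standard
ip-004,18.7.3,standard
ip-005,17.7.2,standard
ip-006,26.3.1,high
"""

# Range named in the alert (iOS 18.4-18.7). Assumption: any 18.7.x point
# release counts as exposed until checked against Apple's advisory.
EXPOSED_MIN = (18, 4)
EXPOSED_MAX = (18, 7)
# The page states most fixes shipped in iOS 26.3.
FIXED_MIN = (26, 3)
# Critical-patch cadence target from the brief, and the fix release date named above.
PATCH_SLA = timedelta(hours=72)
PATCH_RELEASED_AT = "2026-03-18T00:00:00Z"


def parse_version(text):
    """'18.6.2' -> (18, 6, 2). Tuples compare component-wise, so 18.10 > 18.9
    (a plain string comparison would get that wrong)."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version):
    """Return 'exposed', 'fixed' or 'other' for a parsed iOS version tuple."""
    if EXPOSED_MIN <= version[:2] <= EXPOSED_MAX:   # compare major.minor only
        return "exposed"
    if version >= FIXED_MIN:
        return "fixed"
    return "other"   # outside the alert's range; needs its own assessment


def load_inventory(csv_text):
    """Parse the export and attach a parsed version and status to each row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["version"] = parse_version(row["os_version"])
        row["status"] = classify(row["version"])
    return rows


def metrics(rows):
    """Figures for the daily leadership brief."""
    counts = {"exposed": 0, "fixed": 0, "other": 0}
    for row in rows:
        counts[row["status"]] += 1
    total = len(rows)
    return {
        **counts,
        "total": total,
        "patch_adoption_pct": round(100.0 * counts["fixed"] / total, 1) if total else 0.0,
        # Exposed devices of high-risk users go first: Lockdown Mode and priority patching.
        "priority_devices": sorted(
            r["device_id"] for r in rows
            if r["status"] == "exposed" and r["owner_risk"] == "high"
        ),
    }


def _parse_iso(text):
    # fromisoformat() accepts a 'Z' suffix only on Python 3.11+; normalise it.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def hours_until_sla(now_iso, released_iso=PATCH_RELEASED_AT):
    """Hours left in the 72-hour window; negative means the target is already missed."""
    remaining = _parse_iso(released_iso) + PATCH_SLA - _parse_iso(now_iso)
    return round(remaining.total_seconds() / 3600, 1)


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    print(metrics(inventory))
    print("hours left in 72h window:", hours_until_sla("2026-03-19T12:00:00Z"))
```

Swap `SAMPLE_INVENTORY` for the real export (or read it from a file) and the same functions produce the adoption percentage and the priority list; keeping `classify()` separate from the I/O means the version ranges can be updated in one place when Apple publishes further fixed builds.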