New exploit campaign targets older iOS WebKit/dyld
Researchers warned of 'Coruna/DarkSword' attacks that exploit WebKit and dyld flaws on older iOS builds; users are being urged to install security updates to close the vector. The advisory highlights ongoing risk for legacy devices running unpatched firmware. (x.com)
Google’s Threat Intelligence Group and iVerify traced Coruna to five full exploit chains containing 23 separate exploits that target iPhones running iOS 13.0 through 17.2.1, with disclosures published by GTIG on March 3, 2026. (cloud.google.com)

Apple released emergency security updates iOS 16.7.15 and iOS 15.8.7 on March 12, 2026 specifically to address vulnerabilities exploited by the Coruna framework. (securityweek.com)

Google’s GTIG reports DarkSword is a distinct full-chain JavaScript exploit observed since at least November 2025 that chains six vulnerabilities to compromise devices running iOS 18.4 through 18.7 and deploys three final-stage malware families named GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. (cloud.google.com)

Public reporting and GTIG’s table identify DarkSword’s stages as including CVE-2025-31277 (JavaScriptCore/WebKit memory corruption), CVE-2025-43510 and CVE-2025-43520 (kernel memory management corruption), plus a dyld user-mode PAC bypass tracked as CVE-2026-20700; most of these were patched by Apple in iOS 26.3. (prismnews.com / cloud.google.com)

On March 20, 2026 CISA added three Apple CVEs tied to DarkSword (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) to its Known Exploited Vulnerabilities catalog and set a remediation deadline of April 3, 2026 for federal civilian agencies under BOD 22-01. (lookout.com)

Researchers and vendors report DarkSword code and modules have been leaked to public repositories, with at least one confirmed GitHub leak on March 26, 2026 that broadened access to the toolkit beyond its initial commercial-surveillance users. (techcrunch.com)

GTIG and partner firms added delivery domains to Safe Browsing and recommended enabling Lockdown Mode when updates are unavailable, while Apple’s support advisory published March 19, 2026 urged devices running iOS 13 or 14 to upgrade to at least iOS 15 where possible. (cloud.google.com) (macrumors.com)