Google’s security teams have exposed a new exploit chain dubbed DarkSword, which targets older iPhones through malicious web content in a manner similar to the previously revealed Coruna exploit. These attacks specifically affect devices running outdated iOS versions, putting users at risk of having their phones fully compromised at the kernel level.
Apple recently addressed vulnerabilities exploited by the Coruna attack with the release of iOS updates 16.7.15 and 15.8.7, alongside corresponding iPadOS patches. A new Apple support document warns that web-based attacks continue to threaten iPhones with older iOS versions, urging users to update their software. The company highlighted that devices running iOS 15 through the latest iOS 26 are protected from these exploits.
Importantly, devices stuck on iOS 13 or 14 must first upgrade to iOS 15 to gain these protections. For those unable to update, Apple recommends enabling Lockdown Mode as a defensive measure against malicious content. Safari’s default Safe Browsing feature also blocks URLs associated with these attacks, adding an extra layer of protection.
The Google Threat Intelligence Group (GTIG) explains that DarkSword, like Coruna, chains multiple vulnerabilities to execute kernel-level exploits. However, DarkSword is known to be used by commercial surveillance firms and suspected state-backed actors, targeting individuals mainly in Saudi Arabia, Turkey, Malaysia, and Ukraine. The attack involves a multi-stage payload delivery through compromised or decoy websites, deploying malware such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.
- Some of the identified vulnerabilities (CVEs) DarkSword exploits include:
- CVE-2025-31277 (fixed in iOS 18.6)
- CVE-2026-20700 (fixed in iOS 26.3)
- CVE-2025-43529 (fixed in iOS 18.7.3 and iOS 26.2)
- CVE-2025-14174 (fixed in iOS 18.7.3 and iOS 26.2)
- CVE-2025-43510 (fixed in iOS 18.7.2 and iOS 26.1)
- CVE-2025-43520 (fixed in iOS 18.7.2 and iOS 26.1)
These patches underline the importance of keeping iPhones updated, especially as attackers employ increasingly sophisticated, multi-stage exploits to bypass security measures. With common malware payloads associated with DarkSword emerging in targeted regions, users outside these areas should also remain vigilant – exploits often spread beyond initially reported locations.
Apple’s emphasis on updating older devices not capable of the latest iOS versions reflects the challenge of supporting legacy hardware amid a rapidly evolving threat landscape. Enabling Lockdown Mode, previously optional, as a recommended fallback shows how layered defenses are becoming necessary for all users.
While the technical reports by Google, Lookout, and iVerify offer deep insights for security professionals, the key advice for everyday users is clear: update your iPhone’s software whenever possible and stay alert for alerts highlighting critical security updates. Ignoring these warnings leaves devices open to sophisticated state-sponsored surveillance techniques disguised as everyday web activity.