After publishing analysis on Coruna, Google exposes another exploit channel targeting older versions of iOS, identified as “DarkSword” by the Google Threat Intelligence Group (GTIG).
Context: Coruna and the patches deployed in March 2026
At the beginning of March, Google and iVerify described Coruna, a chain combining several iOS vulnerabilities in order to compromise iPhones remaining on outdated versions. In the process, Apple released iOS 16.7.15, iOS 15.8.7, iPadOS 16.7.15 and iPadOS 15.8.7, with fixes notably targeting kernel and WebKit vulnerabilities.
On March 19, 2026, Apple also posted a support document titled Update iOS to protect your iPhone from web attacks, discussing web attacks targeting outdated versions of iOS via malicious web content. Apple specifies in particular that devices running iOS 13 or iOS 14 must upgrade to iOS 15 to benefit from these protections, and that Isolation mode (Lockdown Mode) can be considered when available.
“DarkSword”: a multi-stage exploitation chain
According to the GTIG, “DarkSword” is used in separate campaigns by “multiple commercial surveillance vendors” as well as suspected state-sponsored actors. Google says these operations targeted targets in Saudi Arabia, Turkey, Malaysia and Ukraine.
Like Coruna, DarkSword chains multiple vulnerabilities together to achieve a complete compromise at the kernel level. The diffusion would go through compromised sites or decoy sites, before the sequence of several phases leading to the deployment of payloads, including GHOSTBLADE, GHOSTKNIFE and GHOSTSABER.
Related vulnerabilities and fixed versions
- CVE-2025-31277 (fixed in iOS 18.6)
- CVE-2026-20700 (fixed in iOS 26.3)
- CVE-2025-43529 (fixed in iOS 18.7.3 and iOS 26.2)
- CVE-2025-14174 (fixed in iOS 18.7.3 and iOS 26.2)
- CVE-2025-43510 (fixed in iOS 18.7.2 and iOS 26.1)
- CVE-2025-43520 (fixed in iOS 18.7.2 and iOS 26.1)
Technical details are documented by Google in the GTIG post: darksword ios exploit chain, published in coordination with Lookout (darksword) and iVerify (darksword ios exploit kit explained).