The US Cybersecurity and Infrastructure Security Agency has ordered federal agencies to urgently patch three serious iPhone vulnerabilities that have been actively used in cyberattacks involving cryptocurrency theft and espionage.
These security flaws are part of a larger attack chain known as the DarkSword exploit kit, recently uncovered by researchers from Google Threat Intelligence Group and iVerify. The exploit chain includes six vulnerabilities that attackers used together to break into iPhones, bypass security protections, and gain full control over devices.
The vulnerabilities allow attackers to escape Apple’s security sandbox, escalate their privileges, and execute malicious code remotely. Apple has already released fixes for all of them, but devices running iOS versions between 18.4 and 18.7 remain at risk if they have not been updated.
Security researchers have linked DarkSword to multiple threat groups. These include UNC6748, believed to be connected to a Turkish surveillance company, and UNC6353, which is suspected to be tied to Russian cyber espionage operations.
During these attacks, researchers observed three different types of malware being installed on victims’ devices. GhostBlade is a powerful JavaScript-based tool designed to steal sensitive information. GhostKnife acts as a backdoor that can extract large amounts of data. GhostSaber is another malicious script that both runs commands and collects user data.
In some campaigns, attackers used DarkSword alongside another exploit kit called Coruna. These attacks targeted iPhone users visiting compromised Ukrainian websites, including those related to e-commerce, industrial equipment, and local services.
One notable feature of DarkSword is its ability to remove traces of its activity. After collecting data, it deletes temporary files and exits, making detection much harder. This suggests the tool is designed for short-term, stealthy surveillance operations.
Mobile security firm Lookout believes DarkSword is being used in campaigns aligned with Russian intelligence goals, as well as for financially motivated cybercrime.
CISA has added three of the vulnerabilities to its list of actively exploited threats and has given federal agencies until April 3 to secure affected systems. The deadline is set under Binding Operational Directive 22-01, which requires agencies to promptly remediate known exploited vulnerabilities.
Although this order applies specifically to US federal agencies, CISA has strong