Google revealed another series of exploits affecting outdated iPhones

After its recent disclosure of the Coruna exploit targeting older versions of iOS, the company has now disclosed a similar attack believed to be called DarkSword. Here are the details.

A few more reasons to keep your device up to date

A few weeks ago, Google and iVerify published two reports with detailed information about the Coruna exploit, which tied many iOS vulnerabilities to compromise iPhones running outdated system versions.

After the reports were released, Apple released iOS 16.7.15, iOS 15.8.7, iPadOS 16.7.15, and iPadOS 15.8.7, addressing the kernel and WebKit vulnerabilities discovered by Coruna.

Interestingly, earlier today, Apple published a new support document titled Update iOS to protect your iPhone from web attacks, where it says “security researchers have recently identified web-based attacks that target older versions of iOS with malicious web content,” and goes on to explain the following:

If you’ve kept your iPhone software up to date, you’re already protected. (…) If your iPhone has an older version of iOS, update to protect your data:

• Devices with the latest, updated versions of iOS 15 through iOS 26 are already protected. If you haven’t updated your software recently, update iOS on your iPhone.
• We released a software update for iOS 15 and iOS 16 on March 11, 2026, to extend security to older devices that cannot upgrade to the latest version of iOS.
• Devices with iOS 13 or iOS 14 must upgrade to iOS 15 to receive these protections and will receive an additional warning to install a Critical Security Update in the next few days.
• Apple Safe Browsing in Safari is turned on by default and blocks malicious URL domains identified in this attack.

Note: Users who cannot update their device may consider enabling Lock Mode (if available) to protect against malicious web content and other threats.

As it turns out, the new Security post may refer not only to Coruna but also to another series of exploits, which the Google Threat Intelligence Group (GTIG) believes is called DarkSword.

According to GTIG, there are “multiple commercial vendors and suspected government-sponsored actors using DarkSword in separate campaigns,” and they add that “these threat actors have used a series of exploits against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.”

In short, DarkSword works similarly to Coruna. It covers multiple vulnerabilities to achieve full kernel-level resiliency.

And like Coruna, DarkSword is delivered through compromised or fraudulent websites, then binds multiple ranks before releasing payloads such as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

According to GTIG, CVEs associated with DarkSword include:

• CVE-2025-31277 (patched in iOS 18.6)
• CVE-2026-20700 (patched in iOS 26.3)
• CVE-2025-43529 (patched in iOS 18.7.3 and iOS 26.2)
• CVE-2025-14174 (patched in iOS 18.7.3 and iOS 26.2)
• CVE-2025-43510 (patched in iOS 18.7.2 and iOS 26.1)
• CVE-2025-43520 (patched in iOS 18.7.2 and iOS 26.1)

To get into the technical details, check out the GTIG report, which was published in conjunction with Lookout and iVerify, both of which shared their findings.

Oh, yes, and make sure your devices are running the latest version of iOS.

It’s worth checking out on Amazon