
Russian UNC6353 Uses Coruna and Darksword iOS Exploit Kits Across iOS 13–18.7 Targeting Financial Espionage and Data Theft

4 unique sources, 14 articles

Summary


Apple has expanded security updates with iOS 18.7.7 and iPadOS 18.7.7 to protect devices still running iOS 18 from the DarkSword exploit kit, without requiring a full OS upgrade. This follows continued exploitation of DarkSword since July 2025 across multiple countries, with attacks chaining six vulnerabilities to deploy data-stealing malware such as GhostBlade, GhostKnife, and GhostSaber through watering hole attacks on compromised websites. The campaign remains linked to the Russian threat actor UNC6353 and associated groups, including UNC6748 and the Turkish vendor PARS Defense. The Coruna and DarkSword exploit kits are now confirmed to be closely related frameworks that share origins in the 2019–2023 Operation Triangulation campaign. Coruna has evolved from a precision espionage tool into a mass-exploitation framework with 23 exploits across five chains, while DarkSword targets iOS 18.4–18.7 and has been publicly leaked on GitHub. Apple has patched all exploited flaws in recent releases (18.7.3, 26.2, 26.3.1), and CISA has mandated that federal agencies patch three DarkSword-linked vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) by April 3, 2026. The commoditization of these iOS exploitation tools raises the risk to end users globally.

Timeline

  1. 18.03.2026 16:02 7 articles · 15d ago

    DarkSword iOS Exploit Kit Discovered Targeting iOS 18.4–18.6.2

    Apple expands security coverage by releasing iOS 18.7.7 and iPadOS 18.7.7 on April 1, 2026, to protect devices still running iOS 18 from DarkSword's six vulnerabilities without requiring a full OS upgrade. The update covers iPhone XR through iPhone 16 models, iPhone SE (2nd and 3rd generation), multiple iPad mini, iPad Air and iPad Pro models, and iPad (7th generation). DarkSword exploitation has been active since July 2025 across multiple countries, delivering data-stealing malware including GhostBlade, GhostKnife, and GhostSaber through watering hole attacks on compromised websites. The public leak of DarkSword on GitHub increases the risk of commoditized exploitation beyond targeted campaigns, prompting Apple's unusual decision to backport patches to an older major OS version.

  2. 04.03.2026 15:28 9 articles · 29d ago

    Coruna Exploit Kit Used in Multiple Campaigns by Various Threat Actors

    Kaspersky GReAT confirms that Coruna is a continuously maintained evolution of the Operation Triangulation framework, with code-level continuity in its kernel exploits (CVE-2023-32434 and CVE-2023-38606) dating back to 2019. The framework includes explicit checks for Apple's A17, M3, M3 Pro, and M3 Max chips and supports iOS versions below 14.0 beta 7, 14.7, 16.5 beta 4, 16.6 beta 5, and 17.2. Attacks begin on compromised websites visited in Safari, where a stager fingerprints the device, selects the matching RCE and PAC-bypass exploits, and retrieves encrypted metadata. Payloads are decrypted with ChaCha20, decompressed with LZMA, and parsed from custom container formats before the appropriate kernel exploit, Mach-O loader, and launcher are executed. The payloads support both the ARM64 and ARM64E architectures. Originally a precision espionage tool, Coruna is now deployed indiscriminately in campaigns aimed at cryptocurrency theft and broader data exfiltration.


Similar Happenings

Background Security Improvements update issued to remediate CVE-2026-20643 WebKit navigation bypass

Apple's Background Security Improvements update addressed CVE-2026-20643, a WebKit flaw that allowed malicious web content to bypass Same-Origin Policy restrictions via the Navigation API. The vulnerability affected iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, exposing users to data leakage or spoofing. The fix was delivered as a lightweight, out-of-band patch through Apple's Background Security Improvements mechanism, eliminating the need for a full OS upgrade or device restart. Background Security Improvements updates can be managed under Privacy & Security settings, with options for automatic installation and for rolling back to the baseline OS version if an update is removed.

Increase in Zero-Day Exploits in 2025

Google Threat Intelligence Group (GTIG) reported tracking 90 zero-day vulnerabilities exploited in 2025, a 15% increase from 2024. Nearly half targeted enterprise software and appliances: 43 (48%) zero-days, up from 36 (46%) in 2024. Memory safety issues accounted for 35% of these exploits. Commercial spyware vendors were the largest users of zero-days, surpassing state-sponsored groups. China-linked espionage groups remained the most active among state actors, while financially motivated actors also increased their use of zero-days. The most targeted enterprise systems included security appliances, networking infrastructure, VPNs, and virtualization platforms. Google recommends reducing attack surfaces, continuous monitoring, and rapid patching to mitigate the risk.

PCI Security Standards Council Highlights Accelerating Threats to Payment Systems

The PCI Security Standards Council (PCI SSC) released its first annual report, emphasizing the increasing sophistication and speed of threats targeting payment systems. The report underscores the need for global coordination, education, and collaboration to advance payment security across various sectors. Threat actors are increasingly targeting payment cards, point-of-sale systems, and processing systems through methods like skimming, jackpotting, and credential theft. The council's initiatives aim to secure mobile, data, device, software, and card products by updating standards and compliance requirements.

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from an improperly functioning peering authentication mechanism, which lets attackers log in as high-privileged users and manipulate network configurations. Cisco has released software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026.

Attackers have been observed leveraging the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have cleared evidence of the intrusion by purging logs and command history. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023.

Cisco has also flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue in the Data Collection Agent (DCA) feature that allows an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug in the API that allows a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Separately, Cisco has released updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.

Predator Spyware Hides iOS Recording Indicators via SpringBoard Hooking

Intellexa's Predator spyware leverages kernel-level access to hook the iOS SpringBoard process and suppress the camera and microphone activity indicators. The malware intercepts sensor activity updates, preventing the green or orange dots from appearing in the status bar, so its surveillance activity stays hidden from the user. The spyware relies on previously obtained kernel access rather than on zero-day vulnerabilities.