State snoops and spyware vendors planting info-stealing malware on iPhones, Google warns

https://www.theregister.com/headlines.atom
Summary

A new exploit kit targeting iPhone users and stealing their sensitive data is being abused by "multiple" spyware vendors and suspected nation-state goons, security researchers said on Wednesday. The exploit kit, called DarkSword, has been in use since at least November 2025. It supports iOS versions 18.4 through 18.7, and exploits six different vulnerabilities to deploy three different backdoors that steal a ton of personal information, including messages, recordings, location history, signed-in accounts, cryptocurrency wallet data, and more.

In coordinated research published Wednesday, Google, iVerify, and Lookout analyzed the malware and noted that this is the second time this month that they've spotted disparate criminal groups using a single iOS exploit kit to spy on iPhone users. The earlier exploit framework is called Coruna, and one of the earlier groups abusing Coruna - a suspected Russian espionage crew tracked as UNC6353 - has also been using DarkSword in its watering hole campaigns targeting Ukrainians.

The DarkSword exploit kit abuses six vulnerabilities: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. All six have since been patched, so be sure to update to the latest iOS release. Apple did not respond to The Register's request for comment.

How the exploit chain works

The attack requires an iPhone user to navigate to a malicious website to trigger the exploit chain. It begins with miscreants exploiting either CVE-2025-31277 or CVE-2025-43529 – depending on the iOS version – to achieve remote code execution, according to iVerify's analysis. Both of these bugs allow attackers to obtain arbitrary memory read/write primitives, and once they've done this, they bypass Trusted Path Read-Only (TPRO) and Pointer Authentication Codes (PAC) mitigations by exploiting CVE-2026-20700.
"This allows them to fully sidestep the SPRR and JIT Cage mitigations via thread state manipulation and achieve arbitrary code execut...

First seen: 2026-03-18 21:57

Last seen: 2026-03-23 07:00