The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors

A new iOS full-chain exploit, dubbed DarkSword, has been identified, leveraging six zero-day vulnerabilities to fully compromise devices running iOS versions 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors, including UNC6748, PARS Defense, and UNC6353, have deployed DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain progresses through remote code execution (RCE) using JavaScriptCore vulnerabilities (CVE-2025-31277, CVE-2025-43529) and a Pointer Authentication Code (PAC) bypass (CVE-2026-20700), followed by two sandbox escapes (WebContent to GPU via CVE-2025-14174, and GPU to mediaplaybackd via CVE-2025-43510), culminating in local privilege escalation through a kernel-mode race condition (CVE-2025-43520). Successful compromises deploy malware families such as GHOSTKNIFE (a JavaScript backdoor for data exfiltration and device control), GHOSTSABER (a JavaScript backdoor for enumeration, file listing, and arbitrary code execution), and GHOSTBLADE (a JavaScript dataminer collecting extensive device and personal data). All vulnerabilities were reported and patched by Apple, primarily in iOS 26.3, with earlier patches for some components. Users are strongly advised to update their devices to the latest iOS version or enable Lockdown Mode for enhanced security.

Severity: Critical

Threat Details and IOCs

Malware: Coruna, CryptoWaters, DarkSword, Deblind, GHOSTBLADE, GHOSTKNIFE, GHOSTSABER, Infamous Chisel
CVEs: CVE-2021-30952, CVE-2023-32409, CVE-2025-14174, CVE-2025-31277, CVE-2025-43300, CVE-2025-43510, CVE-2025-43520, CVE-2025-43529, CVE-2026-20700
Technologies: Apple iOS, Apple Safari, Google Android
Threat Actors: APT29, MatrixLLC, PARSDefense, Sandworm, UNC6353, UNC6691, UNC6748
Attacker Countries: China, Russia, Turkey
Attacker IPs: 141.105.130.237, 62.72.21.10, 72.60.98.48
Attacker Domains: 7aac.gov.ua, api.cloud-content-delivery.net, backup.cloud-content-delivery.net, cdn.cdncounter.net, cdn.cloud-content-delivery.net, cdncounter.net, cdn.uacounter.com, count.cdncounter.net, e5.malaymoil.com, novosti.dn.ua, sahibndn.io, shapelie.com, snapshare.chat, sqwas.shapelie.com, static.cdncounter.net, uacounter.com
Attacker URLs: https://static.cdncounter.net/assets/index.html, https://static.cdncounter.net/assets/pe_main.js, https://static.cdncounter.net/assets/rce_loader.js, https://static.cdncounter.net/assets/rce_module_18.6.js, https://static.cdncounter.net/assets/rce_module.js, https://static.cdncounter.net/assets/rce_worker_18.4.js, https://static.cdncounter.net/assets/rce_worker_18.6.js, https://static.cdncounter.net/assets/sbx0_main_18.4.js, https://static.cdncounter.net/assets/sbx1_main.js, https://static.cdncounter.net/widget.js, https://static.cdncounter.net/widgets.js?uhfiu27fajf2948fjfefaa42, hxxps://api.cloud-content-delivery.net/v1/, hxxps://backup.cloud-content-delivery.net/v1/, hxxps://cdn.cloud-content-delivery.net/client.js, hxxps://snapshare.chat/frame.html, x-safari-https://snapshare.chat/
Attacker Hashes: 2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35
Victim Industries: Defense, Financial Services, Food & Beverage, Food Processing, Government, Multimedia, Public Sector, Social Media, Technology Hardware
Victim Countries: China, Malaysia, Saudi Arabia, Turkey, Ukraine

Mitigation Advice

  • Immediately update all corporate and BYOD iOS devices to the latest available version, ensuring they are on at least iOS 26.3 or a patched equivalent to mitigate all six vulnerabilities used by the DarkSword exploit chain.
  • For high-risk users or on iOS devices that cannot be immediately updated, enable Apple's Lockdown Mode to significantly reduce the attack surface and block the complex web-based exploits used by DarkSword.
  • Add the following domains and IP addresses to your network blocklists in your firewall, DNS filter, and web proxy: snapshare[.]chat, 62.72.21[.]10, 72.60.98[.]48, sahibndn[.]io, e5.malaymoil[.]com, static.cdncounter[.]net, and sqwas.shapelie[.]com.
  • Use your endpoint security tools to scan all managed iOS devices for the file with SHA256 hash 2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35, which identifies the GHOSTBLADE dataminer payload.
  • Deploy the YARA rules provided in the article within your security tools to scan collected files and endpoint data for the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE malware families.

Compliance Best Practices

  • Establish and enforce a formal mobile device patch management policy that mandates the installation of security updates for all corporate and BYOD iOS devices within a specified timeframe after their release.
  • Evaluate and implement a Mobile Device Management (MDM) solution to enforce security configurations, mandate OS updates, and gain visibility into the security posture of all iOS devices accessing corporate data.
  • Implement a continuous security awareness training program that educates employees on the dangers of clicking unsolicited links and visiting untrusted websites, especially on mobile devices.
  • Investigate and deploy a Mobile Threat Defense (MTD) solution to monitor for anomalous behavior on iOS devices, such as privilege escalation, sandbox escapes, and attempts to delete system logs.

CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2026-20963)

CVE-2026-20963, a remote code execution (RCE) vulnerability affecting Microsoft SharePoint, is currently under active exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed this by adding the flaw to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, which Microsoft patched in January 2026, impacts Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016. It arises from the deserialization of untrusted data, enabling an unauthenticated attacker to execute arbitrary code remotely through a low-complexity, network-based attack without requiring user interaction. Despite Microsoft initially assessing it as "less likely" to be exploited, CISA has mandated that US federal civilian agencies address this flaw by March 21, 2026, and strongly advises all other organizations using SharePoint to apply the necessary updates due to the critical nature of SharePoint data and its role in corporate environments.

Severity: Critical

Threat Details and IOCs

Malware: DarkSword, GlassWorm, Interlock, Nefarious Mantis, NodeSnake, Warlock, X2anylock
CVEs: CVE-2025-53770, CVE-2025-66376, CVE-2026-20963
Technologies: Microsoft SharePoint, Microsoft Windows Server, Zimbra Collaboration
Threat Actors: EarthEstries, FamousSparrow, GhostEmperor, SaltTyphoon, Storm2603, UNC2286, Warlock
Attacker Countries: China, Iran, North Korea, Russia
Victim Industries: Cloud Infrastructure, Construction, Education, Energy, Financial, Financial Services, Government, Healthcare, Industrial Sector, Information Technology, Legal Services, Manufacturing, Retail, Technology Hardware
Victim Countries: Germany, Russia, United States

Mitigation Advice

  • Apply the January 2026 Microsoft security update for CVE-2026-20963 to all identified SharePoint servers immediately.
  • Initiate a vulnerability scan across the environment to identify all SharePoint servers vulnerable to CVE-2026-20963.
  • On SharePoint servers, investigate the w3wp.exe process for any unusual child processes, such as cmd.exe, powershell.exe, or other unexpected binaries.
  • Analyze firewall and network flow logs for any new or anomalous outbound connections originating from SharePoint server IP addresses.
  • Review SharePoint ULS and IIS web server logs for suspicious requests, focusing on requests containing long, complex, or abnormally structured serialized data objects.
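The process-tree check in the third item above, as an added example (not from the original advisory): it scans constructed process-creation records in a Sysmon-like key=value layout and flags children of w3wp.exe. The EXPECTED_CHILDREN baseline is an assumption and must be tuned per farm.

```python
"""Hunt for suspicious child processes of SharePoint's IIS worker (w3wp.exe).
Added example, not taken from the advisory. Records are constructed in a
'Key=Value|Key=Value' layout modelled on Sysmon Event ID 1 / Windows 4688 fields.
"""
import ntpath
from typing import Dict, List, Optional

# Shells, script hosts and LOLBins an IIS worker process should never spawn.
HIGH_RISK_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Children ASP.NET/SharePoint spawn legitimately (assumed baseline; tune per farm).
EXPECTED_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe", "werfault.exe"}


def parse_record(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; values may contain spaces or '='."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation record."""
    parent = ntpath.basename(rec.get("ParentImage", "")).lower()
    child = ntpath.basename(rec.get("Image", "")).lower()
    if parent != "w3wp.exe":
        return None                      # only the web worker's children matter here
    if child in HIGH_RISK_CHILDREN:
        return "high"                    # shell or script host spawned by a web worker
    if child not in EXPECTED_CHILDREN:
        return "medium"                  # unknown binary: review its path and signer
    return None


def find_suspicious_children(lines: List[str]) -> List[Dict[str, str]]:
    """Scan records and return the flagged ones with the context an analyst needs."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        severity = classify(rec)
        if severity:
            hits.append({"severity": severity, "child": ntpath.basename(rec["Image"]).lower(),
                         "cmdline": rec.get("CommandLine", ""), "user": rec.get("User", "")})
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\conhost.exe|CommandLine=conhost.exe 0x4|User=IIS APPPOOL\SharePoint",
    r"ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami|User=IIS APPPOOL\SharePoint",
    r"ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -w hidden -c whoami|User=IIS APPPOOL\SharePoint",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe|User=CORP\admin",
    r"ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Users\Public\update.exe|CommandLine=update.exe|User=IIS APPPOOL\SharePoint",
]

if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_LOG):
        print(hit)
```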

Compliance Best Practices

  • Isolate SharePoint servers in a dedicated network segment or DMZ, with strict firewall rules that only allow necessary inbound and outbound traffic to and from specific sources and destinations.
  • Conduct a full review of SharePoint service account and application pool identity permissions, ensuring they have the absolute minimum privileges required to function and cannot access non-essential systems or data.
  • Review and strengthen the existing patch management policy to enforce shorter deployment timelines for critical, internet-facing systems like SharePoint.
  • Deploy and configure a Web Application Firewall (WAF) in front of SharePoint servers with rules designed to detect and block deserialization attacks and other common web exploitation techniques.
  • Ensure an Endpoint Detection and Response (EDR) solution is deployed on all SharePoint servers and tuned to alert on or block suspicious process creation from web server processes like w3wp.exe.

Ransomware Gang Exploits Cisco Flaw in Zero-Day Attacks Since January

The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability, identified as CVE-2026-20131, in Cisco's Secure Firewall Management Center (FMC) software since late January 2026. This zero-day flaw allowed unauthenticated attackers to remotely execute arbitrary Java code as root on unpatched devices. Amazon's threat intelligence team reported that Interlock had been leveraging this vulnerability for over a month before Cisco publicly disclosed and patched it on March 4, 2026. The Interlock operation, which emerged in September 2024 and is linked to ClickFix and the NodeSnake remote access trojan, has claimed responsibility for attacks on entities such as DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota, and has recently deployed a new malware strain called Slopoly. This incident follows several other Cisco zero-day vulnerabilities addressed earlier in the year, including flaws in AsyncOS, Unified Communications, and Catalyst SD-WAN.

Severity: Critical

Threat Details and IOCs

Malware: CORNFLAKE, Interlock, Interlock Extortion Group, Interlock RAT, Nefarious Mantis, NodeSnake, NodeSnakeRAT, .!NT3R10CK, Ransom.Interlock, Rhysida, Rhysida-0.1, Slopoly, WINDYTWIST
CVEs: CVE-2025-61155, CVE-2026-20131
Technologies: Cisco Adaptive Security Appliance Software, Cisco Firepower Threat Defense Software, Cisco Secure Firewall Management Center, ConnectWise ScreenConnect, FreeBSD, HAProxy, Linux, Microsoft Active Directory Certificate Services (ADCS), Microsoft Windows, Microsoft Windows Server, Oracle Java
Threat Actors: Interlock, NefariousMantis, Rhysida, VanillaTempest
Attacker Countries: China
Attacker IPs: 144.172.110.106, 144.172.94.59, 188.245.41.78, 195.201.21.34, 199.217.98.153, 199.217.99.121, 206.251.239.164, 23.95.182.59, 37.27.244.222, 89.46.237.33, 95.217.22.175
Attacker Domains: browser-updater.com, browser-updater.live, cherryberry.click, ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion, initialize-configs.com, kolonialeru.com, ms-global.first-update-server.com, ms-server-default.com, ms-sql-auth.com, os-update-server.com, os-update-server.live, os-update-server.org, os-update-server.top, pgjf3dfkamnprahggbw4yojyb7sot3no2glnbfwyzbzqbnaislpv52yd.onion, sclair.it.com
Attacker URLs: http://pgjf3dfkamnprahggbw4yojyb7sot3no2glnbfwyzbzqbnaislpv52yd.onion/index.php?p=, https://github.com/p3Nt3st3r-sTAr/CVE-2026-20131-POC, https://github.com/sak110/CVE-2026-20131, https://github.com/Sushilsin/CVE-2026-20131, https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-20131, http://x2ol75zago3z2nrp7lnmbcwoq3okiexuwi456oe6jqurbprg6lljz3yd.onion/index.php?p=, hxxp://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/chat.php
Attacker Hashes: 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f, bf70fb955bf138a71be3018a6a03c347, d1caa376cb45b6a1eb3a45c5633c5ef75f7466b8601ed72c8022a8b3f6c1f3be
Victim Industries: Architecture, Cloud Infrastructure, Construction, Design Services, Education, Engineering, Facilities Services, Government, Healthcare, Information Technology, Manufacturing, Public Administration, Public Sector, Technology Hardware, Telecommunications
Victim Countries: United Kingdom, United States

Mitigation Advice

  • Immediately apply the security update for Cisco Secure Firewall Management Center (FMC) software to patch vulnerability CVE-2026-20131.
  • Hunt for indicators of compromise by reviewing network logs for unusual activity related to the Cisco Secure Firewall Management Center (FMC) web interface, starting from January 26, 2026, to the present.

Compliance Best Practices

  • Implement and enforce a network security policy to ensure that all device management interfaces, including the Cisco FMC, are isolated from the public internet and only accessible from a trusted, internal management network.
  • Regularly test the organization's data backup and disaster recovery procedures to ensure a timely and complete restoration of critical systems in the event of a successful ransomware attack.
  • Develop and implement a formal vulnerability management program that includes rapid risk assessment and defined service-level agreements (SLAs) for patching critical, internet-facing infrastructure.
  • Subscribe to and integrate a reputable threat intelligence feed into security monitoring tools and operational workflows to enable proactive threat hunting for newly discovered exploits.

Total Takeover: Critical 10.0 CVSS Path Traversal Flaw Hits Ubiquiti UniFi Networks

Ubiquiti has issued an urgent security advisory concerning two vulnerabilities within its UniFi Network Application ecosystem. The most severe, CVE-2026-22557, is a Path Traversal vulnerability rated 10.0 CVSS, allowing unauthenticated attackers to access and manipulate underlying system files without prior privileges or user interaction, potentially leading to full compromise of the management interface. The second, CVE-2026-22558, is a high-severity NoSQL Injection with a CVSS score of 7.7, which enables authenticated users to bypass security logic and escalate privileges to administrative levels. These vulnerabilities impact UniFi Network Application Official Release versions 10.1.85 and earlier, Release Candidate versions 10.2.93 and earlier, and UniFi Express (UX) versions 9.0.114 and earlier. Users are strongly advised to update to Official Release 10.1.89 or later, Release Candidate 10.2.97 or later, or UniFi Express (UX) firmware 4.0.13 (which includes Application 9.0.118) to mitigate these risks.

Severity: Critical

Threat Details and IOCs

Malware: AK47/X2ANYLOCK, Anylock, GoPix, Interlock, Moobot, Warlock
CVEs: CVE-2026-22557, CVE-2026-22558
Technologies: Ubiquiti UniFi, Ubiquiti UniFi Express
Threat Actors: APT28, FancyBear, ForestBlizzard, Sednit, Sofacy
Victim Industries: Business Services, Chemical, Education, Hospitality, Information Technology, Manufacturing, Retail, Telecommunications
Victim Countries: United States

Mitigation Advice

  • Update all Ubiquiti UniFi Network Application instances on the Official Release branch to version 10.1.89 or a more recent version.
  • Update all Ubiquiti UniFi Network Application instances on the Release Candidate branch to version 10.2.97 or a more recent version.
  • Update the firmware on all UniFi Express (UX) devices to version 4.0.13 or a more recent version.
  • Use a vulnerability scanner or asset inventory system to identify all instances of Ubiquiti UniFi Network Application and UniFi Express devices on the network to confirm they are running a vulnerable version.
  • Review system logs on UniFi controllers and firewall logs for unusual file access patterns, unexpected outbound connections, or access from untrusted IP addresses to hunt for signs of compromise related to CVE-2026-22557.

Compliance Best Practices

  • Implement network segmentation to place the UniFi Network Application management interface on a dedicated, restricted management VLAN with strict firewall rules that only permit access from authorized administrator workstations.
  • Establish and enforce a patch management policy that defines specific service-level agreements (SLAs) for identifying, testing, and deploying critical security updates for network infrastructure devices like UniFi controllers.
  • Audit the service accounts for all network management platforms, including the UniFi Network Application, and configure them to run with the principle of least privilege to minimize the impact of a potential application compromise.
  • Deploy a Web Application Firewall (WAF) in front of the UniFi Network Application and other web-based management interfaces, configured with rulesets to block common attack vectors like path traversal and injection attacks.

Russian Hackers Exploit Zimbra Flaw to Breach Ukrainian Maritime Agency

Russian state-backed hacker group APT28, also known as Fancy Bear, exploited a cross-site scripting (XSS) vulnerability, tracked as CVE-2025-66376, in Zimbra webmail software to target the State Hydrographic Service of Ukraine. This stealthy phishing campaign involved embedding malicious code directly within the HTML body of a single email, disguised as a routine internship inquiry, rather than utilizing malicious attachments or links. Upon opening the email in an active Zimbra session, the code silently executed in the victim's browser, enabling the attackers to harvest sensitive data including login credentials, session tokens, backup two-factor authentication codes, browser-stored passwords, and up to 90 days of mailbox data. This operation aligns with APT28's historical targeting of Ukrainian and Western government entities, with other Russian-linked groups also frequently exploiting Zimbra.

Severity: High

Threat Details and IOCs

Malware: BadPaw, MeowMeow, MeowMeowProgram.exe, SpyPress
CVEs: CVE-2025-27915, CVE-2025-66376
Technologies: Zimbra Collaboration
Threat Actors: APT28, APT29, BlueDelta, FancyBear, ForestBlizzard, FROZENLAKE, GruesomeLarch, IronTwilight, ITG05, PawnStorm, Sednit, Sofacy, SofacyGroup, Strontium, TA473, TAG70, UAC-0001, UAC-0114, UNC4907, WinterVivern
Attacker Countries: Russia
Attacker IPs: 193.29.58.37
Attacker Emails: spam_to_junk@proton.me
Attacker Domains: d-...i.zimbrasoft.com.ua, ffrk.net, i.zimbrasoft.com.ua, js-26tik3egye4.i.zimbrasoft.com.ua, js-a-z0-9{12}.i.zimbrasoft.com.ua, js-l1wt597cimk.i.zimbrasoft.com.ua, zimbrasoft.com.ua
Attacker URLs: /home/~/?fmt=tgz, /service/soap/, /v/d, /v/p
Attacker Hashes: c010f64080b0b0997b362a8e6b9c618e, ea752b1651ad16bc6bf058c34d6ae795d0b4068c2f48fdd7858f3d4f7c516f37
Victim Industries: Cloud Infrastructure, Defense, Education, Financial Services, Government, Healthcare, Information Technology, Insurance, Logistics, Maritime, Public Sector
Victim Countries: Ukraine, United States

Mitigation Advice

  • Immediately identify all Zimbra webmail servers in the environment and apply the vendor-supplied patches to mitigate the cross-site scripting vulnerability CVE-2025-66376.
  • Scan all inbound and stored emails on the Zimbra server for HTML bodies containing suspicious CSS @import directives that point to external or non-standard domains.
  • Analyze firewall, proxy, and DNS logs for unusual outbound connections originating from employee workstations to unknown URLs, particularly connections from web browser processes during times when users were accessing the Zimbra webmail client.
  • Issue a security advisory to all employees warning them about a new type of phishing attack that executes from within the body of an email without requiring clicks on links or opening attachments. Instruct users to immediately report any unexpected or unusual emails, even if they appear harmless.
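The @import scan from the second item above, as an added example (not code from the original article): it parses a constructed message with the standard library, pulls out every text/html part and reports @import targets whose host is outside the trusted list. TRUSTED_HOSTS and the placeholder external host are assumptions.

```python
"""Flag HTML e-mail bodies whose CSS @import directives load from external hosts.
Added example, not from the original article; the sample message is constructed.
"""
import email
import html
import re
from email import policy
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosts the webmail UI legitimately loads stylesheets from (assumption; tune per site).
TRUSTED_HOSTS = {"mail.example.org"}

# Matches @import url("x"), @import url(x), @import "x" and @import 'x'.
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)["']?\s*\)?""",
                       re.IGNORECASE)


def html_parts(raw: bytes) -> List[str]:
    """Return the decoded text/html bodies of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk() if p.get_content_type() == "text/html"]


def import_host(target: str) -> Optional[str]:
    """Host an @import points at; None for relative (same-origin) targets."""
    host = urlparse(target).hostname
    return host.lower() if host else None


def find_external_imports(raw: bytes) -> List[Dict[str, str]]:
    """List every @import whose host is not trusted, with the raw target for triage."""
    findings = []
    for body in html_parts(raw):
        # Entity-decode first so imports hidden in style="" attributes (&quot;) are seen.
        for m in IMPORT_RE.finditer(html.unescape(body)):
            target = m.group(1)
            host = import_host(target)
            if host and host not in TRUSTED_HOSTS:
                findings.append({"host": host, "target": target})
    return findings


# Constructed sample message; the external host is a placeholder, not a real indicator.
SAMPLE_EML = b"""\
From: applicant@example.net
To: hr@example.org
Subject: Internship inquiry
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><head><style>
@import url("https://mail.example.org/skins/default.css");
@import url("https://cdn.placeholder-malicious.example/loader.css");
</style></head>
<body><p style="@import &quot;https://cdn.placeholder-malicious.example/x.css&quot;">
Hello, I would like to ask about internship opportunities.</p></body></html>
"""

if __name__ == "__main__":
    for finding in find_external_imports(SAMPLE_EML):
        print(finding)
```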

Compliance Best Practices

  • Establish and maintain a formal vulnerability management program that includes regular automated scanning of all internet-facing systems, a defined process for prioritizing patches based on exploitability and threat intelligence, and enforceable service-level agreements (SLAs) for remediation.
  • Update the corporate security awareness training program to include modules and phishing simulations that reflect modern, stealthy attack techniques, such as those with payloads embedded directly in email bodies.
  • Implement a default-deny network egress filtering policy on firewalls and web proxies to block outbound traffic from user segments to all destinations except for explicitly approved business services and categories.
  • Enforce phishing-resistant multi-factor authentication (MFA), such as FIDO2 or WebAuthn, for all user-facing applications, especially for externally accessible services like webmail, to mitigate the risk of credential and session theft.
  • Conduct a strategic review of the organization's reliance on the Zimbra platform, comparing its security track record, support model, and total cost of ownership against alternative email and collaboration solutions.

Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5