CISA Orders Federal Agencies to Patch Critical iOS Flaws Exploited by Attackers

CISA Orders Feds to Patch DarkSword iOS Flaws Exploited in Attacks

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian executive branch agencies to patch three iOS vulnerabilities that were recently targeted in cryptocurrency theft and cyberespionage attacks using the DarkSword exploit kit.

According to CISA Director Jen Easterly, “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

DarkSword Exploit Kit Overview

DarkSword exploits a chain of six vulnerabilities:

  • CVE-2025-31277
  • CVE-2025-43529
  • CVE-2026-20700
  • CVE-2025-14174
  • CVE-2025-43510
  • CVE-2025-43520

Attack Details

Researchers have linked DarkSword to multiple threat groups, including UNC6748, a client of Turkish commercial surveillance vendor PARS Defense, and a suspected Russian espionage group tracked as UNC6353. In these attacks, researchers observed three distinct information-stealing malware families being dropped onto victims’ devices:

  • GhostBlade, a highly aggressive JavaScript infostealer
  • GhostKnife, a backdoor that can exfiltrate large amounts of data
  • GhostSaber, JavaScript malware that executes code and steals user data

Government Response

CISA has added three of the six DarkSword vulnerabilities (CVE-2025-31277, CVE-2025-43510, and CVE-2025-43520) to its catalog of actively exploited security flaws, instructing federal agencies to secure their devices within two weeks, by April 3, as mandated by Binding Operational Directive (BOD) 22-01.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA cautioned.

Private Sector Guidance

Although BOD 22-01 applies only to federal agencies, CISA advised all defenders, including those working for private sector companies, to prioritize securing their devices against these flaws as soon as possible.

Mobile security company Lookout, which discovered DarkSword during an investigation into the Coruna attacks, believes it is used in cyber-espionage campaigns aligned with Russian intelligence needs and by a Russian threat actor with financial goals.

CISA has instructed all organizations to patch these vulnerabilities as soon as possible, citing the risk they pose to the federal enterprise and the potential for malicious cyber actors to exploit them.


