DarkSword Unleashed: CISA Mandates Emergency Apple Patching
March 21, 2026 • 10 min read
Three critical vulnerabilities in iOS and macOS have been added to the Known Exploited Vulnerabilities catalog as the "DarkSword" spyware campaign intensifies.
On March 21, 2026, the **Cybersecurity and Infrastructure Security Agency (CISA)** issued an emergency update to its **Known Exploited Vulnerabilities (KEV) Catalog**. The agency added three high-severity flaws targeting Apple’s ecosystem: **CVE-2025-31277** (WebKit), **CVE-2025-43510** (Kernel), and **CVE-2025-43520** (Security Framework). These flaws form the core of the **"DarkSword" exploit chain**, a sophisticated spyware delivery mechanism currently being used by mercenary threat actors to target journalists and government officials globally. Under Binding Operational Directive (BOD) 22-01, federal agencies must remediate these flaws by April 4, though private sector organizations are urged to patch within 24 hours.
The DarkSword Chain: WebKit to Kernel
The "DarkSword" campaign is a masterclass in modern mobile exploitation. The chain typically begins with a **one-click WebKit exploit (CVE-2025-31277)** delivered via a malicious link in iMessage or WhatsApp. Once the victim’s browser is compromised, the attacker leverages a **kernel-level memory corruption flaw (CVE-2025-43510)** to bypass Apple’s sandbox protections. The final stage involves **CVE-2025-43520**, which allows the spyware to gain persistent, high-privilege access to the device’s microphone, camera, and encrypted message databases.
What makes DarkSword particularly dangerous is its ability to bypass **Lockdown Mode** in specific iOS 19.x configurations. While Lockdown Mode significantly reduces the attack surface, the attackers have found a novel path through the modernized Apple Security Framework's "Trusted Execution" modules, which were designed to improve security but inadvertently introduced a new race condition.
Mercenary Spyware in 2026
Security firm **Citizen Lab**, which co-reported the findings with Apple, notes that the DarkSword spyware appears to be a successor to earlier commercial tools like Pegasus. However, it features a new **"Volatile Payload"** architecture—the spyware exists primarily in the device's RAM and attempts to self-delete its binary footprint if it detects an active debugging session or a forensic audit. This makes traditional mobile forensics incredibly difficult, requiring real-time network monitoring to identify the exfiltration of data.
Remediation: Urgent Patching Required
Apple has released **iOS 19.4.1** and **macOS 16.3.2** to address these vulnerabilities. Security teams should prioritize the following actions:
- **Force Updates:** Use MDM (Mobile Device Management) to force-install the latest Apple security updates on all corporate devices.
- **Audit iMessage Logs:** Look for unusual URLs or short-links delivered via iMessage from unknown contacts over the last 30 days.
- **Enable Advanced Data Protection:** Ensure that end-to-end encryption for iCloud backups is enabled to prevent exfiltration from the cloud if the device is compromised.
- **Monitor Egress:** Watch for unusual HTTPS traffic to high-entropy domains, a hallmark of the DarkSword exfiltration engine.
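As an added illustration of the egress-monitoring step above (example code written for this page, not from the original post, CISA, Apple or Citizen Lab): a small Python detector that scores the leftmost hostname label in proxy log lines by Shannon entropy and flags machine-looking names. The log format, device names and hostnames are constructed for the example, and the entropy threshold is a heuristic assumption rather than a published DarkSword indicator.

```python
import math
import re
from collections import Counter

# Constructed sample egress (proxy) log lines. The hostnames are made up for
# the example and are not real indicators from the DarkSword campaign.
SAMPLE_LOG = """\
2026-03-21T09:12:01Z dev=ios-a1 method=CONNECT host=www.apple.com:443 bytes_out=1820
2026-03-21T09:12:07Z dev=ios-a1 method=CONNECT host=x7q2k9vz4m1p.example.net:443 bytes_out=482211
2026-03-21T09:13:40Z dev=mac-b2 method=CONNECT host=mail.google.com:443 bytes_out=9021
2026-03-21T09:14:02Z dev=ios-a1 method=CONNECT host=j3h8w0ct5n6r.example.org:443 bytes_out=731004
"""

# Assumed log layout: key=value pairs, host carries an optional :port suffix.
LINE_RE = re.compile(r"dev=(?P<dev>\S+) .*?host=(?P<host>[^:\s]+)")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; for [a-z0-9] the maximum is log2(36) ~ 5.17."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def leftmost_label(host: str) -> str:
    # Score only the leftmost label: that is the generated part of an
    # algorithmically built hostname, so a familiar suffix such as
    # example.net does not dilute the measure.
    return host.split(".")[0]


def flag_high_entropy_egress(log_text: str, threshold: float = 3.3, min_len: int = 10):
    """Return (device, host, entropy) for hosts whose leftmost label looks generated.

    threshold and min_len are heuristic assumptions; tune them against your
    own baseline, since short or dictionary-word labels score low anyway.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        label = leftmost_label(m.group("host"))
        ent = shannon_entropy(label)
        if len(label) >= min_len and ent >= threshold:
            hits.append((m.group("dev"), m.group("host"), round(ent, 2)))
    return hits
```

Feed the flagged hosts into a correlation step against the same device's patch status from MDM; a high-entropy destination from a device still below the fixed iOS or macOS build deserves first attention.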
Conclusion: The Perpetual Arms Race
The addition of the DarkSword vulnerabilities to the CISA KEV catalog is a reminder that the mobile security landscape remains a perpetual arms race. Even as Apple hardens its hardware and software, the economic incentives for state-sponsored and mercenary attackers remain immense. In 2026, "zero-day" is no longer a rare event but a weekly reality for enterprise security teams. The message from CISA is clear: patch today, or assume you are already sharing your data with the next generation of spyware.