DarkSword iOS Exploit Kit — UNC6748 & PARS Defense Deploy Three Zero-Days Against iOS 18
DarkSword iOS Exploit Kit: Three Zero-Days, Six Vulnerabilities, Full Device Takeover
Confidence: High
Google Threat Intelligence Group (GTIG), iVerify, and Lookout jointly disclosed on 19 March 2026 the existence of DarkSword — a JavaScript-based commercial iOS exploit kit that has been actively deployed since at least November 2025. DarkSword targets iOS 18.4 through 18.7 and chains six vulnerabilities to achieve full kernel-level read/write access, escaping the WebContent sandbox via the GPU process before reaching the kernel.
Three of the six exploited vulnerabilities are zero-days:
- CVE-2026-20700 — a PAC (Pointer Authentication Code) bypass in , enabling ASLR defeat
- CVE-2025-43529 — a type confusion in JavaScriptCore's DFG JIT compiler, enabling initial code execution
- CVE-2025-14174 — an out-of-bounds write in ANGLE's WebGL implementation, enabling sandbox escape
Post-exploitation, DarkSword deploys three distinct malware families depending on the targeting actor: GHOSTKNIFE (UNC6748, Saudi Arabia/Turkey/Malaysia — a backdoor); GHOSTSABER (PARS Defense, Turkey/Malaysia — a backdoor); and GHOSTBLADE (UNC6353, Ukraine — a dataminer focused on exfiltrating crypto wallet keys, credentials, and message content). All three components are designed for "hit-and-run" exfiltration, operating quickly and cleaning up to minimise forensic traces.
Devices on iOS 18.4–18.7 are currently fully exposed. Upgrading to iOS 26.3 is required to mitigate all three zero-days. Organisations managing iOS device fleets via MDM should treat unpatched devices as potentially compromised and initiate forced upgrade policies immediately.
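The fleet triage described above can be automated against an MDM inventory export. The following is an added example, not code from GTIG, iVerify, Lookout or any MDM vendor: it assumes a two-column export of device identifier and iOS version (the rows below are constructed), and classifies each device against the stated 18.4–18.7 exposure window and the 26.3 minimum. Versions are compared as numeric tuples rather than strings so that dot-release ordering is correct.

```python
"""Classify a managed-iOS inventory against the DarkSword exposure window.

Added example. Assumptions (not from the advisory): the inventory is a list of
"device_id,os_version" rows, and version strings are dotted integers such as
"18.7.2". The exposed range (18.4-18.7) and the required minimum (26.3) are the
figures stated in the briefing above.
"""

EXPOSED_MIN = (18, 4)   # inclusive, major.minor
EXPOSED_MAX = (18, 7)   # inclusive, major.minor (any 18.7.x is in scope)
REQUIRED_MIN = (26, 3)  # first release said to carry fixes for all three zero-days

# Constructed sample inventory rows: "device_id,os_version".
SAMPLE_INVENTORY = [
    "ipad-01,18.7.2",
    "iphone-02,18.4",
    "iphone-03,18.3.1",
    "iphone-04,26.2.1",
    "iphone-05,26.3",
    "ipad-06,26.3.1",
]


def parse_version(text):
    """Turn '18.7.2' into (18, 7, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version):
    """Return 'exposed', 'below-minimum' or 'compliant' for one iOS version string."""
    v = parse_version(version)
    if EXPOSED_MIN <= v[:2] <= EXPOSED_MAX:
        return "exposed"        # inside the range DarkSword is known to target
    if v < REQUIRED_MIN:
        return "below-minimum"  # not in the stated window, but lacks the 26.3 fixes
    return "compliant"


def triage(rows):
    """Group device ids by classification; 'exposed' devices are the forced-upgrade set."""
    buckets = {"exposed": [], "below-minimum": [], "compliant": []}
    for row in rows:
        device_id, os_version = row.split(",", 1)
        buckets[classify(os_version)].append(device_id.strip())
    return buckets


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:14s} {devices}")
```

Devices in the `exposed` bucket are the candidates for a forced-upgrade policy and, per the guidance above, should be treated as potentially compromised if they browsed untrusted content since November 2025; `below-minimum` devices still need the upgrade even though they fall outside the documented exploit window.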
GNU telnetd CVE-2026-32746: CVSS 9.8 Root RCE — No Patch, PoC Active
Confidence: High
Disclosed by Dream Security and now amplified with a public proof-of-concept exploit released on GitHub (18 March 2026), CVE-2026-32746 in GNU InetUtils telnetd is an unauthenticated out-of-bounds write in the LINEMODE SLC handler triggered before the login prompt is displayed. A single TCP connection to port 23 is sufficient to achieve root code execution. No patch exists; GNU has indicated a fix is expected by 1 April 2026.
The public PoC release creates an immediate window of exploitation risk for any internet-facing or network-adjacent telnetd instance. Threat actors do not require credentials or prior access. Organisations should audit port 23 exposure across their entire estate — cloud, on-premises, and embedded systems — and quarantine or decommission telnetd until patching is possible.
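A host-level audit is the first step in the port 23 inventory recommended above. The following is an added example, not code from Dream Security or GNU InetUtils: it parses the output of `ss -ltnp` (the sample text is constructed) and flags any listener on port 23, or any listener whose process name contains `telnetd` on a non-standard port, marking it as exposed when bound to a non-loopback address. Run it on each host, or feed it collected `ss` output from a fleet-wide job.

```python
"""Flag telnet listeners in `ss -ltnp` output for quarantine or decommissioning.

Added example. Assumes the column layout of `ss -ltnp` on Linux
(State Recv-Q Send-Q Local:Port Peer:Port Process); the sample below is
constructed and does not come from any real host.
"""
import re

# Constructed sample: sshd on 22, inetd serving port 23 on v4 and v6, and a
# telnetd bound to loopback on a non-standard port.
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=801,fd=3))
LISTEN 0      5            0.0.0.0:23       0.0.0.0:*    users:(("inetd",pid=412,fd=5))
LISTEN 0      5               [::]:23          [::]:*    users:(("inetd",pid=412,fd=6))
LISTEN 0      5          127.0.0.1:2323     0.0.0.0:*    users:(("telnetd",pid=1337,fd=3))
"""

TELNET_PORT = 23
PROCESS_RE = re.compile(r'\("([^"]+)"')  # extracts the first process name from users:((...))


def parse_listeners(text):
    """Yield one dict per LISTEN line: local address, port and owning process (if shown)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 '[::]' intact
        match = PROCESS_RE.search(fields[5]) if len(fields) > 5 else None
        yield {"addr": addr, "port": int(port), "process": match.group(1) if match else None}


def is_loopback(addr):
    """True for addresses only reachable from the host itself."""
    return addr.startswith("127.") or addr in ("[::1]", "localhost")


def find_telnet_exposure(text):
    """Return listeners that are telnet by port or by process name, with an 'exposed' flag."""
    findings = []
    for listener in parse_listeners(text):
        by_port = listener["port"] == TELNET_PORT
        by_name = bool(listener["process"]) and "telnetd" in listener["process"]
        if by_port or by_name:
            listener["exposed"] = not is_loopback(listener["addr"])
            findings.append(listener)
    return findings


if __name__ == "__main__":
    for f in find_telnet_exposure(SS_SAMPLE):
        status = "EXPOSED" if f["exposed"] else "loopback-only"
        print(f"{f['addr']}:{f['port']} ({f['process']}) {status}")
```

Because inetd or xinetd usually owns the port 23 socket and only spawns telnetd per connection, matching on the port rather than the process name is what catches the common deployment; the process-name match is there for instances moved to a non-standard port.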
US Government Issues Formal MDM Hardening Advisory Following Stryker
Confidence: High
Following forensic confirmation that the Stryker incident was caused by abuse of a legitimate, compromised Microsoft Intune administrator account — which was used to issue mass "Wipe" commands across approximately 80,000 devices — US Government agencies have issued a formal advisory directing organisations to strengthen Microsoft Intune and MDM configurations. The advisory confirms MDM platforms as a viable destructive vector when administrator account integrity is not protected by phishing-resistant authentication.
Forensic analysis established that the compromised account was not newly created; it was a pre-existing legitimate admin account, making detection reliant on behavioural anomaly monitoring rather than identity-creation signals. The advisory reflects the "Identity as Perimeter" threat model: when MFA is absent or phishing-susceptible, a single credential compromise can result in mass device destruction. Organisations should mandate FIDO2/hardware-key MFA for all Intune and MDM administrative accounts and implement mass-action thresholds and approval workflows for destructive commands such as Wipe and Reset.
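The mass-action threshold recommended above is a sliding-window count of destructive commands per administrator. The following is an added example, not code from Microsoft or from the advisory: it assumes a simplified audit-event schema (timestamp, actor, action, device) that an MDM audit log export could be mapped onto, and the event lines are constructed. It raises one alert when an actor crosses the threshold within the window, which is the behavioural signal a pre-existing legitimate admin account would otherwise not produce.

```python
"""Sliding-window detection of mass destructive MDM actions per administrator.

Added example. Assumptions (not Microsoft's schema): each audit event is a CSV
line "ISO8601 timestamp,actor,action,device", and destructive actions are
named Wipe, Reset and Retire as in the briefing above.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE_ACTIONS = {"Wipe", "Reset", "Retire"}

# Constructed sample: one admin issues a burst of six wipes in four minutes, a
# second admin does routine work, and the first admin issues one more wipe an
# hour later (outside the window).
SAMPLE_EVENTS = [
    "2026-03-19T08:00:05Z,admin.bob@corp.example,Wipe,dev-0001",
    "2026-03-19T08:00:40Z,admin.bob@corp.example,Wipe,dev-0002",
    "2026-03-19T08:01:00Z,admin.alice@corp.example,Retire,dev-0100",
    "2026-03-19T08:01:10Z,admin.bob@corp.example,Wipe,dev-0003",
    "2026-03-19T08:02:00Z,admin.bob@corp.example,Wipe,dev-0004",
    "2026-03-19T08:03:30Z,admin.bob@corp.example,Wipe,dev-0005",
    "2026-03-19T08:04:00Z,admin.bob@corp.example,Wipe,dev-0006",
    "2026-03-19T08:05:00Z,admin.alice@corp.example,Sync,dev-0101",
    "2026-03-19T08:20:00Z,admin.alice@corp.example,Retire,dev-0102",
    "2026-03-19T09:00:00Z,admin.bob@corp.example,Wipe,dev-0007",
]


def parse_event(line):
    """Parse one CSV audit line into a dict with a timezone-aware timestamp."""
    ts, actor, action, device = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "actor": actor,
        "action": action,
        "device": device,
    }


def detect_mass_actions(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (actor, first_ts, last_ts, count) alerts.

    An alert fires at the moment an actor's count of destructive actions within
    `window` reaches `threshold`; it fires once per burst because the count only
    equals the threshold on the crossing event.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # actor -> timestamps of destructive actions in window
    alerts = []
    for event in events:
        if event["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        queue = recent[event["actor"]]
        queue.append(event["ts"])
        while queue and event["ts"] - queue[0] > window:
            queue.popleft()  # drop actions that have aged out of the window
        if len(queue) == threshold:
            alerts.append((event["actor"], queue[0], event["ts"], len(queue)))
    return alerts


if __name__ == "__main__":
    for actor, first, last, count in detect_mass_actions(SAMPLE_EVENTS):
        print(f"ALERT {actor}: {count} destructive actions between {first} and {last}")
```

The same check placed in front of command execution, rather than behind the audit log, becomes the approval gate: hold any request that would push an actor past the threshold until a second administrator approves it.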
Medusa/UMMC: $800K Ransom Deadline Falls Tomorrow — 20 March 2026
Confidence: Medium
The Medusa ransomware group's $800,000 extortion demand against the University of Mississippi Medical Center (UMMC) reaches its stated deadline of 20 March 2026 — tomorrow. UMMC's clinics were closed statewide following the 19 February attack. The demand figure and deadline are widely corroborated across threat intelligence feeds but have not been formally confirmed by UMMC. Healthcare and education organisations should monitor this case closely, as it will likely establish a precedent for how Medusa handles healthcare targets that refuse to negotiate.
Why This Matters
DarkSword represents a qualitative escalation in the commercial exploit kit market: three concurrent iOS zero-days, coordinated deployment across four nation-state-linked threat actors, and cross-geography targeting spanning Saudi Arabia, Turkey, Malaysia, and Ukraine. The kit's "hit-and-run" exfiltration design — targeting crypto wallets, credentials, and message content — is optimised to operate below the detection threshold of mobile EDR tools.
The convergence of DarkSword's iOS threat with the formal US Government MDM hardening advisory creates a dual mobile security imperative: unpatched iOS devices are vulnerable to kernel compromise via the browser, whilst enterprise MDM platforms represent a destructive vector when administrator accounts are not protected by phishing-resistant authentication. Together, these findings confirm that mobile device security can no longer be treated as a secondary operational concern.
The Medusa/UMMC deadline tomorrow adds urgency for healthcare sector incident response teams.
Recommended Actions
- iOS devices: Force-upgrade all managed iOS devices to iOS 26.3 immediately. Treat devices on iOS 18.4–18.7 that accessed untrusted web content since November 2025 as potentially compromised.
- MDM/Intune: Enforce FIDO2/hardware-key MFA for all Intune and high-privilege MDM administrator accounts. Implement approval workflows and alert thresholds for mass destructive actions (Wipe, Reset, Retire).
- GNU telnetd: Quarantine all port-23-exposed instances now. The public PoC means exploitation is accessible to low-sophistication actors. Do not wait for the April 1 patch.
- UMMC/Healthcare: Validate incident response readiness and offline backup integrity ahead of the Medusa deadline tomorrow.
All findings grounded in A13E intelligence sweeps through 10:03 UTC 19 March 2026.