{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/exploit/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ios","exploit","infostealer","darksword"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn iOS exploit named \u0026ldquo;DarkSword\u0026rdquo; is being used in infostealer attacks against iPhones. The available reporting gives no technical detail: neither the vulnerability it abuses nor the affected iOS versions are named, so defenders cannot yet write a precise signature or apply a targeted fix. What is reported is that the exploit lets attackers bypass platform security controls and read sensitive data stored on targeted devices. Active use of an exploit whose underlying bug is unknown is reason to treat iOS devices as exposed and to apply the generic controls below.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The initial access vector is not known; malicious links and sideloaded apps are the plausible candidates. Whichever it is, it delivers the DarkSword exploit to the device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Execution:\u003c/strong\u003e DarkSword runs on the iPhone and triggers an unspecified iOS vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Successful exploitation yields elevated privileges on the device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInfostealer Installation:\u003c/strong\u003e The attacker uses those privileges to install an infostealer payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The infostealer collects contacts, messages, photos and potentially stored credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Staging:\u003c/strong\u003e Collected data is staged for exfiltration, likely compressed and encrypted to evade inspection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) Communication:\u003c/strong\u003e The malware contacts a remote C2 server for tasking and exfiltration instructions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The staged data is sent from the iPhone to the C2 server over an encrypted channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via DarkSword and deployment of the infostealer has severe consequences for affected iPhone users: stolen contacts, messages, photos and credentials feed identity theft, financial fraud and follow-on account takeover. The threat is rated high; how many users are affected depends on the scope of the campaign, which the source does not quantify.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections from iOS devices, which may indicate C2 communication (log source: network_connection).\u003c/li\u003e\n\u003cli\u003eDeploy a Mobile Threat Defense (MTD) solution that can detect exploit attempts and block malicious app installations on iOS devices.\u003c/li\u003e\n\u003cli\u003eKeep devices on the current iOS release and enable Lockdown Mode for high-risk users; with no details of the underlying bug, current patches and a reduced attack surface are the only device-side mitigations available.\u003c/li\u003e\n\u003cli\u003eEncourage users not to sideload apps from untrusted sources, as this increases the risk of installing malware (awareness training).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious process execution patterns indicative of exploit activity (Sigma rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T19:08:08Z","date_published":"2026-03-19T19:08:08Z","id":"/briefs/2026-03-darksword-ios-exploit/","summary":"A new exploit dubbed 'DarkSword' is being actively exploited in infostealer campaigns targeting iPhones, potentially leading to unauthorized data access and device compromise.","title":"DarkSword iOS Exploit Used in Infostealer Attack","url":"https://feed.craftedsignal.io/briefs/2026-03-darksword-ios-exploit/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ios","exploit","webkit","darksword"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe DarkSword exploit chain is a recently identified threat targeting mobile 
devices running iOS 18 and earlier. The chain starts from a vulnerability in the WebKit rendering engine, which Safari and in-app web views on iOS use to render web content. The brief does not identify the bug; what it describes is that exploitation gives the attacker code execution, first inside the WebKit content process and, after a sandbox escape, on the operating system itself. Multiple threat actors are now incorporating DarkSword into their attack playbooks. Adoption by several actors widens both the pool of targets and the range of payloads, so defenders should prioritise detection and mitigation for DarkSword.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user visits a malicious website, or opens a compromised application that embeds a web view, containing the DarkSword exploit.\u003c/li\u003e\n\u003cli\u003eWebKit renders the malicious content and triggers the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe exploit gains code execution inside the WebKit content process.\u003c/li\u003e\n\u003cli\u003eThe exploit escapes the WebKit sandbox and escalates privileges to run code outside it.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads a second-stage payload (e.g. malware or spyware).\u003c/li\u003e\n\u003cli\u003eThe payload executes and establishes persistence on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates data, steals credentials, or takes remote control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via the DarkSword chain can result in full device compromise, letting attackers steal contacts, messages, photos and financial information. For victims this means identity theft, financial loss and reputational damage. 
Given the widespread use of iOS devices, a successful DarkSword campaign could affect millions of users across sectors, and the growing number of actors using the chain raises the likelihood that any given organisation is targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections from sandboxed or otherwise unexpected applications, which can indicate a post-exploitation payload rather than normal app behaviour.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious processes spawned by Safari or WebKit processes.\u003c/li\u003e\n\u003cli\u003eInvestigate suspicious network activity from mobile devices, especially connections to known malicious infrastructure.\u003c/li\u003e\n\u003cli\u003eKeep devices current: the brief names iOS 18 and earlier as affected, so updating to the latest iOS release removes the known-exposed versions from the fleet, and Lockdown Mode reduces the WebKit attack surface for high-risk users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T12:00:00Z","date_published":"2026-03-19T12:00:00Z","id":"/briefs/2026-03-darksword-ios/","summary":"The DarkSword exploit chain targets iOS versions 18 and under by exploiting a WebKit vulnerability, and is being adopted by multiple threat actors for initial access and execution.","title":"DarkSword iOS Exploit Chain Proliferation","url":"https://feed.craftedsignal.io/briefs/2026-03-darksword-ios/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fortigate","vpn","cve-2023-27997","exploit","initial-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn February 28, 2026, network intrusion detection systems (IDS) flagged activity consistent with an exploitation attempt against FortiGate SSL-VPN servers: a series of repeated GET requests to the \u003ccode\u003e/remote/logincheck\u003c/code\u003e endpoint, the path that IDS signatures associate with CVE-2023-27997. CVE-2023-27997 is a heap-based buffer overflow in the FortiOS and FortiProxy SSL-VPN that lets an unauthenticated attacker execute arbitrary code via specially crafted requests; Fortinet tracks the fix as FG-IR-23-097. Repeated GETs to this path are also what credential-stuffing and scanning tools produce, so the signature alone is not proof of exploitation: correlate it with the appliance firmware level and with any unexpected SSL-VPN process crashes before treating it as a confirmed attack. 
The observed traffic originates from the IPv6 address…\u003c/p\u003e\n","date_modified":"2026-02-28T00:46:45Z","date_published":"2026-02-28T00:46:45Z","id":"/briefs/2026-02-fortigate-vpn-cve-2023-27997/","summary":"IDS alerts indicate a potential exploitation attempt against a Fortigate VPN server using CVE-2023-27997, characterized by repeated GET requests to the /remote/logincheck endpoint originating from a specific IPv6 address.","title":"Fortigate VPN CVE-2023-27997 Exploitation Attempt","url":"https://feed.craftedsignal.io/briefs/2026-02-fortigate-vpn-cve-2023-27997/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fortigate","vpn","cve-2023-27997","exploit","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn February 26, 2026, network intrusion detection systems (IDS) raised alerts for possible exploitation attempts against FortiGate SSL-VPN servers. The alerts describe repeated GET requests from multiple source IP addresses to the \u003ccode\u003e/remote/logincheck\u003c/code\u003e endpoint, the path that IDS signatures associate with CVE-2023-27997, a pre-authentication heap-based buffer overflow in the FortiOS SSL-VPN that can give an attacker remote code execution on the appliance rather than merely unauthorized VPN access. Additionally, an IPv4 address was observed using a suspicious…\u003c/p\u003e\n","date_modified":"2026-02-26T07:27:12Z","date_published":"2026-02-26T07:27:12Z","id":"/briefs/2026-02-fortigate-cve-2023-27997/","summary":"Multiple IDS alerts indicate potential exploitation attempts against Fortigate VPN servers using CVE-2023-27997, alongside traffic from a suspicious user agent, possibly indicating reconnaissance or exploit activity.","title":"Fortigate VPN Exploit Attempt via CVE-2023-27997 and Suspicious User-Agent","url":"https://feed.craftedsignal.io/briefs/2026-02-fortigate-cve-2023-27997/"}],"language":"en","title":"CraftedSignal Threat Feed — Exploit","version":"https://jsonfeed.org/version/1.1"}
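The two FortiGate briefs above describe the same observable: repeated GET requests to /remote/logincheck from one source, plus a non-browser user agent. The following is an added example of a detector for that pattern; it is not CraftedSignal code, not the Sigma rule the briefs refer to, and not a Fortinet signature. It assumes the hits are available in Apache combined log format (as a reverse proxy in front of the portal or a converted IDS export might emit them), a threshold of five GETs per minute, a short illustrative list of tool user agents, and constructed sample lines that use documentation address ranges. It goes slightly beyond the briefs in also flagging a single scripted GET from a tool user agent, which the second brief only hints at.

```python
"""Flag repeated GET requests to the FortiGate SSL-VPN /remote/logincheck
endpoint, plus non-browser user agents hitting it.  Added example, not
CraftedSignal's Sigma rule or Fortinet tooling; the log format, threshold,
window and user-agent list are assumptions to tune for your own estate."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Apache "combined" log format, which a reverse proxy in front
# of the VPN portal (or a converted IDS export) could emit.  Times are UTC.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TARGET_PATH = "/remote/logincheck"
THRESHOLD = 5                  # GETs from one source ...
WINDOW = timedelta(minutes=1)  # ... inside this window counts as a burst
# Clients that never look like a browser; illustrative list, not a vendor one.
SUSPECT_UA = ("curl/", "python-requests", "go-http-client", "masscan", "zgrab")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Map source IP -> finding for every source that sends `threshold` or more
    GETs to TARGET_PATH within any `window`, or that uses a suspect user agent.
    A normal portal login POSTs credentials to this path, so GETs are the
    anomaly; POSTs and other paths are ignored."""
    hits = defaultdict(list)                       # src -> [(ts, ua), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if rec["path"].split("?", 1)[0] == TARGET_PATH:
            hits[rec["src"]].append((rec["ts"], rec["ua"]))

    findings = {}
    for src, events in hits.items():
        events.sort()
        # Sliding window: largest number of events whose timestamps span <= window.
        lo, burst = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            burst = max(burst, hi - lo + 1)
        suspect = sorted({ua for _, ua in events
                          if any(tag in ua.lower() for tag in SUSPECT_UA)})
        if burst >= threshold or suspect:
            findings[src] = {"count": len(events),
                             "max_in_window": burst,
                             "suspect_user_agents": suspect}
    return findings


# Constructed sample (documentation address ranges, not real observations):
# an IPv6 source bursting with curl, an IPv4 source making one scripted GET,
# a legitimate browser login that must not be flagged, and one junk line.
SAMPLE_LOG = """\
2001:db8:1::10 - - [28/Feb/2026:00:41:02 +0000] "GET /remote/logincheck HTTP/1.1" 200 512 "-" "curl/8.4.0"
2001:db8:1::10 - - [28/Feb/2026:00:41:05 +0000] "GET /remote/logincheck HTTP/1.1" 200 512 "-" "curl/8.4.0"
2001:db8:1::10 - - [28/Feb/2026:00:41:09 +0000] "GET /remote/logincheck HTTP/1.1" 200 512 "-" "curl/8.4.0"
2001:db8:1::10 - - [28/Feb/2026:00:41:13 +0000] "GET /remote/logincheck HTTP/1.1" 200 512 "-" "curl/8.4.0"
2001:db8:1::10 - - [28/Feb/2026:00:41:20 +0000] "GET /remote/logincheck HTTP/1.1" 200 512 "-" "curl/8.4.0"
2001:db8:1::10 - - [28/Feb/2026:00:41:27 +0000] "GET /remote/logincheck HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [26/Feb/2026:07:20:11 +0000] "GET /remote/login HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.7 - - [26/Feb/2026:07:20:12 +0000] "GET /remote/logincheck HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.23 - - [26/Feb/2026:08:00:00 +0000] "GET /remote/login HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
198.51.100.23 - - [26/Feb/2026:08:00:09 +0000] "POST /remote/logincheck HTTP/1.1" 200 256 "https://vpn.example/remote/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0"
this line is deliberately malformed and is skipped by the parser
"""


def run_sample():
    """Run the detector over the constructed sample."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, finding in run_sample().items():
        print(src, finding)
```

Treat a hit from this detector as a triage prompt, not a verdict: the same traffic is produced by credential brute forcing and by internet-wide scanners, and the actual bug behind CVE-2023-27997 is a heap overflow in the SSL-VPN daemon, so confirm the appliance is below the FG-IR-23-097 fixed builds and check for SSL-VPN process crashes or unexpected configuration changes before escalating to an incident.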