<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Exploit — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/exploit/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 19 Mar 2026 19:08:08 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/exploit/feed.xml" rel="self" type="application/rss+xml"/><item><title>DarkSword iOS Exploit Used in Infostealer Attack</title><link>https://feed.craftedsignal.io/briefs/2026-03-darksword-ios-exploit/</link><pubDate>Thu, 19 Mar 2026 19:08:08 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-darksword-ios-exploit/</guid><description>A new exploit dubbed 'DarkSword' is being actively exploited in infostealer campaigns targeting iPhones, potentially leading to unauthorized data access and device compromise.</description><content:encoded><![CDATA[<p>A new iOS exploit named &ldquo;DarkSword&rdquo; has been identified as being actively used in infostealer attacks against iPhones. While the specific details of the exploit remain limited in the provided source, its use signifies a significant threat to iOS users. The attackers are leveraging this exploit to potentially bypass security measures and gain unauthorized access to sensitive information stored on targeted devices. The lack of specific details regarding the exploit&rsquo;s technical aspects and targeted iOS versions makes it challenging to implement precise detection and mitigation strategies. 
However, the active exploitation necessitates immediate attention and proactive measures to safeguard iOS devices from potential compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attack begins with an unknown initial access vector, potentially involving malicious links or app sideloading techniques, leading to the execution of the DarkSword exploit.</li>
<li><strong>Exploit Execution:</strong> The DarkSword exploit is executed on the targeted iPhone, leveraging an unspecified vulnerability within the iOS operating system.</li>
<li><strong>Privilege Escalation:</strong> Successful exploitation leads to privilege escalation, granting the attacker elevated permissions on the compromised device.</li>
<li><strong>Infostealer Installation:</strong> The attacker leverages the escalated privileges to install an infostealer payload onto the device.</li>
<li><strong>Data Collection:</strong> The infostealer malware collects sensitive data, including contacts, messages, photos, and potentially credentials stored on the iPhone.</li>
<li><strong>Data Staging:</strong> The collected data is staged for exfiltration, potentially compressed and encrypted to evade detection.</li>
<li><strong>Command and Control (C2) Communication:</strong> The malware establishes a connection with a remote C2 server to receive further instructions and prepare for data exfiltration.</li>
<li><strong>Data Exfiltration:</strong> The stolen data is exfiltrated from the compromised iPhone to the attacker&rsquo;s C2 server via an encrypted channel.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of the DarkSword exploit and deployment of the infostealer can lead to severe consequences for iPhone users. Stolen data can be used for identity theft, financial fraud, or other malicious purposes. The potential compromise of sensitive information stored on iPhones makes this a high-priority threat, potentially impacting a large number of users, depending on the scope of the campaign.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for unusual outbound connections from iOS devices, which may indicate C2 communication (log source: network_connection).</li>
<li>Implement a Mobile Threat Defense (MTD) solution capable of detecting and blocking exploit attempts and malicious app installations on iOS devices.</li>
<li>Encourage users to avoid sideloading apps from untrusted sources, as this increases the risk of installing malware (awareness training).</li>
<li>Deploy the Sigma rule to detect suspicious process execution patterns indicative of exploit activity (Sigma rule below).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ios</category><category>exploit</category><category>infostealer</category><category>darksword</category></item><item><title>DarkSword iOS Exploit Chain Proliferation</title><link>https://feed.craftedsignal.io/briefs/2026-03-darksword-ios/</link><pubDate>Thu, 19 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-darksword-ios/</guid><description>The DarkSword exploit chain targets iOS versions 18 and under by exploiting a WebKit vulnerability, and is being adopted by multiple threat actors for initial access and execution.</description><content:encoded><![CDATA[<p>The DarkSword exploit chain is a recently identified threat targeting mobile devices running iOS 18 and earlier. This exploit chain leverages a vulnerability within the WebKit rendering engine, commonly used in Safari and other applications. While the specifics of the vulnerability are not detailed in this brief, its exploitation leads to arbitrary code execution within the context of the targeted application or the operating system itself. Multiple threat actors are now incorporating DarkSword into their attack playbooks. The adoption of this exploit by various actors signifies a growing risk to iOS users, potentially leading to data theft, device compromise, and other malicious activities. Defenders need to prioritize detection and mitigation strategies to protect against DarkSword.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The user visits a malicious website or opens a compromised application containing the DarkSword exploit.</li>
<li>The WebKit engine attempts to render the malicious content, triggering the vulnerability.</li>
<li>The exploit gains control of the WebKit process.</li>
<li>The exploit escalates privileges to execute code outside the WebKit sandbox.</li>
<li>The attacker downloads a second-stage payload (e.g., malware, spyware).</li>
<li>The payload executes, establishing persistence on the device.</li>
<li>The attacker performs malicious activities such as data exfiltration, credential theft, or remote control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via the DarkSword chain can result in full device compromise, allowing attackers to steal sensitive data such as contacts, messages, photos, and financial information. This can lead to identity theft, financial loss, and reputational damage for victims. Given the widespread use of iOS devices, a successful DarkSword campaign could affect millions of users across various sectors. The increasing adoption of this exploit chain by multiple threat actors indicates a heightened risk for iOS users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for connections originating from unexpected or sandboxed applications as a result of exploitation.</li>
<li>Implement the provided Sigma rule to detect the execution of suspicious processes spawned by Safari or WebKit processes.</li>
<li>Investigate any suspicious network activity originating from mobile devices, especially connections to known malicious infrastructure.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ios</category><category>exploit</category><category>webkit</category><category>darksword</category></item><item><title>Fortigate VPN CVE-2023-27997 Exploitation Attempt</title><link>https://feed.craftedsignal.io/briefs/2026-02-fortigate-vpn-cve-2023-27997/</link><pubDate>Sat, 28 Feb 2026 00:46:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-fortigate-vpn-cve-2023-27997/</guid><description>IDS alerts indicate a potential exploitation attempt against a Fortigate VPN server using CVE-2023-27997, characterized by repeated GET requests to the /remote/logincheck endpoint originating from a specific IPv6 address.</description><content:encoded>&lt;p>On February 28, 2026, network intrusion detection systems (IDS) flagged suspicious activity indicative of a potential exploit targeting Fortigate VPN servers. The activity involves a series of repeated GET requests directed towards the &lt;code>/remote/logincheck&lt;/code> endpoint, a known attack vector associated with CVE-2023-27997. This vulnerability allows unauthenticated attackers to execute arbitrary code via specially crafted requests. The observed traffic originates from the IPv6 address…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>fortigate</category><category>vpn</category><category>cve-2023-27997</category><category>exploit</category><category>initial-access</category></item><item><title>Fortigate VPN Exploit Attempt via CVE-2023-27997 and Suspicious User-Agent</title><link>https://feed.craftedsignal.io/briefs/2026-02-fortigate-cve-2023-27997/</link><pubDate>Thu, 26 Feb 2026 07:27:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-fortigate-cve-2023-27997/</guid><description>Multiple IDS alerts indicate potential exploitation attempts against Fortigate VPN servers using CVE-2023-27997, alongside traffic from a suspicious user agent, possibly indicating reconnaissance or exploit activity.</description><content:encoded>&lt;p>On February 26, 2026, network intrusion detection systems (IDS) triggered alerts related to potential exploitation attempts targeting Fortigate VPN servers. The alerts highlight suspicious network activity originating from multiple IP addresses, specifically repeated GET requests to the &lt;code>/remote/logincheck&lt;/code> endpoint, a known attack vector associated with CVE-2023-27997. This vulnerability could allow unauthorized access to the VPN. Additionally, an IPv4 address was observed using a suspicious…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>fortigate</category><category>vpn</category><category>cve-2023-27997</category><category>exploit</category><category>network</category></item></channel></rss>