DarkSword is a JavaScript-based full-chain iOS exploit kit targeting iPhones running iOS 18.4 through 18.7. It chains six vulnerabilities, three of which were zero-days, to achieve full device compromise. It was disclosed on March 18, 2026 by Lookout, Google GTIG, and iVerify in a coordinated publication.

Did DarkSword use AI or LLM-generated code?

Lookout identified indicators suggesting LLM assistance was used in the creation of at least some of DarkSword's implant code. The specific indicators include emoji markers in code headings, numerous explanatory comments, log messages, and unobfuscated JavaScript. Lookout uses qualifying language such as 'suggests' and 'appears probable,' and notes that the code may have been added before the operator acquired the toolkit. Google GTIG and iVerify did not make any LLM claims in their published reports.

Is DarkSword the first malware to use LLM-assisted code?

No. Prior documented cases include PROMPTSTEAL, PROMPTFLUX, and samples analyzed by Netskope and Palo Alto Unit 42. However, all prior cases were either experimental, desktop-only, limited in scale, or assessed as operationally ineffective. DarkSword is the first documented case where researchers identified LLM-assistance indicators in a mass-deployed, professional-grade mobile exploit kit affecting potentially hundreds of millions of devices.

How many devices are affected by DarkSword?

iVerify estimated that approximately 14.2% of active iPhones (around 221 million devices) running iOS 18.4 through 18.6.2 are vulnerable. If all iOS 18 versions are considered, the figure rises to approximately 270 million devices. These figures measure the blast radius of the exploit chain itself, not the LLM-assisted customization specifically.

Who is behind DarkSword?

Google GTIG identified three distinct threat actor groups using DarkSword: UNC6353 (suspected Russian, targeting Ukraine), UNC6748 (targeting Saudi Arabia), and PARS Defense (a Turkish commercial surveillance vendor, targeting Turkey and Malaysia). The developer of DarkSword appears to be a separate entity from these operators.

What CVEs does DarkSword exploit?

DarkSword chains six CVEs: CVE-2025-31277 and CVE-2025-43529 (JavaScriptCore memory corruption), CVE-2026-20700 (dyld PAC bypass), CVE-2025-14174 (ANGLE memory corruption), CVE-2025-43510 (kernel memory management), and CVE-2025-43520 (kernel memory corruption). Three of these were zero-days when first deployed.

How do I protect my iPhone from DarkSword?

Update to iOS 26.3.1 (latest) or iOS 18.7.6 at minimum. All six vulnerabilities exploited by DarkSword have been patched. High-risk users should enable Lockdown Mode. iVerify is offering its iVerify Basic app for free until May 2026 with DarkSword threat hunting capability.

What is the connection between DarkSword and Coruna?

DarkSword was discovered by Lookout while investigating Coruna's infrastructure. Both exploit kits were deployed by UNC6353 against Ukrainian targets and share command-and-control infrastructure. However, Rocky Cole of iVerify stated that DarkSword is 'an entirely separate kit made by entirely separate people.' CyberScoop and BleepingComputer reported that Lookout observed LLM usage in both kits.

Is the evidence that DarkSword used LLMs conclusive?

No. The evidence is circumstantial. Lookout identified indicators consistent with LLM-generated output: emoji markers, explanatory comments, unobfuscated code, and pattern analysis. These indicators are also consistent with code written by a junior developer or code that was not cleaned before deployment. Lookout explicitly offers an alternative explanation: the LLM-patterned code may have been added by the developer before the operator acquired the toolkit. No code fingerprinting, model attribution, or prompt artifact analysis has been published.

What is CyberStrikeAI?

CyberStrikeAI is an open-source AI-native offensive security platform written in Go. It integrates over 100 security tools with an AI orchestration engine that accepts any OpenAI-compatible model (GPT, Claude, DeepSeek, etc.) and chains reconnaissance, exploitation, and post-exploitation into conversational commands via MCP (Model Context Protocol).

How many FortiGate devices were compromised?

Amazon Threat Intelligence confirmed over 600 FortiGate devices were compromised across more than 55 countries between January 11 and February 18, 2026. Separately, Cyber and Ramen reported that CHECKER2 logs showed 2,500+ devices queued for scanning across 100+ countries, though these were targets queued for access attempts, not confirmed compromises.

Who built CyberStrikeAI?

CyberStrikeAI was built by a developer using the GitHub handle Ed1s0nZ. Team Cymru linked Ed1s0nZ to Knownsec 404 (which DomainTools documented as having ties to China's MSS and PLA) and to CNNVD, the vulnerability database operated by the 13th Bureau of China's Ministry of State Security.

Did the FortiGate campaign use zero-day exploits?

No. According to Amazon's report, no zero-day vulnerabilities were exploited. The entire campaign succeeded by targeting exposed management ports (TCP 443, 8443, 10443, 4443) and weak credentials with single-factor authentication.

What is the connection between CyberStrikeAI and ARXON or CHECKER2?

ARXON and CHECKER2 are separate tools found on the same server (212.11.64.250) that also ran CyberStrikeAI. ARXON is a custom MCP server the campaign operator built to bridge LLMs with operational infrastructure. CHECKER2 is a Go-based Docker orchestrator for parallel VPN scanning. Both were documented by independent researcher blog Cyber and Ramen, not by Amazon or Team Cymru.

How can I protect my FortiGate devices?

Disable internet-exposed management interfaces immediately. Enforce multi-factor authentication on all admin accounts. Patch to FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 minimum. Disable SSL-VPN if not operationally required. Disable FortiCloud SSO if not actively needed. Check for symlinks in SSL-VPN language file directories.

What AI models does CyberStrikeAI support?

CyberStrikeAI's AI engine accepts any OpenAI-compatible API endpoint. The default configuration ships with DeepSeek (deepseek-chat). The repository also references GPT-4o in its Quick Start guide and lists Claude (claude-3-opus) as a supported model in config comments. Operators can swap between providers by changing config.yaml.

Is CyberStrikeAI still available?

As of March 2026, the CyberStrikeAI repository remains publicly available on GitHub under the Ed1s0nZ account. Team Cymru tracked 21 unique IPs running the platform between January 20 and February 26, 2026, with adoption accelerating.

5 posts tagged with "AI Security"

AI application security research and vulnerability analysis

View All Tags

OpenAI Codex: How a Branch Name Stole GitHub Tokens

March 31, 2026 · 12 min read

Dhayabaran V

Barrack AI

BeyondTrust Phantom Labs disclosed a critical command injection vulnerability in OpenAI's Codex cloud environment on March 30, 2026. The vulnerability allowed attackers to steal GitHub OAuth tokens by injecting shell commands through a branch name parameter. A branch name. That is where the entire attack starts.

The flaw affected every Codex surface: the ChatGPT website, Codex CLI, Codex SDK, and the Codex IDE Extension. OpenAI classified it as Critical (Priority 1) and remediated all issues by February 5, 2026, following responsible disclosure that began December 16, 2025. No CVE has been assigned.

DarkSword and the LLM Question: What Every Outlet Mentioned but Nobody Wrote About

March 20, 2026 · 24 min read

Dhayabaran V

Barrack AI

On March 18, 2026, Lookout, Google's Threat Intelligence Group (GTIG), and iVerify published coordinated research disclosing DarkSword, a full-chain iOS exploit kit targeting iPhones running iOS 18.4 through 18.7. Within 48 hours, every major cybersecurity outlet covered the story. They covered the six CVEs, the three zero-days, the exploit chain walkthrough, the 270 million affected devices, the threat actor attribution, and the Coruna connection. But buried inside nearly every article was a finding that none of them turned into its own piece: indicators of LLM-assisted code inside a mass-deployed iOS exploit kit.

Your AI Copilot Is the Newest Attack Surface

March 11, 2026 · 15 min read

Dhayabaran V

Barrack AI

Four distinct security incidents in early 2026 prove that AI assistants have become viable, weaponizable attack vectors. Researchers demonstrated zero-click data exfiltration through Excel's Copilot Agent, full system compromise via Chrome's Gemini panel, session hijacking of Microsoft Copilot Personal, and 1Password vault takeover through Perplexity's agentic browser. Each exploits the same fundamental problem: AI agents inherit broad permissions and cannot reliably distinguish legitimate instructions from attacker-controlled content. The industry data confirms the gap: 83% of organizations plan to deploy agentic AI, but only 29% feel ready to secure it.

CyberStrikeAI: the AI Attack Platform Behind the 600+ FortiGate Breach

March 4, 2026 · 27 min read

Dhayabaran V

Barrack AI

An open-source AI-powered offensive security platform, built by a developer with documented ties to China's Ministry of State Security, has been linked to a live campaign that compromised over 600 FortiGate devices across 55 countries in five weeks. Three separate investigations -- by Amazon Threat Intelligence, Team Cymru, and independent researcher blog Cyber and Ramen -- have collectively exposed how CyberStrikeAI and custom attacker-built tooling enabled a single, low-skilled operator to breach enterprise network infrastructure at industrial scale.

Every AI App Data Breach Since January 2025: 20 Incidents, Same Root Causes

February 21, 2026 · 29 min read

Dhayabaran V

Barrack AI

Between January 2025 and February 2026, at least 20 documented security incidents exposed the personal data of tens of millions of users across AI-powered applications. Nearly every single one traces back to the same preventable root causes: misconfigured Firebase databases, missing Supabase Row Level Security, hardcoded API keys, and exposed cloud backends.

This is not a collection of isolated mistakes.

Three independent large-scale research projects, CovertLabs' Firehound scanning 198 iOS apps, Cybernews' audit of 38,630 Android AI apps, and Escape's analysis of 5,600 vibe-coded applications, all converge on the same conclusion: the AI app ecosystem has a systemic, structural security crisis. The rush to ship AI wrappers, chatbots, and "vibe-coded" products has outpaced even the most basic security practices, leaving hundreds of millions of user records readable by anyone with a browser.

What follows is every documented incident, research finding, and industry statistic. Sourced, dated, and cross-referenced.