Cyber Threat Brief — March 23 2026
⚠️ This report is AI-generated. Always validate findings.
Previous brief: Cyber Threat Brief — March 22 2026
Threat count: 1 qualifying update (DarkSword campaign — newly published IOCs and infostealer analysis)
1. DarkSword iOS Exploit Kit — GHOSTBLADE Infostealer Expansion
TL;DR: New IOC domains and GHOSTBLADE infostealer analysis published March 23 reveal data theft across 13 crypto platforms and messaging apps (iMessage, Telegram, WhatsApp); ~221M iPhones on iOS 18.4–18.6.2 remain vulnerable. CISA added three DarkSword Apple CVEs to KEV on March 20.
What’s New:
- BleepingComputer (March 23) details GHOSTBLADE targeting 13 crypto wallet platforms plus iMessage, Telegram, WhatsApp
- CISA added CVE-2025-31277, CVE-2025-43510, CVE-2025-43520 to KEV catalog (March 20)
- Five C2/delivery domains confirmed: static.cdncounter[.]net, cdncounter[.]net, cdn.cdncounter[.]net, count.cdncounter[.]net, sqwas.shapelie[.]com
- GTIG published YARA rules for GHOSTKNIFE and GHOSTSABER; GHOSTBLADE sample uploaded to VirusTotal
- ~221M iPhones (14.2% of active devices) on vulnerable iOS 18.4–18.6.2
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| static.cdncounter[.]net, cdncounter[.]net, cdn.cdncounter[.]net, count.cdncounter[.]net | C2 domain | T1071.001 | DNS / proxy / web gateway | Block and alert on resolution |
| sqwas.shapelie[.]com | Delivery domain | T1189 | DNS / proxy / web gateway | Block and alert on resolution |
| CVE-2025-31277 (WebKit), CVE-2025-43529 (JSCore), CVE-2026-20700 (dyld PAC), CVE-2025-14174 (ANGLE), CVE-2025-43510 (kernel), CVE-2025-43520 (kernel) | Exploit chain CVEs | T1203, T1068 | MDM / asset inventory | Patch to iOS 26.3.1+; enable Lockdown Mode |
| GHOSTBLADE infostealer | Malware | T1005, T1555.003 | VirusTotal hash match | Deploy YARA rules; scan with MVT |
| GHOSTKNIFE / GHOSTSABER backdoors | Malware | T1113, T1123, T1041 | YARA (GTIG rules) | Deploy GTIG YARA rules to network sensors |
| iOS 18.4–18.7 devices | Vulnerable asset | — | MDM/UEM telemetry | Query fleet; enforce update compliance |
| Safari browser history / WebKit DBs on compromised devices | Forensic artifact | T1189 | MVT (Mobile Verification Toolkit) | Scan high-value users for IOC domains in browser artifacts |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No DarkSword/GHOST* family detection; mobile exploitation invisible to standard SIEM without MDM feed |
| Elastic | None | Same gap — no iOS exploit chain or JS-based mobile malware rules |
| Sigma | None | No coverage; GHOSTBLADE’s JS execution on iOS produces no traditional endpoint telemetry |
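Since none of the listed rule sets cover this campaign, the two actions the brief does call for (alert on resolution of the IOC domains; query the fleet for the vulnerable iOS range) can be scripted against exports you already have. The following is an added example written for this brief, not code from BleepingComputer, CISA or GTIG. The DNS log format (`client=... query=...` key/value lines), the MDM export shape (`udid`/`ios` fields) and all sample records are constructed here; the IOC domains and version thresholds are the ones stated in the brief.

```python
"""Alert on DarkSword IOC domain resolutions and flag unpatched iOS builds.

Added example for the March 23 brief. Log lines, MDM records and the
key=value log format are constructed here, not taken from any cited source.
"""
import re
from dataclasses import dataclass

# IOC domains exactly as published in the brief (defanged with "[.]").
DEFANGED_IOCS = [
    "static.cdncounter[.]net",
    "cdncounter[.]net",
    "cdn.cdncounter[.]net",
    "count.cdncounter[.]net",
    "sqwas.shapelie[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged domain back into a normalised, matchable host name."""
    return domain.replace("[.]", ".").lower().strip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def is_ioc_hit(host: str) -> bool:
    """True if host equals an IOC or is a subdomain of one.

    Matching on label suffixes (not plain substrings) catches unlisted
    subdomains of cdncounter.net while not firing on e.g. notcdncounter.net.
    """
    labels = host.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels)))


# Constructed log format: ISO timestamp, then space-separated key=value pairs.
QUERY_RE = re.compile(r"\bquery=(?P<host>[A-Za-z0-9.-]+)")
CLIENT_RE = re.compile(r"\bclient=(?P<client>\S+)")


@dataclass
class Hit:
    line_no: int
    client: str
    host: str


def scan_dns_log(lines):
    """Return one Hit per log line whose queried name matches an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        host = m.group("host").lower().strip(".")
        if is_ioc_hit(host):
            c = CLIENT_RE.search(line)
            hits.append(Hit(n, c.group("client") if c else "?", host))
    return hits


# Fleet check. Range and patch target as stated in the brief's TL;DR and
# Actionable Intel table; anything below the patched build still needs work.
VULN_MIN, VULN_MAX = (18, 4), (18, 6, 2)  # iOS 18.4–18.6.2
PATCHED = (26, 3, 1)                      # "patch to iOS 26.3.1+"


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def device_status(ios_version: str) -> str:
    v = parse_version(ios_version)
    if VULN_MIN <= v <= VULN_MAX:
        return "vulnerable-range"   # inside the confirmed DarkSword range
    if v < PATCHED:
        return "needs-update"       # below the remediation build
    return "patched"


def fleet_report(devices):
    """Map each device UDID (constructed MDM export shape) to its status."""
    return {d["udid"]: device_status(d["ios"]) for d in devices}


# Constructed sample data for a stand-alone run.
SAMPLE_DNS_LOG = """\
2026-03-23T10:14:02Z client=10.1.2.3 query=static.cdncounter.net type=A
2026-03-23T10:14:05Z client=10.1.2.3 query=updates.example.com type=A
2026-03-23T10:15:11Z client=10.1.2.7 query=notcdncounter.net type=A
2026-03-23T10:16:40Z client=10.1.2.9 query=sqwas.shapelie.com. type=A
2026-03-23T10:17:01Z client=10.1.2.9 query=other.cdncounter.net type=A
""".splitlines()

SAMPLE_FLEET = [
    {"udid": "DEV-001", "ios": "18.6.2"},
    {"udid": "DEV-002", "ios": "18.7"},
    {"udid": "DEV-003", "ios": "26.3.1"},
    {"udid": "DEV-004", "ios": "17.7.1"},
]

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT line {h.line_no}: {h.client} resolved IOC {h.host}")
    for udid, status in fleet_report(SAMPLE_FLEET).items():
        print(f"{udid}: {status}")
```

Suffix matching on `cdncounter.net` deliberately treats every subdomain of the apex as a hit, since the brief lists the apex itself as C2; `shapelie.com` is not listed as an IOC, so only `sqwas.shapelie.com` fires there. Adapt `QUERY_RE`/`CLIENT_RE` to your resolver or proxy's actual field names before running against real exports.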
Sources: BleepingComputer DarkSword analysis, CISA KEV catalog, Google Threat Intelligence Group, Initial coverage → March 19 brief
Status Updates
- CVE-2026-20963 (Microsoft SharePoint): CISA deadline today — insecure deserialization RCE actively exploited since March 18; patch SharePoint Subscription/2019/2016 immediately. Full IOCs → March 19 brief.
- CVE-2026-21385 (Qualcomm Android): CISA deadline tomorrow (March 24) — CVSS 7.8 integer overflow affecting 235 chipsets, limited targeted exploitation confirmed; apply 2026-03-05 Android security patch level via MDM.
- CVE-2026-20127 (Cisco Catalyst SD-WAN): CISA emergency directive cloud log submission due today; UAT-8616 exploiting since 2023. IOCs → Cisco Talos UAT-8616 blog.