Apple | Breaking Cybersecurity News | The Hacker News

Apple on Wednesday expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword . "We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security protections from web attacks called DarkSword," the company said. "The fixes associated with the DarkSword exploit first shipped in 2025." The update is available for the following devices - iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all models), iPhone SE (2nd generation), iPhone 12 (all models), iPhone 13 (all models), iPhone SE (3rd generation), iPhone 14 (all models), iPhone 15 (all models), iPhone 16 (all models), and iPhone 16e iPad mini (5th generation - A17 Pro), iPad (7th generation - A16), iPad Air (3rd - 5th generation), iPad Air 11-inch (M2 - M3), iPad Air 13-...

Google on Monday said it's officially rolling out Android developer verification to all developers to combat the problem of bad actors distributing harmful apps while "hiding behind anonymity." The development comes ahead of a planned verification mandate that goes into effect in Brazil, Indonesia, Singapore, and Thailand this September, before it expands globally next year. As part of this effort, Google is requiring app developers who distribute apps outside of Google Play to create an account in the Android Developer Console to confirm their identity. Those who distribute apps through Android's official app marketplace and have verified their identity may be "already set," the tech giant said. "For the vast majority of users, the experience of installing apps will stay exactly the same," Matthew Forsythe, director of product management for Android App Safety, said . "It's only when a user tries to install an unregistered app that...

Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices. The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446 , which is also tracked by the broader cybersecurity community under the monikers Callisto, COLDRIVER, and Star Blizzard (formerly SEABORGIUM). It's assessed to be affiliated with Russia's Federal Security Service (FSB). The hacking group is known for spear-phishing campaigns aimed at harvesting credentials from targets of interest. However, attacks mounted by the threat actor over the past year have targeted victims' WhatsApp accounts, as well as leveraged various custom malware families to steal sensitive data. The latest activity, highlighted by Proofpoint and Malfors , involves using fake "discussion invitation" emails spoofing the Atlantic Council to faci...

Apple is now sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS to alert users of web-based attacks and urge them to install the update. The development was first reported by MacRumors. "Apple is aware of attacks targeting out-of-date iOS software, including the version on your iPhone. Install this critical update to protect your iPhone," the notification issued by Apple reads. The development comes a week after Apple released a support document, asking users running older versions of iOS and iPadOS to update their devices following the discovery of new iOS exploit kits like Coruna and DarkSword . Multiple threat actors of varied motivations have been found to leverage these kits over the past year to deliver malicious payloads when unsuspecting users visit a compromised website. While Coruna targets iOS versions between 13.0 and 17.2.1, DarkSword is designed to target iPhones running iOS versions between 18.4 and 18.7. A...

The kernel exploit for two security vulnerabilities used in the recently uncovered Apple iOS exploit kit known as Coruna is an updated version of the same exploit that was used in the Operation Triangulation campaign back in 2023, according to new findings from Kaspersky. "When Coruna was first reported, the public evidence wasn't sufficient to link its code to Triangulation — shared vulnerabilities alone don't prove shared authorship," Boris Larin, principal security researcher at Kaspersky GReAT, told The Hacker News in a statement. "Coruna is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework. The inclusion of checks for recent processors like the M3 and newer iOS builds shows that the original developers have actively expanded this codebase. What began as a precision espionage tool is now deployed indiscriminately." Coruna was first documented by Google and iVerify earli...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws impacting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities ( KEV ) catalog, urging federal agencies to patch them by April 3, 2026. The vulnerabilities that have come under exploitation are listed below - CVE-2025-31277 (CVSS score: 8.8) - A vulnerability in Apple WebKit that could result in memory corruption when processing maliciously crafted web content. (Fixed in July 2025) CVE-2025-43510 (CVSS score: 7.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected changes in memory shared between processes. (Fixed in December 2025) CVE-2025-43520 (CVSS score: 8.8) - A memory corruption vulnerability in Apple's kernel component that could allow a malicious application to cause unexpected system termination or write kernel memory. (Fixed in December 2025) CVE-2025-32432 ...

Apple is urging users who are still running an outdated version of iOS to update their iPhones to secure against web-based attacks carried out via powerful exploit kits like Coruna and DarkSword . These attacks employ malicious web content to target out-of-date versions of iOS, triggering an infection chain that leads to the theft of sensitive data. "For example, if you're using an older version of iOS and were to click a malicious link or visit a compromised website, the data on your iPhone might be at risk of being stolen," Apple said in a support document. "We thoroughly investigated these issues as they were found and released software updates as quickly as possible for the most recent operating system versions to address vulnerabilities and disrupt such attacks."

Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), has been described as a cross-origin issue in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. It has been addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming. Apple notes that Background Security Improvements are meant for delivering lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries through smaller, ongoing security patches rather than issuing them as part of larger softwa...

Apple on Wednesday backported fixes for a security flaw in iOS, iPadOS, and macOS Sonoma to older versions after it was found to be used as part of the Coruna exploit kit . The vulnerability, tracked as CVE-2023-43010 , relates to an unspecified vulnerability in WebKit that could result in memory corruption when processing maliciously crafted web content. The iPhone maker said the issue was addressed with improved handling.  "This fix associated with the Coruna exploit kit was shipped in iOS 17.2 on December 11th, 2023," Apple said in an advisory. "This update brings that fix to devices that cannot update to the latest iOS version." Fixes for CVE-2023-43010 were originally released by Apple in the following versions - iOS 17.2 and iPadOS 17.2 macOS Sonoma 14.2 Safari 17.2 The latest round of fixes brings it to older versions of iOS and iPadOS - iOS 15.8.7 and iPadOS 15.8.7 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPa...

Google said it identified a "new and powerful" exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1. The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It's not effective against the latest version of iOS. The findings were first reported by WIRED. "The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses," according to GTIG. "The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks." The kit is said to have circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed att...

Apple on Monday released a new developer beta of iOS and iPadOS with support for end-to-end encryption (E2EE) in Rich Communications Services ( RCS ) messages. The feature is currently available for testing in iOS and iPadOS 26.4 Beta, and is expected to be shipped to customers in a future update for iOS, iPadOS, macOS, and watchOS. "End-to-end encryption is in beta and is not available for all devices or carriers," Apple said in its release notes. "Conversations labeled as encrypted are encrypted end-to-end, so messages can't be read while they're sent between devices." The iPhone maker also pointed out that the availability of RCS encryption is limited to conversations between Apple devices, and not other platforms like Android. The secure messaging test arrives nearly a year after the GSM Association (GSMA) formally announced support for E2EE for safeguarding messages sent via the RCS protocol. E2EE for RCS‌ will require Apple to update to ‌RCS‌ Un...

Apple on Wednesday released iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates to address a zero-day flaw that it said has been exploited in sophisticated cyber attacks. The vulnerability, tracked as CVE-2026-20700 (CVSS score: 7.8), has been described as a memory corruption issue in dyld, Apple's Dynamic Link Editor. Successful exploitation of the vulnerability could allow an attacker with memory write capability to execute arbitrary code on susceptible devices. Google Threat Analysis Group (TAG) has been credited with discovering and reporting the bug. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," the company said in an advisory. "CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report." It's worth noting that both CVE-2025-14174 and CVE-2025-43529 were addressed by Cupertino in Decembe...

Cybersecurity researchers have discovered a new variant of a macOS information stealer called MacSync that's delivered by means of a digitally signed, notarized Swift application masquerading as a messaging app installer to bypass Apple's Gatekeeper checks. "Unlike earlier MacSync Stealer variants that primarily rely on drag-to-terminal or ClickFix -style techniques, this sample adopts a more deceptive, hands-off approach," Jamf researcher Thijs Xhaflaire said . The Apple device management firm and security company said the latest version is distributed as a code-signed and notarized Swift application within a disk image (DMG) file named "zk-call-messenger-installer-3.9.2-lts.dmg" that's hosted on "zkcall[.]net/download." The fact that it's signed and notarized means it can be run without being blocked or flagged by built-in security controls like Gatekeeper or XProtect. Despite this, the installer has been found to display instructio...

Apple has been fined €98.6 million ($116 million) by Italy's antitrust authority after finding that the company's App Tracking Transparency (ATT) privacy framework restricted App Store competition. The Italian Competition Authority (Autorità Garante della Concorrenza e del Mercato, or AGCM) said the company's "absolute dominant position" in app distribution allowed it to "unilaterally impose" the ATT rules on third-party app developers, without consulting with them beforehand. The investigation was launched in May 2023. The AGCM said it's not calling into question Apple's decision to adopt safeguards designed to enhance users' privacy on iOS, but rather it's taking issue with the consent requirements that are excessively burdensome for developers and "disproportionate" to the stated objectives of ATT. Specifically, this requires developers to serve both ATT- and GDPR-related permission prompts in apps for iPhone and iPad ...

Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week. The vulnerabilities are listed below - CVE-2025-43529 (CVSS score: 8.8) - A use-after-free vulnerability in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content CVE-2025-14174 (CVSS score: 8.8) - A memory corruption issue in WebKit that may lead to memory corruption when processing maliciously crafted web content Apple said it's aware that the shortcomings "may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26." It's worth noting that CVE-2025-14174 is the same vulnerability that Google issued patches for in its Chrome browser on December 10, 2025. It's been...

Google's artificial intelligence (AI)-powered cybersecurity agent called Big Sleep has been credited by Apple for discovering as many as five different security flaws in the WebKit component used in its Safari web browser that, if successfully exploited, could result in a browser crash or memory corruption. The list of vulnerabilities is as follows - CVE-2025-43429 - A buffer overflow vulnerability that may lead to an unexpected process crash when processing maliciously crafted web content (addressed through improved bounds checking) CVE-2025-43430 - An unspecified vulnerability that could result in an unexpected process crash when processing maliciously crafted web content (addressed through improved state management) CVE-2025-43431 & CVE-2025-43433 - Two unspecified vulnerabilities that may lead to memory corruption when processing maliciously crafted web content (addressed through improved memory handling) CVE-2025-43434 - A use-after-free vulnerability that may ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities ( KEV ) Catalog, officially confirming a recently disclosed vulnerability impacting Oracle E-Business Suite (EBS) has been weaponized in real-world attacks. The security defect in question is CVE-2025-61884 (CVSS score: 7.5), which has been described as a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator that could allow attackers unauthorized access to critical data. "This vulnerability is remotely exploitable without authentication," CISA said. CVE-2025-61884 is the second flaw in Oracle EBS to be actively exploited along with CVE-2025-61882 (CVSS score: 9.8), a critical bug that could permit unauthenticated attackers to execute arbitrary code on susceptible instances. Earlier this month, Google Threat Intelligence Group (GTIG) and Mandiant revealed dozens of organizations may hav...

Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild. The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said. Since then, WhatsApp has acknowledged that a vulnerability in its messaging apps for Apple iOS and macOS (CVE-2025-55177, CVSS score: 5.4) had been chained with CVE-2025-43300 as part of highly-targeted spyware attacks aimed at less than 200 individuals. While the shortcoming was first addressed by the iPhone maker late last month with the release of iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Ventura 13.7.8, macOS Sonoma 14.7.8, and macOS Sequoia 15.6.1, it has also been released for the ...

Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly-targeted attacks. The agency did not share further details on what triggered these alerts. Previous threat notifications were sent on March 5, April 29 , and June 25. Apple has been sending these notices since November 2021. "These complex attacks target individuals for their status or function: journalists, lawyers, activists, politicians, senior officials, members of steering committees of strategic sectors, etc," CERT-FR said. The development comes less than a month after it emerged that a security flaw in WhatsApp ( CVE-2025-55177 , CVSS score: 5.4) was chained wi...

Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures. CHILLYHELL is the name assigned to a malware that's attributed to an uncategorized threat cluster dubbed UNC4487. The hacking group is assessed to have been active since at least October 2022. According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware. The Apple device management company said it discovered a new CHILLYHELL sample uploaded to the VirusTotal malware scanning platform on May 2, 2025. The artifact, notarized ...