DarkSword iOS exploit chain 📱, Russian APT espionage campaigns 🎯, AI-generated malware 🤖, SnappyClient stealer framework 💀, critical vulnerabilities ⚠️

Daily Threat Intel Digest - 2026-03-18

🔴 Critical Threats & Active Exploitation

[NEW] “DarkSword” iOS Exploit Chain Weaponized by Russian APTs and Commercial Vendors
A sophisticated iOS exploit kit named “DarkSword” has been identified in active campaigns targeting users in Ukraine, Saudi Arabia, Turkey, and Malaysia, utilizing a chain of six zero-day vulnerabilities to fully compromise devices running iOS 18.4 through 18.7. Google Threat Intelligence Group attributes the usage to Russian espionage group UNC6353 (active in Ukraine), as well as commercial surveillance vendor PARS Defense (Turkey/Malaysia) and cluster UNC6748 (Saudi Arabia). The exploit chain deploys distinct payloads depending on the actor: GHOSTBLADE (an infostealer), GHOSTKNIFE (a modular backdoor), and GHOSTSABER (a JavaScript implant). Researchers observed distinct signs of Large Language Model (LLM) usage in the code generation of both the exploit chain and the payloads, lowering the barrier for sophisticated mobile espionage. All vulnerabilities were patched in iOS 26.3, but devices running older versions remain at high risk of credential theft, cryptocurrency wallet exfiltration, and device takeover. [Google Threat Intelligence; Lookout; iVerify; CyberScoop; BleepingComputer]

[NEW] SnappyClient C++ Framework Delivers Stealer Capabilities via HijackLoader
A new C++-based command-and-control (C2) framework named SnappyClient has been spotted in the wild, delivered exclusively through the HijackLoader loader in campaigns targeting German-speaking users via fake Telefónica websites. SnappyClient features extensive capabilities including keylogging, screen capture, remote terminal access, and data theft from browsers and extensions, with a specific focus on stealing cryptocurrency wallets. The malware employs advanced evasion techniques such as AMSI bypasses, Heaven's Gate, direct system calls, and transacted hollowing to bypass security controls. It uses a custom ChaCha20-Poly1305 encrypted network protocol and sophisticated configuration decoding to communicate with its C2, making network detection difficult. [Zscaler]

[NEW] Boggy Serpens (MuddyWater) Deploys AI-Generated Malware
The Iranian-linked cyberespionage group Boggy Serpens (MuddyWater) is escalating attacks against diplomats and critical infrastructure in the Middle East using new, custom malware families likely developed with the assistance of artificial intelligence. Recent campaigns target energy, maritime, and finance sectors using hijacked internal email accounts to distribute tailored lures. The new malware suite includes BlackBeard (a Rust-based backdoor), LampoRAT (disguised as antivirus), Nuso (HTTP backdoor), and UDPGangster (UDP-based backdoor). Researchers identified distinct markers in the code (such as the use of visual emojis for status reporting) that strongly suggest the use of LLMs in the development process, validating the trend of AI-assisted malware creation observed in recent threat intelligence reporting. [CyberPress]

โš ๏ธ Vulnerabilities & Patches

[NEW] Critical Pre-Auth RCE in GNU Inetutils telnetd (CVE-2026-32746)
A critical buffer overflow vulnerability (CVSS 9.8) in the GNU Inetutils telnetd daemon allows unauthenticated remote attackers to execute arbitrary code with root privileges via a specially crafted Telnet LINEMODE SLC negotiation packet. The flaw exists in versions up to 2.7 and is particularly dangerous for Operational Technology (OT) and Industrial Control Systems (ICS) that still rely on Telnet for management. Because the exploit occurs during the initial handshake before authentication, traditional logging mechanisms may fail to capture the attack. Security teams must disable Telnet immediately or strictly firewall TCP port 23 until patches are available. [CyberPress]
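The telnetd item above ends with two mitigations: disable Telnet, or firewall TCP port 23 until a fix ships. The following script is an added example for this digest, not code from the digest's sources or from GNU Inetutils. It audits a Linux host for a listener on TCP/23, compares the installed telnetd version against the "up to 2.7" affected range, and prints the mitigation commands. It assumes iproute2 `ss` for the listener table, nftables with an existing `inet filter` table for the firewall rule, a `telnet.socket` systemd unit name (distribution-dependent), and that `telnetd --version` prints "telnetd (GNU inetutils) X.Y" on its first line; the sample listener tables are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the digest or from GNU Inetutils): audit a Linux host for the
# Telnet exposure described above and print the recommended mitigation commands.
# Assumptions: iproute2 `ss` for the listener table, nftables for the firewall rule, and
# that `telnetd --version` prints "telnetd (GNU inetutils) X.Y" on its first line.

# Constructed `ss -ltn`-style listener tables used to exercise the check offline.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'
SAMPLE_SS_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:2323       0.0.0.0:*
LISTEN 0      128    [::]:123           [::]:*'

# Reads an ss listener table on stdin; exits 0 if any LISTEN socket is bound to TCP/23.
# The local-address column ($4) ends in ":23" for 0.0.0.0:23, [::]:23 and *:23, while
# :123 and :2323 do not match because the character before "23" must be ':' or '*'.
telnet_listening() {
    awk '$1 == "LISTEN" && $4 ~ /[:*]23$/ { found = 1 } END { exit (found ? 0 : 1) }'
}

# Same check against a table passed as a string (used for the offline sample tables).
telnet_exposed_in() {
    printf '%s\n' "$1" | telnet_listening
}

# Exits 0 when the given inetutils version is within the affected range (up to 2.7).
# sort -V orders dotted versions numerically, so 2.10 sorts after 2.7. An empty or
# unknown version is reported as not-vulnerable here and flagged separately below.
inetutils_vulnerable() {
    [ -n "$1" ] || return 1
    highest=$(printf '%s\n' "$1" 2.7 | sort -V | tail -n1)
    [ "$highest" = 2.7 ]
}

# Mitigation commands from the digest: disable the service or firewall TCP/23.
# Unit names vary by distribution (telnet.socket is an assumption).
telnet_block_rules() {
    cat <<'EOF'
# Disable the service (use the unit your distribution installs):
systemctl disable --now telnet.socket
# Or drop inbound Telnet at the host firewall (nftables; assumes an inet filter table):
nft add rule inet filter input tcp dport 23 drop
EOF
}

# Live audit of the current host; prints findings and the recommended commands.
audit_telnet() {
    if ss -Hltn 2>/dev/null | telnet_listening; then
        echo "FINDING: a service is listening on TCP/23 (Telnet)."
        telnet_block_rules
    else
        echo "OK: nothing is listening on TCP/23."
    fi
    if command -v telnetd >/dev/null 2>&1; then
        ver=$(telnetd --version 2>/dev/null | awk 'NR == 1 { print $NF }')
        if inetutils_vulnerable "$ver"; then
            echo "FINDING: telnetd $ver is within the affected range (<= 2.7)."
        else
            echo "INFO: telnetd version '$ver' is outside the affected range or unknown."
        fi
    fi
}

# Run the live audit only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--audit" ]; then
    audit_telnet
fi
```

Run it as `sh telnet_audit.sh --audit` on the host under review. The port check is deliberately independent of the version check: an OT device may run a vendor telnetd that does not answer `--version`, and a listener on TCP/23 is the finding that matters regardless of which implementation is behind it.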

[NEW] Ubuntu Snapd Local Privilege Escalation (CVE-2026-3888)
A high-severity local privilege escalation vulnerability affecting default installations of Ubuntu Desktop 24.04 and later allows low-privileged users to gain full root access. The flaw stems from a race condition between the snap-confine helper and systemd-tmpfiles, allowing an attacker to hijack Snap's private temporary directory. By recreating the directory after cleanup by systemd-tmpfiles, an attacker can force snap-confine to bind-mount attacker-controlled files during Snap sandbox initialization, resulting in arbitrary code execution as root. Users are urged to update snapd to version 2.73 or later immediately. [CyberPress]
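The snapd item gives a concrete fix threshold (2.73). The script below is an added example for this digest, not code from the digest's sources or from the snapd project; it reads the `snapd` line from `snap version` output and compares it against that threshold with `sort -V`, so that 2.72.1 is correctly treated as older than 2.73 and 2.73.1 as newer. It assumes an Ubuntu host where `snap version` prints a line beginning with `snapd` followed by the daemon version; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the digest or from the snapd project): check whether the
# installed snapd meets the 2.73 fix threshold the digest cites for CVE-2026-3888.
# Assumes an Ubuntu host where `snap version` prints a "snapd  <version>" line.

# Constructed sample of `snap version` output from an unpatched host, for offline testing.
SAMPLE_SNAP_VERSION='snap    2.72.1
snapd   2.72.1
series  16
ubuntu  24.04
kernel  6.8.0-45-generic'

# Extracts the snapd daemon version from `snap version`-style output on stdin.
snapd_version() {
    awk '$1 == "snapd" { print $2; exit }'
}

# Exits 0 when VERSION is at or above the fixed release (2.73), 1 otherwise.
# sort -V orders dotted version strings numerically, so 2.72.1 < 2.73 < 2.73.1;
# an empty version sorts first and is therefore reported as unpatched.
snapd_patched() {
    lowest=$(printf '%s\n' "$1" 2.73 | sort -V | head -n1)
    [ -n "$1" ] && [ "$lowest" = 2.73 ]
}

# Runs the version check against a `snap version` output passed as a string.
check_snapd_from() {
    ver=$(printf '%s\n' "$1" | snapd_version)
    snapd_patched "$ver"
}

# Live check of the current host.
check_snapd() {
    if ! command -v snap >/dev/null 2>&1; then
        echo "INFO: snap is not installed; CVE-2026-3888 does not apply."
        return 0
    fi
    ver=$(snap version 2>/dev/null | snapd_version)
    if snapd_patched "$ver"; then
        echo "OK: snapd $ver is at or above 2.73."
    else
        echo "FINDING: snapd '$ver' is below 2.73; update snapd (e.g. apt upgrade snapd)."
        return 1
    fi
}

# Run the live check only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    check_snapd
fi
```

Run it as `sh snapd_check.sh --check`; the non-zero exit on a finding makes it usable from a fleet inventory job. Note that distributions sometimes backport fixes without bumping the upstream version, so a version-string check is a first pass, not a substitute for the vendor's security notice.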

[NEW] Apple Patches WebKit SOP Bypass (CVE-2026-20643) via Rapid Security Response
Apple has released a “Background Security Improvement” to patch a critical cross-origin vulnerability in the WebKit Navigation API (CVE-2026-20643) that could allow malicious websites to bypass the Same Origin Policy (SOP) and access data from other sites. While there is no evidence of active exploitation yet, the vulnerability affects the core security boundary of Safari on iOS, iPadOS, and macOS. This update marks a significant deployment of Apple's new mechanism to ship critical security patches between full OS releases without requiring a device restart. Organizations should ensure “Background Security Improvements” are enabled in Privacy & Security settings to receive these protections automatically. [CyberPress; SOC Prime; Malwarebytes]