DarkSword

When it came about: Actively used in the wild since at least November 2025 by multiple actors (including suspected Russian group UNC6353 and commercial spyware vendors). Publicly disclosed March 18, 2026 by Google Threat Intelligence Group, iVerify, and Lookout in coordinated research. It was likely discussed/presented at RSAC 2026 (March 23–26, 2026).

iOS versions impacted: iOS 18.4 through 18.7 (variants tailored to specific sub-versions; estimated 100–270 million devices potentially affected at disclosure). Newer iOS 26.x and fully patched iOS 18.7.7+ are safe.

Current status (as of posting): Fully patched. Apple released fixes in iOS 26.3 (and earlier incremental updates) and issued a rare backport/expansion to iOS 18.7.7 (initial release March 24, 2026; wider automatic availability April 1, 2026) specifically to protect older iOS 18 devices still in use. The exploit kit was publicly leaked on GitHub ~March 23, 2026, increasing accessibility to lower-skilled actors, but updated devices are no longer vulnerable.

Is it a current threat? Only to unpatched devices on iOS 18.4–18.7. It is a real-world drive-by exploit: no user interaction beyond visiting a malicious or compromised website (e.g., watering-hole attacks on legitimate sites). Once triggered, it chains six vulnerabilities (Safari/WebKit RCE → sandbox escape → kernel privileges) for full compromise, quickly exfiltrates data (messages, credentials, crypto wallets, location, etc.), then self-cleans (“hit-and-run”). Post-leak, risk of broader use has risen, but patch adoption and Apple’s Safe Browsing blocks mitigate it for updated users.

The exploit is memory-resident with no reported file-based persistence (it cleans up after exfiltration). A reboot terminates processes and clears volatile memory, potentially stopping an active in-memory payload. However, it does not prevent successful exploitation if you visited a malicious site while vulnerable—any stolen data is already gone, and it is not a reliable mitigation or fix. Update immediately or enable Lockdown Mode.
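For a fleet with a mixed iOS population, the practical question is which devices still fall inside the affected range. The helper below is an added example (not part of the advisory or of any vendor tooling) that encodes only what the text above states: iOS 18.4 through 18.7 is affected, iOS 18.7.7 and later and iOS 26.x are patched, and every other version is reported as "outside-range" rather than "safe", because the advisory says nothing about it. The inventory is constructed; the boundary builds 18.4.0 and 18.7.7 are assumptions read from the advisory's wording.

```python
"""Fleet triage helper: flag iOS versions inside the DarkSword-affected range.

Added example, not part of the original advisory. Ranges come from the
advisory text; anything it does not cover is reported as outside-range.
"""
from __future__ import annotations

import re

# Assumed boundaries read from the advisory: first affected build 18.4.0,
# first fixed 18.x build 18.7.7. Tuples compare numerically, not lexically.
AFFECTED_MIN = (18, 4, 0)
FIXED_18X = (18, 7, 7)

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn "18.7" or "18.7.7" into a numeric triple; missing parts are 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised iOS version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def classify(version: str) -> str:
    """Return 'affected', 'patched' or 'outside-range' for one device version."""
    v = parse_version(version)
    if AFFECTED_MIN <= v < FIXED_18X:
        return "affected"          # advisory: iOS 18.4 through 18.7 is exploitable
    if v[0] == 18 and v >= FIXED_18X:
        return "patched"           # advisory: iOS 18.7.7+ carries the backported fix
    if v[0] == 26:
        return "patched"           # advisory: iOS 26.x is safe
    return "outside-range"         # advisory makes no statement about this version


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group device names from an MDM export by classification."""
    groups: dict[str, list[str]] = {"affected": [], "patched": [], "outside-range": []}
    for device, version in inventory.items():
        groups[classify(version)].append(device)
    return groups


# Constructed sample inventory (device name -> iOS version as an MDM would report it).
SAMPLE_INVENTORY = {
    "ceo-iphone": "18.7.6",
    "finance-ipad": "18.4",
    "sales-iphone": "18.7.7",
    "dev-iphone": "26.3",
    "legacy-iphone": "17.6.1",
    "kiosk-ipad": "18.10",   # constructed: a lexical string compare would rank this below 18.7.7
}

if __name__ == "__main__":
    for group, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(devices) or '-'}")
```

Versions are compared as integer tuples on purpose: a string comparison puts "18.10" before "18.7.7" and would misfile devices, which is the usual bug in quick MDM report scripts. Strings that carry a build identifier or other text raise rather than being silently classified.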

Data exposure risk while infected (DarkSword exploit chain): Extremely high and broad. Once the drive-by exploit succeeded (via a single website visit on a vulnerable iOS 18.4–18.7 device), the payload achieved full kernel-level compromise. It then rapidly collected and exfiltrated a wide range of sensitive personal, communication, identity, location, and financial data — typically within seconds to a few minutes — before self-cleaning and exiting. No long-term persistence was observed, but the stolen data was sent to attacker-controlled servers over HTTPS and was permanently lost to the victim.

Key categories of data exposed (verified across Google GTIG, Lookout, and iVerify reports):

  • Communications & Messaging: SMS/iMessage database, WhatsApp/Telegram message histories, call logs, emails, contacts.

  • Credentials & Access: Device keychain (passwords, keys), saved Wi-Fi networks/passwords, Safari history/cookies, signed-in accounts, usernames/passwords.

  • Personal & Media Content: Photos (including metadata, hidden photos, screenshots), iCloud Drive files, Notes database, Calendar database, Health data.

  • Location & Device Info: Location history, SIM/cellular information, unique device/account identifiers, installed app list, device profiles.

  • Financial Targets: Cryptocurrency wallets and exchange data (e.g., Coinbase, Binance, Ledger, MetaMask, and others) — indicating dual espionage/financial motives.

Additional capabilities in some variants included taking screenshots, recording audio via microphone, and downloading further files from the C2 server.

The “hit-and-run” design meant the exposure was quick and stealthy, with temporary staging files deleted afterward, leaving minimal forensic traces on the device.

LayerX Labs Identifies New Phishing Campaign Targeted at Mac Users

A sophisticated phishing campaign, initially targeting Windows users, has shifted its focus to Mac users following the introduction of new anti-phishing defenses by Microsoft, Chrome, and Firefox. The attackers, using compromised websites and Windows.net infrastructure, continue to evolve their tactics, making Mac and Safari users prime targets. This highlights the adaptability of cybercriminals and the need for advanced security solutions.

RingCentral Spam/Phishing

Oftentimes, bad actors will try to impersonate well-known and trusted services such as RingCentral to spread malware, defraud, or steal personal information.

This practice is called phishing. In these all-too-common scenarios, users inadvertently click on a malicious link or open an attached file. This often leads to downstream effects that aren't obvious at the time, including keystroke-logging malware on your computer. Your computer may become part of a botnet, and you may fall victim to the collection, and often the later resale, of user IDs and passwords.

While more people are becoming knowledgeable about phishing scams, the perpetrators also continue to evolve their methods. The targets, content, and malware associated with these emails change over time.

We've seen some phishing activity with fake emails that look like they are coming from RingCentral. Here's an example of what one might look like:

Here are some important tips for dealing with phishing emails, and for recognizing legitimate emails from RingCentral:

  1. Be suspicious of emails telling you to take urgent action. Fraudsters use this approach to get you to act before you’ve checked whether the email is genuine.

  2. Be cautious when opening links or any attachments to an email. Verify the attachment and make sure the link resolves to the correct domain prior to opening, as shown in the image.

  3. Don’t respond to anyone asking for your RingCentral password – a RingCentral representative will never ask you for your password via email.

  4. When in doubt about whether you've received a genuine message, you can always safely check your messages natively in the RingCentral mobile or desktop applications or within your RingCentral account page. You don't have to click from an email to check your messages.

  5. If you don’t want message attachments sent to you from RingCentral, our service supports disabling email attachments in your account settings.

Keep in mind that a text message notification from RingCentral will never contain any attachments. Voice mail attachments from RingCentral will only be .mp3 files and fax attachments will only be PDF files. RingCentral also does not send multiple attachments in a single notification email.

Usual rules apply:

  • Be suspicious.

  • Roll over (hover on) the sender's email address to confirm the actual source address.

  • Do not open unexpected attachments, such as .htm files.
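The tips above (check the real sender address, make sure links resolve to the correct domain, expect at most one .mp3 or PDF attachment and none at all on text-message notifications, never open .htm attachments) are concrete enough to run as a mail-filter rule. The screener below is an added example, not RingCentral's code or any product's rule set: it parses a raw message with Python's standard `email` library and reports every rule it breaks. The legitimate sender domain `ringcentral.com` and the two sample messages are constructed assumptions for the example.

```python
"""Screen a notification e-mail that claims to come from RingCentral.

Added example (not RingCentral's code). Encodes the rules from the guidance:
real sender domain, link domains, attachment count and type per notification
kind, and no HTML attachments. EXPECTED_DOMAIN is an assumption.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_DOMAIN = "ringcentral.com"                       # assumption for the example
ALLOWED_ATTACHMENT = {"voicemail": {".mp3"}, "fax": {".pdf"}, "sms": set()}
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def _same_org(host: str) -> bool:
    """True only for the expected domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == EXPECTED_DOMAIN or host.endswith("." + EXPECTED_DOMAIN)


def _links(msg: Message) -> list[str]:
    """Collect hrefs from text/html bodies and bare URLs from text/plain bodies."""
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_content_disposition() == "attachment":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            found += HREF_RE.findall(body)
        else:
            found += re.findall(r"https?://\S+", body)
    return found


def _attachments(msg: Message) -> list[str]:
    return [p.get_filename() or "" for p in msg.walk() if p.get_content_disposition() == "attachment"]


def screen(raw: str, kind: str) -> list[str]:
    """Return rule violations for a message claiming to be a RingCentral `kind` notification."""
    msg = message_from_string(raw)
    findings: list[str] = []

    # Rule: roll over the address. The display name can say RingCentral while the
    # mailbox actually lives somewhere else, so judge the address, not the name.
    display, addr = parseaddr(msg.get("From", ""))
    if not _same_org(addr.rpartition("@")[2]):
        findings.append(f"display name {display!r} but real sender is {addr or '<empty>'}")

    # Rule: every link must resolve to the expected domain (lookalike prefixes do not count).
    for url in _links(msg):
        if not _same_org(urlparse(url).hostname or ""):
            findings.append(f"link points outside {EXPECTED_DOMAIN}: {url}")

    # Rule: at most one attachment, of the type the notification kind allows, never HTML.
    names = _attachments(msg)
    if len(names) > 1:
        findings.append(f"{len(names)} attachments; RingCentral sends at most one")
    for name in names:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in {".htm", ".html"}:
            findings.append(f"HTML attachment {name!r} is never expected")
        elif ext not in ALLOWED_ATTACHMENT[kind]:
            findings.append(f"attachment {name!r} not allowed for a {kind} notification")
    return findings


# Constructed sample: lookalike sender, lookalike link host, .htm attachment.
PHISH = """\
From: "RingCentral Voicemail" <notify@rc-mail-alerts.example>
To: victim@example.org
Subject: New voice message - urgent
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>You have a new message. <a href="http://ringcentral.com.login-check.example/play">Listen now</a></p>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="VoiceMessage.htm"

<html>...</html>
--b1--
"""

# Constructed sample shaped like the legitimate pattern the guidance describes.
LEGIT = """\
From: "RingCentral" <no-reply@service.ringcentral.com>
To: user@example.org
Subject: New voice message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

You have a new voice message. Listen at https://service.ringcentral.com/messages
--b2
Content-Type: audio/mpeg
Content-Disposition: attachment; filename="VoiceMessage.mp3"
Content-Transfer-Encoding: base64

AAAA
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "->", screen(raw, "voicemail") or "no findings")
```

The `kind` argument is the notification type the message claims to be, which is why the sender check is unconditional: once you treat a message as a RingCentral notification, a sender outside that organisation is a finding regardless of what the display name says. Host matching uses the domain suffix, so `ringcentral.com.login-check.example` is rejected while `service.ringcentral.com` is accepted.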

Malware: macOS Glims

Adware:MacOS/Glims

Detected by Microsoft Defender Antivirus [and Avast]

Aliases: No associated aliases

Summary

Microsoft Defender for Endpoint detects and removes this threat.

This threat arrives on macOS devices through various means, such as, but not limited to:

  • Disguising itself as a legitimate app

  • Being dropped by another malware

  • Being launched by another file as a malicious script

  • Exploitation of a vulnerability

After it successfully installs and launches on the device, this threat might open your macOS devices to other threats.