A recent demonstration by security researcher @matteyeux showed successful kernel read and write access on an iPad mini 6 running iOS 18.6.2 using the DarkSword exploit. This public validation shows that the exploit remains effective in real-world conditions and increases the risk for millions of Apple devices that have not yet been patched.

Google Threat Intelligence Group reportedly first observed DarkSword in active campaigns in November 2025. The exploit kit has been mainly linked to UNC6353, a suspected Russian espionage group that previously used the Coruna iOS exploit kit. Reported targets have included victims in Ukraine, Saudi Arabia, Turkey, and Malaysia, showing that the threat has already been used in focused international operations.

Technical Structure and Post-Compromise Activity

DarkSword is not just a single exploit but a complete exploit kit and infostealer written in JavaScript. The attack typically begins when a victim visits a compromised website containing a malicious iframe, a method commonly associated with watering hole attacks.

Once the target opens the page, the exploit escapes Safari’s WebContent sandbox. It then bypasses important Apple protections, including Trusted Path Read-Only and Pointer Authentication Codes, by abusing sensitive internal dyld structures in writable stack memory. The chain then moves through the GPU process by exploiting an out-of-bounds write flaw in the ANGLE graphics engine before targeting the XNU kernel through a Copy-On-Write vulnerability in the AppleM2ScalerCSCDriver driver.

This gives attackers arbitrary memory read and write access, allowing them to modify sandbox restrictions and reach protected parts of the file system. Researchers also found that DarkSword operates fully in memory and quickly loads final-stage malware after compromise. Three malware families linked to the activity have been identified as GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. These payloads are designed to steal sensitive data, including secure messages, saved credentials, and cryptocurrency wallet information.

Security Response and Protection Measures

The public validation of DarkSword by independent researchers significantly increases the overall threat level. Once a working exploit chain becomes accessible beyond its original operators, the chances of wider abuse rise sharply.

The command-and-control infrastructure used in these operations adds to the concern. Instead of using obvious malicious domains, attackers relied on subdomains created on compromised legitimate websites, helping their traffic blend in and making detection harder.

To reduce risk, Apple users and enterprise security teams should ensure that all devices are updated immediately to iOS 26.1 or later, as these versions include fixes for the kernel vulnerabilities involved in the exploit chain. For high-risk users such as journalists, executives, and government personnel, enabling Apple’s Lockdown Mode can provide an additional layer of defense against advanced web-based attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post DarkSword iOS Exploit Leaked Online, Putting Apple Devices at Risk appeared first on First Hackers News.

This method is more dangerous because it uses real security features, like two-factor authentication, against the victim.

How the Phishing Email Looks Legitimate

The attack starts with an email that looks like it was sent by Apple. The message includes official logos, proper formatting, and a clean, professional layout. There are no obvious spelling mistakes or broken designs, which makes it harder to identify as fake.

The subject line is written to create fear and urgency. It usually mentions a costly purchase, such as a MacBook, expensive device, or large gift card transaction. The email claims the transaction has been blocked for security reasons.

Instead of providing a suspicious link, the message tells the user they must verify their identity to prevent account suspension.

The Phone Number Trick (Vishing Stage)

A key difference in this campaign is that victims are told to call a “Billing & Fraud Prevention” phone number. Some emails even claim that a fraud review “appointment” has already been scheduled.

This step is designed to build trust. Many people feel safer calling a number than clicking a link, which is exactly what the attackers want.

When the victim calls, they are connected to a scammer pretending to be an Apple support agent.

The fake support agent follows a prepared script. They speak calmly and professionally. They may confirm basic details like the victim’s name, email, or device type to sound convincing.

The goal here is psychological — the attacker wants the victim to believe they are dealing with a real security team trying to stop fraud.

How the Account Takeover Happens

Once trust is built, the technical part of the attack begins. The scammer attempts to sign in to the victim’s Apple ID on their own device. This triggers a real two-factor authentication (2FA) code sent to the victim’s phone.

The scammer then asks the victim to read the code aloud. They claim it is required to “verify the account,” “cancel the transaction,” or “stop the fraud.” Research highlighted by Malwarebytes shows this tactic is becoming more common.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

If the victim shares the code, they unknowingly give the attacker full access to their account.

With control of the account, scammers can misuse stored payment methods, access digital wallet data, or even lock users out of their own devices. Because the login process used real security steps, victims may not realize they helped the attacker themselves.

Key Warning Signs

• Emails creating urgency about expensive purchases you did not make
• Messages asking you to call a number instead of using official channels
• Anyone asking for your password or verification code

How to Stay Safe

Always verify alerts directly through official apps or websites, not through numbers or links in emails. Never share one-time verification codes with anyone — legitimate support teams will never ask for them.

If you believe you were targeted, immediately change your password, sign out of other sessions, and contact your bank about suspicious activity.

The post Apple Pay Users Hit by Phishing Scam Designed to Harvest Payment Data appeared first on First Hackers News.

Why? Because web applications are under constant threat from cyberattacks that can exploit vulnerabilities to steal data, disrupt operations, or harm your reputation.

With server costs and expenses for security and operational tools adding up quickly, finding a cost-effective solution is crucial. That’s where SafeLine steps in – a free yet powerful WAF that delivers strong protection without adding to your financial burden.

Meet SafeLine: GitHub’s Most Starred WAF Project of 2025

SafeLine saw a surge in popularity on GitHub in 2025, earning an impressive 17.5k stars—making it the most starred WAF project of the year.

With over 400,000 instances deployed globally, SafeLine is trusted by a wide range of users, from enterprises and educational institutions to government agencies and individual enthusiasts.

Created by Chaitin Tech, SafeLine is a next-generation web application firewall built for powerful security, simple deployment, and user-friendly management. Its community-driven nature fuels ongoing innovation and ensures it stays ahead of evolving threats.

SafeLine’s Zero Trust Capability: Free, Identity-Based Security

One of SafeLine’s standout features is its integrated Zero Trust security model, allowing organizations to protect their web applications with both advanced firewall capabilities and identity – based access controls-completely free of charge.

Based on the core principle of “never trust, always verify,” Zero Trust ensures that every user or device attempting to access an application is thoroughly authenticated. SafeLine makes this easy by including robust identity verification features such as Single Sign-On (SSO) and two-factor authentication (2FA).

Beyond standard username and password logins, SafeLine supports third-party authentication methods including GitHub, OIDC, and LDAP – giving organizations flexibility in how they manage access. The authentication page is also fully customizable, enabling teams to create a branded, seamless login experience.

By combining comprehensive WAF protection with Zero Trust identity enforcement, SafeLine ensures that only verified users can access sensitive web services – significantly strengthening your security posture without the cost of additional tools.

Why Choose SafeLine Among Many WAF Options?

While many WAF solutions exist, they often come with limitations. Here’s how SafeLine overcomes common challenges:

• Low False Positives/Negatives
  
  Traditional WAFs often rely on static signature or rule-based detection methods – an approach that can lead to false positives (blocking legitimate traffic) or false negatives (missing new, evolving threats).
  
  SafeLine takes a smarter approach with Chaitin Tech’s proprietary semantic analysis engine. Instead of just matching patterns, it analyzes the syntax and semantics of incoming traffic in real time. This enables SafeLine to detect zero-day exploits, novel attack techniques, and obfuscated threats that typically bypass rule-based systems.
  
  By understanding the intent behind traffic – not just its structure – SafeLine dramatically reduces false alarms while closing detection gaps.
  
  What’s more, its detection engine adapts and improves continuously, learning from new data and emerging threats to stay ahead of attackers. This makes SafeLine exceptionally difficult to bypass, delivering intelligent, proactive protection against even the most advanced cyber threats.

• Simple Installation and Configuration
  
  Unlike many WAFs that come with steep learning curves and complex configuration requirements, SafeLine is built for simplicity and ease of use. It’s designed so that even users with limited technical experience can get up and running quickly—no specialized knowledge required.
  
  Installation is streamlined into a single command, eliminating the need for time-consuming manual steps or intricate system setups:
  
  bash -c “$(curl -fsSLk https://waf.chaitin.com/release/latest/manager.sh)” -- --en
  
  With SafeLine, deploying powerful web application protection is as easy as copy-paste—making enterprise-grade security accessible to everyone, from individual developers to large IT teams.
  
  Full Installation Guide

After installation, SafeLine offers a clean, intuitive web-based interface that makes managing your web application firewall simple and accessible – no scripting or command-line expertise required.

Whether you’re configuring security policies, monitoring real-time traffic, or fine-tuning protection levels, everything is handled through straightforward menus and easy-to-use controls.

This streamlined experience drastically reduces the learning curve, allowing individuals and organizations – regardless of technical background – to quickly deploy and manage robust web application security with confidence and efficiency.

• Resistant to Evasion Attacks
  
  Attackers frequently try to evade WAF defenses by exploiting new protocols or using sophisticated evasion tactics. SafeLine’s semantic engine counters this by focusing on the intent behind each request, not just matching known signatures—making it much harder for attackers to slip through unnoticed.

• Scalable and High-Performance
  
  Many WAFs struggle with performance slowdowns under heavy traffic, but SafeLine tackles this with multi-node configuration synchronization. This feature lets organizations effortlessly set up load balancing and failover systems.
  
  By deploying multiple SafeLine nodes, incoming traffic is evenly distributed across servers, preventing bottlenecks and ensuring smooth, responsive performance.
  
  This approach not only boosts application speed but also improves overall system reliability. If one node fails or goes offline, traffic automatically redirects to healthy nodes – keeping user access uninterrupted.
  
  All nodes stay synchronized with the latest security policies and configuration updates, ensuring consistent protection across the entire network.
  
  SafeLine makes building a resilient, high-availability environment straightforward – even for teams without deep infrastructure expertise.

• Advanced Bot and Automated Threat Defense
  
  As AI technologies empower attackers with increasingly sophisticated tools, handling malicious bots and automated threats has become more critical than ever.
  
  SafeLine tackles this challenge head-on by integrating Chaitin Tech’s proprietary IP threat intelligence database, which continuously updates a global repository of known malicious IPs and emerging threats. This enables SafeLine to proactively detect and block suspicious traffic before it can do any damage.
  
  In addition to threat intelligence, SafeLine features powerful, highly customizable anti-bot challenge mechanisms that let organizations fine-tune defenses based on their specific traffic patterns and security needs.
  
  To further strengthen protection, SafeLine employs advanced HTML and JavaScript dynamic encryption techniques – making it extremely difficult for sophisticated botnets to analyze, evade, or manipulate security controls.
  
  Together, these technologies provide a robust shield against the growing threat of automated attacks and malicious bots.

Licensing Options Tailored for Every User

SafeLine offers transparent and flexible licensing to accommodate all users:

• Personal Edition (Free):
  
  No registration or credit card required. Install with just one command and start protecting your applications right away – ideal for individuals, developers, and small projects.

• Lite Edition:
  
  Supports up to 20 applications (compared to 10 in the Personal Edition), offers advanced features beyond the free tier, and is designed specifically for small businesses and homelabs – all at an affordable price of just $10 per month.

• Pro Edition:
  
  Built to serve organizations of all sizes, this edition delivers a complete set of advanced features. Available through flexible monthly or annual subscriptions with no hidden fees, it’s the perfect choice for enterprises seeking comprehensive, reliable protection.

The post Meet SafeLine: The Future of Free Zero Trust Web Security in 2026 appeared first on First Hackers News.