Helthydriver

442 posts


@Helthydriver

Joined July 2011
589 Following 730 Followers
Pinned Tweet
Helthydriver
Helthydriver@Helthydriver·
Two days ago I had the pleasure of presenting our latest research at iVerify about #NSO #Pegasus BLASTPASS Exploit Chain at #BHASIA in Singapore. (blackhat.com/asia-24/briefi…) During the talk I presented how forensic analysis led to the discovery of the sample, the amount of steps
3
16
88
29.2K
Helthydriver retweeted
littlelailo
littlelailo@littlelailo·
Had a lot of fun reversing Coruna over the last couple weeks and decided it would be worth to write it all up before I forget - so enjoy :) littlelailo.github.io/writeups/corun…
4
90
273
48.7K
Helthydriver
Helthydriver@Helthydriver·
@wtsdev iOS works differently. For a long time they only patched the latest OS. At some point in time they started also patching the previous major for 6 months after the new one was released in September. They also started back porting some ITW vulnerabilities sometimes.
0
0
1
83
Watch This Space
Watch This Space@wtsdev·
Correct me if I'm wrong, but this is just... not true? Granted, I mainly research macOS, not iOS; but almost every single patch for bugs I've reported has been backported to earlier versions. Not sure if iOS works differently.
3
0
9
937
The Intelligencer
The Intelligencer@Intelligencer41·
@a_greenberg @WIRED TA446's now spear-phishing iOS w/ leaked DarkSword, deploying MAYBEROBOT backdoor—unprecedented for them. Apple's Background Security push shields older devices from data grabs. Proofpoint.
1
0
0
54
Helthydriver
Helthydriver@Helthydriver·
@a_greenberg @zeroxjf It’s about time. I also hope we’ll see patches for 15 - 17 and not just the remaining one for 18.
0
0
7
632
Helthydriver
Helthydriver@Helthydriver·
@zeroxjf On the two devices I am testing I get probably more like 80-90% reliability. Sometimes I need to restart the WebKit part - but that did the original exploit automatically. (Crashed the Process).
1
0
0
591
johnny
johnny@zeroxjf·
For all its notoriety, the DarkSword exploit chain has been extremely unreliable in testing. Repro successful maybe 10% of the time, if that. Test device, no personal data. 15 PM running 18.6.2
13
18
272
43.1K
Helthydriver retweeted
Zhongquan Li
Zhongquan Li@Guluisacat·
See you in Berlin🎉 Special thanks to @xnyhps and @_xpn_ , some of this work is based on their research. The vulnerabilities disclosed in this presentation can all lead to General TCC Bypasses. I think there are some fundamental issues in the way Apple designed these security mechanisms. If you test them one by one, they may look safe. But when you look at them together, you’ll find that many of them become weak points. Some of these attack surfaces are still exploitable right now, and may stay that way for a while. Honestly, I didn’t want to disclose them before, because there were still bugs to find in these attack surfaces. And even if Apple patches them in the future, I’m still pretty sure I can bypass the protections and get LPE again. But with the macOS bug bounty going down, spending time on local macOS bug hunting is worthless. So I’m shifting more of my focus to remote macOS bug hunting, iOS bug hunting, and Web3. That’s why I’m disclosing them now. @offensive_con #OffensiveCon26
1
3
82
6.6K
Helthydriver
Helthydriver@Helthydriver·
@LIJI32 @ghidraninja D: Terrible idea. Btw. there is no jailbreak for it yet. And a full one will be hard to achieve. DarkSword itself did not care about jailbreaking at all.
1
0
0
86
Lior Halphon 🇮🇱
Lior Halphon 🇮🇱@LIJI32·
@ghidraninja Option C: Keep your device so out of date nobody's ever going to generate symbols for it
Option D: Use DarkSword to jailbreak your device, which will cause most malware to bail out during an attack
2
1
26
2.8K
stacksmashing
stacksmashing@ghidraninja·
Option A: Upgrade iPhone to iOS26 and have to use liquid glass
Option B: Get pwned by DarkSword malware
I don't know which one is worse
24
22
589
40.3K
Helthydriver
Helthydriver@Helthydriver·
@ghidraninja @ghidraninja I got you. You don’t have to go to 26. All bugs except the PAC Bypass have been fixed until 18.7.5. Why Apple did not backport the PAC Bypass - dunno. Kernel Exploits got patched first.
1
0
0
87
Boris Larin
Boris Larin@oct0xor·
Amazing find by Google and iVerify, but a vulnerability isn’t a component. An exploit or implant may be a component, not the vulnerability itself. Both CVEs now have public implementations. I see no evidence of code reuse in the technical reports to support that attribution.
3
5
78
8.1K
Helthydriver retweeted
Mateusz Krzywicki
Mateusz Krzywicki@krzywix·
Use @IsMyPhoneHacked to detect and remediate DarkSword infection vimeo.com/1176404490 We recorded a small demonstration of live DarkSword infection and detection. iVerify basic app is still free on the App Store.
2
9
35
14K
Blacktop
Blacktop@blacktop__·
SF is crazy. Was getting brekky at Sweet Maple and everyone around me (normal non-tech nerd) people were all talking about AI.
2
0
6
1.3K
Helthydriver retweeted
Techmeme
Techmeme@Techmeme·
A new version of iPhone exploit kit DarkSword has been leaked on GitHub; iVerify co-founder Matthias Frielingsdorf says the exploits "will work out of the box" (TechCrunch) techcrunch.com/2026/03/23/som… techmeme.com/260323/p39#a26… 📥 Send tips! techmeme.com/contact
0
7
12
3.6K
Helthydriver
Helthydriver@Helthydriver·
@gergely_kalman And I also think it’s not too much to ask from a trillion dollar company to spend 2 weeks of an engineer's time to fix 5 year old OSs.^^
1
0
1
28
Gergely Kalman
Gergely Kalman@gergely_kalman·
@Helthydriver Sure, I just said they didn't tell people to buy new phones, that's it. I was not following this any closer
2
0
0
42
Helthydriver
Helthydriver@Helthydriver·
@gergely_kalman Yes, that's correct. But they also tell you iPhones are secure, jailbreaks don’t exist and attacks only happen to a few targeted people. I think it’s just important to read between the lines. And translate ;)
1
0
0
35
Helthydriver
Helthydriver@Helthydriver·
@gergely_kalman You are right support is way better, but ignoring these attacks and providing information only after public reporting should be called out. We haven’t seen any backports for 16/17 for DarkSword yet.
0
0
0
51
Gergely Kalman
Gergely Kalman@gergely_kalman·
@Helthydriver Yeah, but smashing Apple for that is a tad unfair as the last supported device is iPhone 11 which is 7 years old now. That is significantly better than most androids for example. I'm also not an Apple fanboy, but this level of misinfo I could not tolerate
2
0
0
70
Helthydriver
Helthydriver@Helthydriver·
@gergely_kalman But I would have to check if any device's last OS is actually 13-14 or if all could update to 15
0
0
1
38
Helthydriver retweeted
@epicenter_works@chaos.social
@epicenter_works@chaos.social@epicenter_works·
First used "only" for state espionage – now in criminal hands. A powerful iPhone spyware is showing right now how that goes. We have been warning about this for years in the #Bundestrojaner debate. Security vulnerabilities have no exclusivity. They are open to EVERYONE. derstandard.at/story/30000003…
4
58
101
3.3K