Key Findings

• Apple expanded iOS 18.7.7 availability on April 1, 2026 to protect users from the DarkSword exploit kit, which targets iOS versions 18.4 through 18.7

• The update now covers iPhone XR through iPhone 16e and multiple iPad models, allowing users to patch vulnerabilities without upgrading to iOS 26

• DarkSword spreads through watering hole attacks on compromised legitimate websites and can deploy backdoors and data miners for persistent access

• Approximately 20% of users still run older iOS versions, leaving them exposed to the actively exploited vulnerability

• A working version of the exploit was leaked on GitHub, significantly lowering the barrier for less sophisticated attackers

Background

Apple's decision to backport security fixes to iOS 18 represents an unusual departure from its typical update strategy. The company initially released iOS 18.7.7 on March 24, 2026 for only a handful of older devices, but expanded it dramatically a week later. This shift reflects the severity of the DarkSword threat and mounting pressure from the security community to protect the estimated one-fifth of users who have not upgraded to iOS 26.

The DarkSword Exploit

Researchers from Google Threat Intelligence Group, iVerify, and Lookout publicly disclosed DarkSword in March 2026, though the vulnerability has been actively exploited since July 2025. The exploit kit targets devices running iOS 18.4 through 18.7 and spreads via watering hole attacks, where legitimate websites are compromised to host malicious code. Users need only visit the infected site to trigger the attack, with no installation or user interaction required beyond normal browsing.

Once deployed, DarkSword establishes persistent access through backdoors and executes data mining operations to harvest sensitive user information. The attack operates silently in the background, making detection difficult for average users.

Scope of the Threat

The DarkSword kit has been used in confirmed attacks against users in Saudi Arabia, Turkey, Malaysia, and Ukraine. Threat actors including the Russia-linked group COLDRIVER leveraged it to deliver additional malware such as the GHOSTBLADE data stealer to government agencies, think tanks, educational institutions, financial organizations, and legal firms.

The threat landscape widened significantly when a newer version of the exploit was leaked on GitHub, effectively democratizing access to the tool. Security experts warn this could trigger widespread adoption by additional threat actors with varying skill levels and motivations.

Apple's Expanded Response

The company is making iOS 18.7.7 available to iPhone XR, XS, XS Max, all iPhone 11 and newer models, and multiple iPad generations. Users with automatic updates enabled will receive the patch without action required. Those without auto-update have the option to install the patched iOS 18.7.7 or upgrade to iOS 26 entirely.

Apple began issuing Lock Screen notifications to devices running older iOS versions last week, alerting users to web-based attacks and encouraging them to install the latest updates.

Industry Perspective on Limitations

Security experts acknowledge Apple's backporting decision as a necessary response but caution it has inherent limitations. Rocky Cole from iVerify noted that many DarkSword components were zero-day vulnerabilities when first observed, meaning patches did not exist at the time of exploitation. By the time updates become available, attackers may have already accessed systems and extracted data.

Cole also highlighted that unlike other platforms, iOS lacks robust third-party security tools, placing the full burden of protection on Apple's built-in defenses. The decision to patch older versions reflects Apple's brand positioning around security and privacy, but represents a reactive rather than preventive approach to an increasingly active exploit market.

Sources

• https://thehackernews.com/2026/04/apple-expands-ios-1877-update-to-more.html

• https://hackread.com/apple-pushes-rare-ios-18-patch-darksword-exploit/

• https://www.bleepingcomputer.com/news/security/apple-expands-ios-18-updates-to-more-iphones-to-block-darksword-attacks/

• https://www.idropnews.com/news/apple-ios-18-darksword-patch-released/261854/

• https://www.instagram.com/p/DWmtj_fEsTi/