Apple has taken the unusual step of broadening access to the iOS 18.7.7 and iPadOS 18.7.7 security update for a significantly larger range of devices. The move is a direct response to the DarkSword exploit kit, a powerful tool used in targeted cyber‑espionage campaigns that can silently compromise iPhones and iPads via normal web browsing.
Apple’s Expanded iOS 18.7.7 Security Update: What Changed and Why
On 1 April 2026, Apple extended the list of supported devices for iOS 18.7.7 and iPadOS 18.7.7 to include additional models that are technically capable of upgrading to iOS 26 but are still running the iOS 18 branch. Users with Automatic Updates enabled will receive the update automatically, gaining what Apple describes as “important protections against DarkSword‑related web attacks.”
The update originally shipped on 24 March 2026 and was initially limited to iPhone XS, iPhone XS Max, iPhone XR and iPad (7th generation). The expanded rollout now covers a much wider set of devices that, for various reasons, have not yet moved to the latest major iOS release but remain exposed to the same class of vulnerabilities.
Apple notes that the vulnerabilities exploited by DarkSword were first patched in 2025. However, a sizable portion of the user base did not adopt the latest major OS versions. Extending security backports to more hardware is therefore intended to reduce the number of unprotected devices without forcing an immediate upgrade to iOS 26.
How the DarkSword Exploit Kit Hacks iPhones and iPads
According to research by Google Threat Intelligence Group (GTIG), iVerify and Lookout, DarkSword has been used since at least July 2025 in campaigns targeting users in Saudi Arabia, Turkey, Malaysia and Ukraine. The exploit kit focuses on iOS and iPadOS versions 18.4 through 18.7, making it especially dangerous for devices that lag behind on updates.
DarkSword primarily leverages watering hole attacks. In this model, threat actors compromise legitimate, high‑traffic websites and inject malicious code into them. When a user with a vulnerable iPhone or iPad simply visits such a site, the exploit chain is triggered automatically. No phishing link, rogue app installation or user interaction beyond normal browsing is required.
Once the vulnerabilities are successfully exploited, DarkSword deploys a backdoor and a data collection module to the device. This combination provides persistent remote access and enables systematic theft of sensitive information, including communications and potentially corporate data. Researchers note that a newer version of the exploit kit has leaked on GitHub, raising concern that less‑skilled threat groups may now reuse or adapt the tooling.
State-Linked Threat Actors, GHOSTBLADE and Enterprise Exposure
Threat intelligence firms Proofpoint and Malfors report that DarkSword is already in use by the Russian‑aligned cyber‑espionage group COLDRIVER (also tracked as TA446). In its campaigns, DarkSword is used to deliver the GHOSTBLADE malware, a toolset designed for data theft from government agencies, think tanks, universities, financial institutions and law firms.
Experts cited by iVerify estimate that around 20% of iOS users continue to run older OS versions without critical patches. In corporate environments where personal devices are used to access email, collaboration platforms and cloud resources, these unpatched phones and tablets can become a weak link and an attractive entry point for advanced persistent threats.
Why Apple’s Patch Strategy for DarkSword Is Unusual
Apple routinely backports security fixes for older devices when vulnerabilities are severe. What stands out in the DarkSword case is that users on iOS 18 are being allowed to close high‑impact vulnerabilities without upgrading to the newest major OS line. Users without auto‑updates enabled can explicitly choose between installing iOS 18.7.7 (the latest patched 18.x release) or moving directly to iOS 26.
A month earlier, Apple had already urged owners of older hardware to install iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15 and iPadOS 16.7.15. These releases addressed not only DarkSword‑related issues, but also flaws exploited by another kit known as Coruna. In parallel, Apple began pushing Lock Screen notifications to devices running outdated iOS and iPadOS versions, warning of active web exploitation and prompting users to update.
Security Recommendations for Users and Organizations
For Individual iPhone and iPad Users
For anyone whose device has not yet moved to iOS 26, the priority is to install iOS 18.7.7 or iPadOS 18.7.7 as soon as it becomes available. Additional defensive steps include:
- Enable Automatic Updates to receive future patches as soon as Apple releases them.
- Use only official app stores and avoid sideloading or untrusted configuration profiles.
- Reboot devices regularly to disrupt potential in‑memory attacker sessions.
- Be cautious when visiting unfamiliar websites, particularly from links in unsolicited messages.
For Businesses and Security Teams
Organizations should treat mobile endpoints with the same rigor as laptops and servers. Concrete measures include:
- Deploying Mobile Device Management (MDM) to enforce OS update baselines and centrally monitor patch status.
- Restricting access to corporate resources from devices that are not running a minimum required iOS/iPadOS version.
- Monitoring network traffic and DNS logs for indicators of watering hole activity and suspicious domains.
- Including mobile security in security awareness training, emphasizing that a compromised phone can expose corporate accounts and data.
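One way to implement the OS baseline and access restriction from the list above, as an added example rather than code from Apple or any MDM vendor: it checks a constructed inventory export against the patched releases named in this article (15.8.7, 16.7.15, 18.7.7, or any iOS 26 release). The CSV column names, the sample devices, and the choice to send branches without a baseline in the article to manual review are assumptions.

```python
"""Added example: OS-baseline access gate over a constructed MDM inventory export."""
import csv
import io

# Minimum patched release per iOS/iPadOS branch, as named in the article.
BASELINES = {15: (15, 8, 7), 16: (16, 7, 15), 18: (18, 7, 7)}
NEWEST_MAJOR = 26               # article: iOS 26 is the alternative to 18.7.7
KIT_RANGE = ((18, 4), (18, 7))  # article: the kit focuses on 18.4 through 18.7

# Constructed sample export; device IDs and column names are hypothetical.
SAMPLE_EXPORT = """device_id,os_version
D-001,18.7.7
D-002,18.5
D-003,18.7.6
D-004,16.7.15
D-005,15.8.6
D-006,26.0
D-007,17.6.1
D-008,18.3.2
D-009,beta
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not dotted decimal."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(([int(p) for p in parts] + [0, 0])[:3])

def evaluate(version_text):
    """Return (decision, reason); decision is 'allow', 'block' or 'review'."""
    v = parse_version(version_text)
    if v is None:
        return "review", "unparseable version"
    if v[0] >= NEWEST_MAJOR:
        return "allow", "on the iOS 26 line"  # assumption: any 26.x is accepted
    baseline = BASELINES.get(v[0])
    if baseline is None:
        return "review", "no baseline in the article for this branch"
    if v >= baseline:
        return "allow", "at or above branch baseline"
    if KIT_RANGE[0] <= v[:2] <= KIT_RANGE[1]:
        return "block", "below 18.7.7 and inside the kit's 18.4-18.7 range"
    return "block", "below branch baseline"

def audit(export_text):
    """Map device_id -> (decision, reason) for every row of the export."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["device_id"]: evaluate(r["os_version"]) for r in rows}
```

Feeding the result of `audit()` into a conditional-access rule lets devices marked "block" be cut off from corporate resources until they update, while "review" entries go to an administrator.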
The DarkSword campaigns highlight that even a tightly controlled ecosystem such as Apple’s is not immune to sophisticated exploit kits and the commercial 0‑day market. Treating iOS and iPadOS updates as mission‑critical security patches, rather than optional feature upgrades, is essential. Rapid installation of available fixes, combined with disciplined mobile security practices, substantially reduces the likelihood that personal or corporate devices will be successfully compromised.