Apple Expands iOS 18.7.7 Patch to Protect iPhones From DarkSword Exploit

Apple has widened access to a security update to protect older iPhones and iPads from an actively used exploit kit named DarkSword. Apple said in the iOS 18.7.7 changelog that it enabled broader availability on April 1, 2026. The company added that users with Automatic Updates enabled will get protections automatically.

What Apple released

The update is iOS 18.7.7 and iPadOS 18.7.7. Apple said the fixes tied to DarkSword first shipped in 2025. The company told WIRED that expanding the update will help more devices stay protected without forcing an upgrade to the newest operating system.

Apple listed eligible devices as follows. The company said these devices can now receive iOS 18.7.7 if they remain on iOS 18.

  • iPhone XR, iPhone XS, and iPhone XS Max
  • iPhone 11 series and iPhone SE second generation
  • iPhone 12 and iPhone 13 series
  • iPhone SE third generation, iPhone 14/15/16 series and iPhone 16e
  • iPad mini fifth generation, iPad seventh generation, and iPad Air third through fifth generation
  • iPad Air 11-inch and 13-inch models with M2 and M3
  • iPad Pro 11-inch first generation through M4, iPad Pro 12.9-inch third through sixth generation, and iPad Pro 13-inch M4

Why this matters

Researchers at Google Threat Intelligence Group, Lookout, and iVerify revealed DarkSword in public advisories. They found the kit targeted iOS and iPadOS devices running versions between iOS 18.4 and 18.7. The attackers used watering hole techniques. In these attacks, a legitimate website was compromised to deliver the exploit when a visitor arrived.

Once triggered, the exploit chain deployed persistent backdoors and a dataminer. Google Threat Intelligence Group reported that three malware families were observed on victims. Those include GhostBlade, GhostKnife, and GhostSaber, which steal data and can execute code on infected devices, GTIG said.

Proofpoint and Malfors reported that another actor known as COLDRIVER, tracked as TA446, used DarkSword to deliver the GHOSTBLADE data stealer. Proofpoint and Malfors said victims included government, think tank, higher education, financial, and legal targets.

Technical details

Lookout and GTIG linked six tracked vulnerabilities to the chain. The CVE identifiers are CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. Those CVEs were cited in vendor advisories and in security notes tied to iOS 18.7.7.

Researchers warned that DarkSword was used by multiple groups. GTIG, Lookout, and iVerify documented use by both commercial surveillance firms and suspected espionage groups. The broader use set DarkSword apart from the highly targeted iOS exploits that are often seen in private spyware campaigns, security teams said.

Community reaction and risks

Rocky Cole, co-founder and COO at iVerify, spoke to The Hacker News about the threat. “DarkSword silently steals vast amounts of user data purely because the user visited a real but compromised website,” Cole said. He added that roughly 20 percent of users were still on older iOS versions at the time of his statement, according to iVerify.

Security teams also warned that a leaked copy of the kit makes the situation worse. Researchers who tracked DarkSword reported that a version later showed up on a code-sharing site, increasing the risk that more actors will reuse the code.

What users should do

Apple told WIRED that users without Automatic Updates will be offered either the patched iOS 18.7.7 or the option to upgrade to iOS 26. Security researchers at Lookout and GTIG urged immediate updates for anyone on iOS 18.4 through 18.7.

Keep Automatic Updates on when possible. Install iOS 18.7.7 or move to iOS 26. Check device settings and update from Settings if the automatic path is disabled. Security vendors recommend caution when visiting unfamiliar or less trusted websites until patches are installed.

Apple’s move to backport protections to older iOS versions is rare. The company said it made the change to better protect users from a clear and present web threat.
