Apple on April 1 expanded the availability of updates for iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices so users with Automatic Updates turned on can receive protection from the recent wave of DarkSword exploit attacks.The Google Threat Intelligence Group described DarkSword as a six-vulnerability exploit chain targeting iPhones running iOS 18.4 through 18.7, and Lookout has documented observed attacks on iOS 18.4 through 18.6.2.The chain begins when a user visits a compromised legitimate website. According to iVerify, little to no user action is required beyond loading the page. Once successful, the attacker gains extensive visibility into the device. The researchers at iVerify list the following negative impacts: access to messages, stored passwords, crypto wallets, Wi-Fi credentials, location history, health data, and calendar databases.Lookout described this technique as "hit and run," with data collection, exfiltration, and cleanup designed to minimize forensic traces.Public reporting on DarkSword campaigns pointed to attacks in Saudi Arabia, Turkey, Malaysia, and Ukraine. The absence of confirmed U.S. victims is partly a device version story. Apple's own data measured in February 2026 reported that 74% of iPhones introduced in the last four years are running iOS 26, which is not vulnerable. Populations targeted in these campaigns are in regions where older iOS versions persist longer, making the exploit window wider.
Related reading:
However, Jacob Krell, senior director for secure AI solutions and cybersecurity at Suzu Labs, pointed out that the picture has shifted. Krell said Proofpoint attributed a March 26 campaign to Star Blizzard (also tracked as TA446 and COLDRIVER) with high confidence, targeting government, think tank, higher education, financial, and legal entities. A newer version of the kit has also been leaked on GitHub, according to reporting in The Hacker News, which drops the barrier to entry for any actor looking to adopt it.“When an exploit chain proliferates to multiple operators and becomes publicly available, geographic expansion is a matter of when, not if,” said Krell. “Security teams should push iOS 18.7.7 to every managed device still on iOS 18, or upgrade to iOS 26. For high risk users, Google Threat Intelligence Group recommends enabling Lockdown Mode where updates are not immediately possible, and independent researchers have confirmed DarkSword does not execute on devices with Lockdown Mode enabled.”Krell added that published CVEs and entries in CISA's Known Exploited Vulnerabilities (KEV) catalog for DarkSword. The exploit chains six CVEs: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520. The most recent batch was added to the KEV list on March 20 and CISA has been tracking active exploitation of these flaws since late 2025.While some researchers said Apple’s move to expand the updates to older device was quite rare, Ted Miracco, chief executive officer at Approov, said it fits with Apple’s pattern to keep supporting older devices while also aggressively steering users to the newest OS whenever possible.Miracco said even though there have not been attacks yet in the United States, security teams here should stay vigilant.“Regardless of where the attacks occur, about 20% of iOS devices remain exposed, representing a significant attack surface,” said Miracco. “The right security moves are: enable Lockdown Mode for high-risk users; and then treat DarkSword like any other actively-exploited mobile zero-day chain."Rocky Cole, co-founder and COO iVerify, said DarkSword silently steals vast amounts of user data purely because they visited a real, but compromised, website. Cole said Apple has at least agreed with the security community's assessment that this presents a clear and present threat to devices that remain unpatched on earlier versions of iOS, which roughly 20% of users are still running.“Leaving those users exposed would be a hard decision to defend, particularly for an organization that centers its brand around security and privacy,” said Cole. “However, we should not forget that at least three of these exploits were true zero-days when they were first seen. Even patching would not have helped these users. Apple's only security approach is to patch against these threats which can mean months have already passed before the patch is available.”Cole added that Apple finds itself in a unique position where in the past, the vast majority of users upgraded to the latest iOS within two weeks of release, but iOS 26 had a very public pushback against it as many users did not like the liquid glass UI upgrade and actively choose to stay on iOS 18.“That, combined with a whole country pushback against iOS 26.4 [from the UK] means that Apple cannot rely on users keeping their phones up- to-date with the latest build anymore,” said Cole.
Vulnerability Management, Patch/Configuration Management, Identity, Endpoint/Device Security, Malware

Apple expands updates to iOS 18 devices affected by DarkSword exploit

(Adobe Stock)

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



