MagnaNet Network

Apple Expands Critical iOS and iPadOS 18.7.7 Security Update to Counter Potent DarkSword Exploit Kit

Cahyo Dewo, April 6, 2026

Cupertino, CA – Apple on Wednesday, April 2, 2026, significantly expanded the availability of its iOS 18.7.7 and iPadOS 18.7.7 updates, pushing crucial security protections to a broader spectrum of devices. This unprecedented move aims to shield users from the immediate and severe threats posed by a sophisticated exploit kit known as DarkSword, which has been actively leveraged in cyberattacks since mid-2025. The decision marks a notable departure from Apple’s traditional update strategy, underscoring the critical nature of the vulnerabilities exploited by DarkSword.

The technology giant confirmed its proactive stance, stating, "We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security protections from web attacks called DarkSword." The company further noted that while initial fixes associated with the DarkSword exploit had been incorporated into various updates since 2025, the latest rollout specifically targets devices still operating on the iOS 18 framework, bridging a crucial security gap without mandating an upgrade to the absolute latest operating system, iOS 26.

The Genesis of a Critical Threat: Unpacking DarkSword

The DarkSword exploit kit emerged as a formidable threat in the mobile security landscape, first identified in active campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine as early as July 2025. A collaborative effort by leading cybersecurity research teams, including Google Threat Intelligence Group (GTIG), iVerify, and Lookout, brought the intricacies of this advanced hacking tool to light. Their findings revealed that DarkSword is capable of exploiting a staggering six distinct vulnerabilities within iOS and iPadOS, specifically targeting devices running versions between iOS 18.4 and 18.7.

The modus operandi of DarkSword-driven attacks typically involves "watering hole" tactics. In such a scenario, users with vulnerable devices are lured into visiting legitimate but compromised websites. These sites are covertly injected with malicious code that, upon access, triggers the exploit kit. Once successfully launched, DarkSword is designed to deploy persistent backdoors and a sophisticated dataminer, granting threat actors sustained access to compromised devices and enabling extensive information theft. This stealthy and persistent nature makes it a particularly dangerous tool, capable of siphoning sensitive user data without immediate detection.

A Shifting Landscape: Apple’s Strategic Pivot

Apple’s decision to backport security fixes to iOS 18.7.7 for a wider array of devices is a significant strategic maneuver. Historically, Apple has prioritized encouraging users to update to the absolute latest version of its operating system (currently iOS 26) to ensure the highest level of security and access to new features. While the company has previously issued security updates for much older, largely unsupported operating systems (such as iOS 15.x.x or iOS 16.x.x) to address critical zero-day vulnerabilities, extending a backported patch to a relatively recent major version like iOS 18 – especially when iOS 26 is readily available – represents an unusual departure.

An Apple spokesperson, in a statement shared with WIRED, elaborated on this decision, indicating that the expansion of the update was aimed at ensuring broader protection for its user base. Users who have not enabled automatic updates now have two distinct options: they can either update to the newly patched version of iOS 18 (18.7.7) or opt for a full upgrade to iOS 26. This dual-path approach acknowledges that not all users are immediately willing or able to transition to the newest operating system, yet still require protection from actively exploited threats.

This strategic adjustment likely stems from the severe nature of the DarkSword threat and the estimated user base still operating on iOS 18. Rocky Cole, co-founder and COO at iVerify, highlighted this demographic, stating, "Apple has at least agreed with the security community’s assessment that this presents a clear and present threat to devices that remain unpatched on earlier versions of iOS, which roughly 20% of people are still running." He further emphasized the difficulty Apple would face in defending a decision to leave such a significant portion of its user base exposed, particularly given its brand emphasis on security and privacy.

A Chronology of Exploits and Responses

The timeline leading to this expanded rollout reveals a rapidly evolving threat landscape and Apple’s concerted efforts to mitigate risks:

  • July 2025: DarkSword exploit kit is observed in active cyberattacks targeting specific geopolitical regions and user groups.
  • Late 2025: Apple incorporates initial fixes associated with some DarkSword vulnerabilities into various updates, though a comprehensive patch for the active kit targeting iOS 18.x.x users remains elusive for a broader audience.
  • March 2026 (Early): Apple issues urgent advisories, urging users of older, largely unsupported devices to update to iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15, and iPadOS 16.7.15. These updates were designed to address vulnerabilities exploited not only by DarkSword but also by another prominent exploit kit, Coruna, which reportedly leveraged an astonishing 23 exploits.
  • March 24, 2026: Apple initially releases iOS 18.7.7 and iPadOS 18.7.7, but this first wave of updates is limited to a select group of devices, specifically the iPhone XS, iPhone XS Max, iPhone XR, and the iPad 7th generation.
  • Late March 2026: Recognizing the pervasive nature of the threat and the potential for widespread exploitation, Apple begins issuing Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS. These alerts serve as direct warnings to users about active web-based attacks and strongly recommend installing the latest security updates.
  • April 1, 2026: Apple expands the availability of iOS 18.7.7 and iPadOS 18.7.7 to a much broader range of devices capable of running iOS 18, allowing automatic updates to deliver the critical patches.
  • April 2, 2026: Apple officially announces the expanded rollout, detailing its rationale and the threat it seeks to counter.

The Exploit Market and Escalating Threats

The emergence of DarkSword and Coruna underscores a troubling trend in the cybersecurity world: the increasing sophistication and accessibility of advanced mobile spyware. It remains unclear how the DarkSword hacking tool became accessible to multiple threat actors. However, a newer version of the kit has since been leaked on the code-sharing platform GitHub, raising significant concerns about its potential proliferation. This "democratization" of powerful offensive tools could empower a wider array of malicious actors, leading to an exponential increase in targeted and mass exploitation attempts.

Indeed, evidence of this proliferation has already surfaced. Cybersecurity firms Proofpoint and Malfors recently revealed that COLDRIVER (also known as TA446), a Russia-linked threat actor group, has actively exploited the leaked DarkSword kit. Their campaigns have focused on delivering the GHOSTBLADE data stealer malware in highly targeted attacks against government agencies, think tanks, higher education institutions, financial organizations, and legal entities. This highlights not only the danger of such kits but also the immediate and tangible impact on critical infrastructure and sensitive data.

Rocky Cole’s observation that "the exploit market is booming" paints a stark picture of the current environment. He argues that while backporting patches is a necessary step, it often comes "too little too late when zero-days are involved." This sentiment reflects the constant cat-and-mouse game between security researchers, vendors, and threat actors, where new vulnerabilities are discovered and exploited with alarming frequency, often before comprehensive patches can be developed and widely deployed.

Implications for Users and the Future of Mobile Security

Apple’s exceptional move to backport fixes for iOS 18 users signals a recognition that the threat posed by DarkSword is not merely theoretical but an active and pervasive danger that demands an immediate, broad-based response, even if it deviates from established protocols. For users, this means that updating their devices is more critical than ever, regardless of whether they choose to upgrade to the very latest iOS 26 or remain on a patched version of iOS 18.

The incident serves as a potent reminder that sophisticated spyware for iPhones, once thought to be exceedingly rare and reserved for state-sponsored actors, may be becoming more prevalent and accessible. The potential for such tools to transition from highly targeted operations to broader mass exploitation campaigns is a significant concern for the entire mobile ecosystem.

In conclusion, the expanded rollout of iOS 18.7.7 and iPadOS 18.7.7 is a crucial, albeit unusual, step by Apple to fortify its user base against a severe and active threat. It underscores the escalating challenges in mobile security, driven by advanced exploit kits like DarkSword and a booming exploit market. For users, the message is clear: maintaining vigilance and promptly installing security updates, whether automatically or manually, remains the most effective defense against an increasingly sophisticated landscape of cyber threats.
