Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit

Summary

Apple rolled out iOS 18.7.7 and iPadOS 18.7.7 to a wider range of devices on April 1, 2026, to protect users from the DarkSword exploit kit, which has been actively exploited since July 2025 in watering hole attacks targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit kit targets iOS/iPadOS versions 18.4–18.7 and deploys backdoors and data miners for persistent access; a leaked version on GitHub has raised concerns of wider adoption. Apple also backported patches to older iOS versions (15.8.7, 16.7.15) and enabled Lock Screen notifications to warn users of web-based attacks.

Full text

Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Ravie LakshmananApr 02, 2026Mobile Security / Vulnerability Apple on Wednesday expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword. "We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security protections from web attacks called DarkSword," the company said. "The fixes associated with the DarkSword exploit first shipped in 2025." The update is available for the following devices - iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all models), iPhone SE (2nd generation), iPhone 12 (all models), iPhone 13 (all models), iPhone SE (3rd generation), iPhone 14 (all models), iPhone 15 (all models), iPhone 16 (all models), and iPhone 16e iPad mini (5th generation - A17 Pro), iPad (7th generation - A16), iPad Air (3rd - 5th generation), iPad Air 11-inch (M2 - M3), iPad Air 13-inch (M2 - M3), iPad Pro 11-inch (1st generation - M4), iPad Pro 12.9-inch (3rd - 6th generation), and iPad Pro 13-inch (M4) The latest update aims to cover devices that have the capability to update to iOS 26 but are still on older versions. Apple first released iOS 18.7.7 and iPadOS 18.7.7 on March 24, 2026, but only for iPhone XS, iPhone XS Max, iPhone XR, and iPad 7th generation. Last month, the company also urged users to update older devices to iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15, and iPadOS 16.7.15 to address some of the exploits that were used in DarkSword and another exploit kit called Coruna. While Apple is known to backport fixes for older devices depending on the criticality of the vulnerabilities, the move to allow iOS 18 users to patch their devices without having to update to the latest operating system version marks an unusual departure for the tech giant. In a statement shared with WIRED, an Apple spokesperson said it was expanding the update to more devices to help them stay protected. Users who do not have auto-update enabled will have the option to either update to the latest, patched version of iOS 18 or to iOS 26. The rare step comes weeks after Google Threat Intelligence Group (GTIG), iVerify, and Lookout shared details of an iOS exploit kit called DarkSword that has been put to use in cyber attacks targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine since July 2025. The kit is capable of targeting iOS and iPadOS devices running versions between iOS 18.4 and 18.7. The attack gets triggered when a user running a vulnerable device visits a legitimate-but-compromised website that hosts the malicious code as part of what's called a watering hole attack. Once launched, the attacks have been found to deploy backdoors and a dataminer for persistent access and information theft. It's currently not known how the advanced hacking tool came to be shared by multiple threat actors. A newer version of the kit has since been leaked on the code-sharing site GitHub, fueling concerns that more threat actors could jump on the exploitation bandwagon. The discovery also highlights that powerful spyware for iPhones may not be as rare as previously thought, and that they could become attractive tools for mass exploitation. As of last week, Apple began issuing Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS to alert users of web-based attacks and urge them to install the latest updates. Proofpoint and Malfors also revealed that another Russia-linked threat actor known as COLDRIVER (aka TA446) has exploited the DarkSword kit to deliver the GHOSTBLADE data stealer malware in attacks targeting government, think tank, higher education, financial, and legal entities. "DarkSword silently steals vast amounts of user data purely because the user Now visited a real (but compromised) website," Rocky Cole, co-founder and COO at iVerify, said in a statement shared with The Hacker News. "Apple has at least agreed with the security community's assessment that this presents a clear and present threat to devices that remain unpatched on earlier versions of iOS, which roughly 20% of people are still running." "Leaving those users exposed would be a hard decision to defend, particularly for a company that centers its brand around security and privacy. Backporting patches to older iOS versions seems like the least they can do in lieu of providing a security framework for outside developers. The fact is that patching is too little too late when 0-days are involved, and the exploit market is booming." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Apple, cybersecurity, Device Protection, exploit kit, iOS, iPadOS, mobile security, Vulnerability, web security Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• malware — DarkSword
• malware — Coruna
• malware — GHOSTBLADE

Entities