DarkSword: Apple extends iOS patch to more iPhones and iPads to stop targeted attacks

Apple has quietly expanded protection against a real threat to iPhone and iPad users: the company extended the availability of iOS 18.7.7 and iPadOS 18.7.7 to a wider range of devices to mitigate a set of exploits known as DarkSword. What is new is that, in addition to some more recent models, the patch now reaches devices that are able to update to modern versions of the system but still remain on earlier iOS branches, which protects them without forcing an immediate jump to the latest operating system.

The measure, announced by Apple and reported by specialized media, is part of a response to findings from intelligence groups and security companies that detected the active use of DarkSword in targeted campaigns since mid-2025. Initially, the company released the fix on 24 March 2026 for a limited number of devices; on 1 April 2026 it expanded this deployment so that users with automatic updates enabled receive these protections automatically. For those who do not use automatic updates, Apple offers the option of installing the patched version of iOS 18 or migrating to iOS 26.

The models included in this extension range from the iPhone XR and XS to the iPhone 16 family, including several generations of iPhone 11, 12, 13, 14 and 15, and the 2nd and 3rd generation iPhone SE. On iPad, coverage runs from the 5th generation iPad mini to models with M2 to M4 chips, along with several generations of iPad Air and iPad Pro. It is unusual for Apple to distribute patches to earlier iOS branches: the company usually pushes users to the most recent version, but when the severity of a vulnerability requires it, it backports fixes to minimize the impact of attacks on the ecosystem.

What does DarkSword do, and why is it a concern? It is an exploit kit that takes advantage of flaws in the browser and in system components to launch targeted web attacks of the kind known as watering-hole attacks, in which malicious actors compromise legitimate sites so that a visitor with a vulnerable device runs malicious code simply by visiting them, without opening any suspicious file or link. In documented incidents, intrusions have led to the installation of backdoors and a data miner, tools aimed at maintaining persistent access and extracting valuable information from the compromised device.

The security community detected the use of DarkSword in attacks in countries such as Saudi Arabia, Turkey, Malaysia and Ukraine; in addition, the kit has been seen to affect iOS versions between 18.4 and 18.7. The discovery was accompanied by technical reports and public alerts from research groups and cybersecurity companies, and exploitation by actors linked to espionage and information theft campaigns has been documented. The fact that versions of the kit have appeared on public code-sharing platforms has raised concerns about proliferation that would make it easier for other, less sophisticated attackers to use it.

In addition to the risk of the exploit itself, the research showed that at least one group identified by security firms, known in reports as COLDRIVER or TA446, has used DarkSword to deploy the GHOSTBLADE malware, a data stealer targeted at government entities, universities, think tanks, and the financial and legal sectors. Given the severity of these campaigns, Apple has also used notifications on the lock screen to alert users on old versions of the system to the need to update, an unusual measure but one in line with the urgency of the problem.

What can a user do right now? The first recommendation is simple and powerful: update. Enable automatic updates or install the patched version available for your device; if you want to stay on an earlier branch because of incompatibilities with critical applications, at least consider moving to the specific version that contains the patch before migrating to the latest system. Minimizing exposure to potentially compromised websites, avoiding dubious links and keeping secure backups of your data are helpful practices, although the ultimate defense against browser exploits usually comes from patches that correct the underlying vulnerabilities.

The DarkSword case also feeds broader discussions about the exploit market and the ease with which advanced tools can end up in the hands of multiple actors. If sophisticated kits are leaked or shared, the technical barrier for attackers with fewer resources is lowered and the risk of mass campaigns increases. For companies and IT administrators, the lesson is clear: monitoring security updates, applying patches quickly and having detection controls that identify abnormal behavior on mobile devices is more important than ever.
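For administrators tracking that patch status across a fleet, the following added example (not code from Apple or from the reports cited here) triages a device inventory against the versions named in this article. The CSV columns and device names are constructed, and treating every version from 18.4 up to but not including 18.7.7 as exposed is an assumption drawn from the reported range and the patched release.

```python
import csv
import io

PATCHED_18 = (18, 7, 7)     # fixed iOS/iPadOS 18 release named in the article
AFFECTED_FROM = (18, 4, 0)  # article: kit seen against iOS 18.4 through 18.7

def parse_version(text):
    """'18.7' -> (18, 7, 0). Numeric tuples avoid the string-compare
    mistake where '18.7.10' sorts before '18.7.7'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(version_text):
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"            # unparseable value: check by hand
    if v[0] >= 26:
        return "current-branch"     # iOS 26 line; exact fixed build not given here
    if v[0] == 18 and v >= PATCHED_18:
        return "patched"
    if AFFECTED_FROM <= v < PATCHED_18:
        return "exposed"            # assumption: in reported range, below the fix
    if v < AFFECTED_FROM:
        return "outdated"           # older than the reported range, lacks 18.7.7
    return "unknown"

def needs_action(csv_text):
    """Return (device, os_version, status) for rows that are not patched."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["device"], r["os_version"], triage(r["os_version"]))
            for r in rows
            if triage(r["os_version"]) not in ("patched", "current-branch")]

# Constructed inventory export (hypothetical device names and column headers).
SAMPLE = """device,os_version
iphone-xr-014,18.6.2
ipad-mini5-003,18.7.7
iphone-15-221,18.7.10
iphone-se2-040,17.7.2
iphone-16-118,26.1
ipad-air-077,18.7
"""

if __name__ == "__main__":
    for row in needs_action(SAMPLE):
        print(row)
```

Devices reported as "current-branch" should still be checked against Apple's security release notes, since this article does not state which iOS 26 build carries the fix.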

For those who want to look further into the research and communication surrounding this episode, there are analyses and news pieces in the media and in the specialized blogs of the cybersecurity companies that have worked on the case. Apple keeps information on security updates on its support site (support.apple.com), and coverage and analysis can be found in specialized publications and in the blogs of research groups and companies such as Google Threat Analysis Group (blog.google/threat-analysis-group), The Hacker News, Proofpoint and Lookout, where reports and technical details related to these intrusions have been published.

Apple's extension of the patch does not eliminate the root problem: as long as there are unknown vulnerabilities (0-days) and an active market for exploits, the risks will persist. However, the rapid response and the delivery of patches to devices that, under normal conditions, would no longer receive full support show that, in the face of real threats, manufacturers can and should prioritize practical security over planned obsolescence. The best individual defense remains keeping software up to date and following official security recommendations.
