Apple has quietly expanded distribution of a security update for iPhones still running iOS 18, with the aim of closing a gap that has been actively exploited for months. In the release notes for iOS 18.7.7, published on April 1, 2026, the company explains that it has "enabled the availability" of that version for more devices, so that those with Automatic Updates turned on will receive the protections against web attacks related to the set of vulnerabilities known as DarkSword. The measure seeks to keep users who decided not to migrate to more recent versions of the system from being exposed to exploits already identified and used in the wild. For Apple's official index of patches, see the Apple security updates page: support.apple.com.
DarkSword came to public attention through joint investigations carried out in early 2026 by various security teams, which mapped an exploit chain consisting of six vulnerabilities. These flaws are tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510 and CVE-2025-43520; each can be looked up in the MITRE CVE database (for example, CVE-2025-31277). The worrying thing was not just the technique, but the extent to which the tool was used.

iOS exploits have traditionally been reserved for targeted operations, such as political espionage or targeted attacks, but DarkSword was deployed in much more extensive campaigns. Researchers identified its use by various actors, from a Turkey-based commercial surveillance vendor to groups linked to national espionage campaigns. In these incidents, the attackers did not merely trick the victim into downloading a malicious app: once the web vulnerability was exploited, they deployed malware families designed to steal information and run code remotely. These include components identified by names such as GhostBlade, GhostKnife and GhostSaber, which act as infostealers and backdoors capable of extracting data and maintaining persistent access to compromised devices.
Apple began closing these gaps progressively from July 2025, incorporating fixes in iOS 18.6 and later versions of that branch. However, in late 2025 the company stopped offering iOS 18 updates to many more recent models that could already run iOS 26, which created a paradoxical situation: those who chose to stay on iOS 18 saw the availability of patches reduced to a limited group of compatible devices. In practice that left many phones in a position of "false security": they could continue to run iOS 18, but not all of them received the most recent fixes released in 2026.
The situation worsened when, in March 2026, the DarkSword kit itself was published in a public repository, which made it accessible to less sophisticated actors and increased the risk to users with vulnerable devices. The specialized press covered this; TechCrunch, for example, reported on the kit leak, stressing the danger that advanced tools will be available to any attacker.
Apple's response with iOS 18.7.7, in addition to fixing the flaws, expands the list of devices that can still receive patches without leaving the iOS 18 branch. In practice this means that models that until recently did not have access to patches released in 2026 will now be able to receive this version if they keep Automatic Updates on. It is a halfway solution: it protects those who want to stay on iOS 18, but does not replace the usual recommendation to update to the most recent version of the operating system when the device allows it.
Looking at the operational context, the existence of an exploit kit used at scale changes the nature of the risk: it is no longer a tool reserved for a select group of attackers, but a methodology that multiple groups can potentially reuse for credential theft, data exfiltration or deeper interference with the operation of the device. Therefore, in addition to the patch, good practices remain relevant: keep automatic updates active, check the source of links and websites visited from the phone, and review suspicious application permissions.

From an institutional point of view, there are also clear lessons. Authorities and organizations handling sensitive information often receive guidelines from security agencies to apply patches urgently; when a threat reaches public scale, and especially when the exploit is leaked, the mitigation schedule must be accelerated. Those interested in technical monitoring and government alerts can consult intelligence and public security resources, as well as the official vulnerability databases and the communications of manufacturers and research teams. In addition to media coverage, references such as Apple's list of updates and the CVE entries provide a verifiable view of the patches applied: Apple Security Updates and the CVE collection at MITRE (e.g., CVE-2025-43529) are reliable starting points.
In short, iOS 18.7.7 is good news for those who do not want to, or cannot, migrate to the most recent versions: it restores some of the protection against an exploit that has proved to be practical and reusable. But it does not remove the underlying problem: in an ecosystem so dependent on patches and updates, the fragmentation of support and the public release of attack tools amplify the risk. The most prudent recommendation remains to keep the system updated to the most recent version that the device supports and to turn on automatic updates; those who for some reason are still on iOS 18 should make sure to apply iOS 18.7.7 as soon as it arrives and review the additional security options offered by Apple or mobile security providers.
See the above-mentioned TechCrunch piece (TechCrunch, March 2026) as well as the related CVE entries in the MITRE database to understand each vulnerability in detail: cve.mitre.org. For more in-depth threat monitoring and technical analysis, blogs and communications from security teams such as Google's or from specialized firms often publish post-mortem analyses and operational recommendations on their official channels; a search of their official pages makes it easier to find reports linked to DarkSword and its implications.