Apple Backports iOS 18.7.7 Patches to Broader Device Range to Counter DarkSword Exploit Kit
Apple has expanded iOS 18.7.7 and iPadOS 18.7.7 to additional devices, patching six vulnerabilities exploited by the DarkSword exploit kit in watering-hole attacks that deploy data-stealing malware.
Apple has expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a wider range of devices, delivering critical security patches to users who remain on older operating systems. The update, released on April 1, 2026, addresses six vulnerabilities that have been actively exploited by the DarkSword exploit kit since July 2025. By backporting fixes originally issued in 2025, Apple aims to protect users who cannot or choose not to upgrade to the latest iOS 26.
The DarkSword exploit kit targets devices running iOS versions between 18.4 and 18.7. It operates through watering-hole attacks, where attackers compromise legitimate websites to deliver malware when a user visits the site. Once a device is compromised, the kit can deploy multiple data-stealing tools, including GhostBlade, GhostKnife, and GhostSaber malware. These tools are designed to silently exfiltrate sensitive information such as credentials, personal data, and device identifiers.
Security researchers have linked DarkSword to multiple threat actors, including surveillance vendors and suspected espionage groups. The exploit kit has been used in targeted attacks against users in several countries. "DarkSword silently steals vast amounts of user data purely because the user visited a real (but compromised) website," said Rocky Cole, co-founder and COO at iVerify. "Apple has at least agreed with the security community's assessment that this presents a clear and present threat to devices that remain unpatched on earlier versions of iOS."
The expanded update covers a wide range of iPhones and iPads that remain on iOS 18, including iPhone XR through iPhone 16 models, iPhone SE (2nd and 3rd generation), and multiple iPad mini, iPad Air, and iPad Pro models. Users with automatic updates enabled will receive the patch automatically, while others can manually update to the patched iOS 18 version or upgrade to iOS 26. Apple has also begun sending lock screen notifications to users running older software, urging them to install the latest security updates.
Adding to the urgency, researchers have warned that the exploit kit's source code was leaked on GitHub, raising concerns that a wider range of attackers could begin using it. The leak significantly increases the risk of mass exploitation, as even less sophisticated threat actors can now deploy the kit. The attacks can install backdoors and steal sensitive information once a device is compromised, making patching critical for all affected users.
Apple's decision to backport security fixes to an older operating system is an unusual step. The company typically stops delivering updates to older OS versions once new releases are available. However, this update allows users who remain on iOS 18 to continue receiving critical security patches, rather than forcing a full operating system upgrade. "The combination of its reliability and accessibility is likely why Apple decided to backport the patch," said Vincenzo Iozzo, CEO and co-founder at SlashID. "Still, this leaves a significant portion of the customer base vulnerable."
The move underscores the growing threat posed by sophisticated exploit kits that target mobile devices. As surveillance vendors and espionage groups continue to develop and deploy such tools, the need for timely and accessible security updates becomes increasingly critical. Apple's proactive approach to backporting patches may set a precedent for how the company handles future vulnerabilities affecting users on older operating systems.