Apple on Wednesday expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword.
“We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security protections from web attacks called DarkSword,” the company said. “The fixes associated with the DarkSword exploit first shipped in 2025.”
The update is available for the following devices –
- iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all models), iPhone SE (2nd generation), iPhone 12 (all models), iPhone 13 (all models), iPhone SE (3rd generation), iPhone 14 (all models), iPhone 15 (all models), iPhone 16 (all models), and iPhone 16e
- iPad mini (5th generation – A17 Pro), iPad (7th generation – A16), iPad Air (3rd – 5th generation), iPad Air 11-inch (M2 – M3), iPad Air 13-inch (M2 – M3), iPad Pro 11-inch (1st generation – M4), iPad Pro 12.9-inch (3rd – 6th generation), and iPad Pro 13-inch (M4)
The latest update aims to cover devices that have the capability to update to iOS 26 but are still on older versions. Apple first released iOS 18.7.7 and iPadOS 18.7.7 on March 24, 2026, but only for iPhone XS, iPhone XS Max, iPhone XR, and iPad 7th generation.
Last month, the company also urged users to update older devices to iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15, and iPadOS 16.7.15 to address some of the exploits that were used in DarkSword and another exploit kit called Coruna.
While Apple is known to backport fixes for older devices depending on the criticality of the vulnerabilities, the move to allow iOS 18 users to patch their devices without having to update to the latest operating system version marks an unusual departure for the tech giant.
In a statement shared with WIRED, an Apple spokesperson said it was expanding the update to more devices to help them stay protected. Users who do not have auto-update enabled will have the option to either update to the latest, patched version of iOS 18 or to iOS 26.
The rare step comes weeks after Google Threat Intelligence Group (GTIG), iVerify, and Lookout shared details of an iOS exploit kit called DarkSword that has been put to use in cyber attacks targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine since July 2025. The kit is capable of targeting iOS and iPadOS devices running versions between iOS 18.4 and 18.7.
The attack gets triggered when a user running a vulnerable device visits a legitimate-but-compromised website that hosts the malicious code as part of what’s called a watering hole attack. Once launched, the attacks have been found to deploy backdoors and a dataminer for persistent access and information theft.
It’s currently not known how the advanced hacking tool came to be shared by multiple threat actors. A newer version of the kit has since been leaked on the code-sharing site GitHub, fueling concerns that more threat actors could jump on the exploitation bandwagon.
The discovery also highlights that powerful spyware for iPhones may not be as rare as previously thought, and that they could become attractive tools for mass exploitation.
As of last week, Apple began issuing Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS to alert users of web-based attacks and urge them to install the latest updates.
Proofpoint and Malfors also revealed that another Russia-linked threat actor known as COLDRIVER (aka TA446) has exploited the DarkSword kit to deliver the GHOSTBLADE data stealer malware in attacks targeting government, think tank, higher education, financial, and legal entities.
“DarkSword silently steals vast amounts of user data purely because the user Now visited a real (but compromised) website,” Rocky Cole, co-founder and COO at iVerify, said in a statement shared with The Hacker News. “Apple has at least agreed with the security community’s assessment that this presents a clear and present threat to devices that remain unpatched on earlier versions of iOS, which roughly 20% of people are still running.”
“Leaving those users exposed would be a hard decision to defend, particularly for a company that centers its brand around security and privacy. Backporting patches to older iOS versions seems like the least they can do in lieu of providing a security framework for outside developers. The fact is that patching is too little too late when 0-days are involved, and the exploit market is booming.”
