Full Report
Apple on Wednesday expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword. "We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security
Analysis Summary
# Vulnerability: "DarkSword" Exploit Kit Targeting iOS and iPadOS
## CVE Details
*Note: The provided text refers to a chain of 6 flaws used by the DarkSword exploit kit. While specific CVE IDs for each of the 6 flaws are not listed in this specific article, they are associated with patches first shipped in 2025.*
- **CVE ID:** Not explicitly listed (Refers to a chain of 6 vulnerabilities)
- **CVSS Score:** N/A (Likely Critical given the exploit capabilities)
- **CWE:** N/A (Web-based exploit chain/Watering hole attack)
## Affected Systems
- **Products:** iPhone and iPad
- **Versions:** iOS 18.4 through iOS 18.7
- **Configurations:** Devices running these versions that visit compromised websites.
- **Specific Models:** Extensive list including iPhone XR through iPhone 16 models, and various iPad models (mini 5th gen+, Air 3rd gen+, Pro 1st gen+, and standard iPad 7th gen+).
## Vulnerability Description
The "DarkSword" exploit kit utilizes a chain of six distinct vulnerabilities to compromise Apple devices. The attack is delivered via a **watering hole attack**, where legitimate but compromised websites host malicious code. When a vulnerable device visits the site, the kit triggers, allowing for the deployment of persistent backdoors and "dataminer" malware designed for information theft and long-term access.
## Exploitation
- **Status:** Exploited in the wild (Actively used against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine since July 2025). PoC/Source code has been leaked on GitHub.
- **Complexity:** Low (Zero-click/one-click via watering hole; user only needs to visit a compromised site).
- **Attack Vector:** Network (Web-based).
## Impact
- **Confidentiality:** High (Deployment of dataminers for persistent information theft).
- **Integrity:** High (Deployment of backdoors and unauthorized code execution).
- **Availability:** High (Potential for full device takeover).
## Remediation
### Patches
Apple has expanded the availability of backported security updates. Users should update to:
- **iOS 18.7.7** or **iPadOS 18.7.7** (For users remaining on the iOS 18 branch).
- **iOS 26** (The latest major OS version).
- Older devices may require **iOS 15.8.7** or **iOS 16.7.15** to address related flaws.
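
The following Python example is added here and is not from Apple or the source report: it sorts a device inventory by the affected range and fixed builds listed in this summary. The CSV columns, device names and status labels are constructed for illustration, and it assumes every 18.x build from 18.4 up to (but not including) 18.7.7 counts as affected.

```python
import csv
import io
import re

# Fixed builds per OS branch, taken from the Patches list in this summary.
FIXED = {15: (15, 8, 7), 16: (16, 7, 15), 18: (18, 7, 7)}
AFFECTED_FROM = (18, 4, 0)   # start of the range listed under Affected Systems
LATEST_MAJOR = 26            # iOS 26 is listed as a remediation target

def parse_version(text):
    """'18.6.2' -> (18, 6, 2); None when the field is not a dotted version."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text.strip(), re.ASCII):
        return None
    nums = [int(p) for p in text.strip().split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version_text):
    """Return a status label (labels are this example's own, not Apple's)."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    floor = FIXED.get(v[0])
    if v[0] >= LATEST_MAJOR or (floor and v >= floor):
        return "ok"
    if floor is None:
        return "not-covered"   # the summary names no fixed build for this branch
    # Assumption: every 18.x build from 18.4 up to the fix counts as affected.
    if v >= AFFECTED_FROM:
        return "affected"
    return "update"            # below the fixed build, outside the listed range

def triage(inventory_csv):
    """Group device names by status from a CSV with 'device' and 'os_version'."""
    groups = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        groups.setdefault(classify(row["os_version"]), []).append(row["device"])
    return groups

# Constructed sample inventory (not real data).
SAMPLE = """device,os_version
ipad-lab-01,18.7.7
iphone-sales-14,18.6.2
ipad-kiosk-09,16.7.12
iphone-old-03,17.7
iphone-misc-07,unknown
"""

if __name__ == "__main__":
    for status, devices in sorted(triage(SAMPLE).items()):
        print(f"{status:12} {', '.join(devices)}")
```

Devices reported as `not-covered` or `unparseable` need manual review, since this summary gives no fixed build for their branch.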
### Workarounds
- No specific technical workarounds are provided; users are strongly urged to enable **Automatic Updates**.
- Apple has issued Lock Screen notifications to alert users of the risk of web-based attacks.
## Detection
- **Indicators of Compromise:** Presence of "GHOSTBLADE" data stealer malware or unauthorized backdoors.
- **Detection methods and tools:** Analysis by Google Threat Intelligence Group (GTIG), iVerify, and Lookout identifies these attacks. Organizations should monitor for traffic to known compromised websites used in watering hole campaigns.
## References
- Apple Security Advisory: [https://support.apple.com/en-us/126793](https://support.apple.com/en-us/126793)
- Source Report: [https://thehackernews.com/2026/04/apple-expands-ios-1877-update-to-more.html](https://thehackernews.com/2026/04/apple-expands-ios-1877-update-to-more.html)
- Related Threat Research: [https://thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html](https://thehackernews.com/2026/03/darksword-ios-exploit-kit-uses-6-flaws.html)