APPLE has widened the rollout of iOS 18.7.7 and iPadOS 18.7.7 to bring security fixes to a larger pool of devices still running the older operating system, in response to the DarkSword exploit kit according to Infosecurity Magazine. The update became available on 1 April 2026 for users with automatic updates enabled, following an initial release on 24 March 2026 that was limited to a handful of models.
The DarkSword kit operates as a watering hole attack, injecting malicious code into compromised websites that target devices running iOS versions 18.4 through 18.7. When a user visits an infected page in Safari, the exploit can silently deploy malware without any interaction beyond loading the site. No CVE identifier has been assigned to the flaw as Apple treats it as a backported patch rather than a traditional vulnerability.
Eligible hardware now includes iPhone XR through iPhone 16 series, iPhone SE second and third generation, iPad mini fifth generation, iPad seventh generation, and various iPad Air and iPad Pro models. Apple says the patch is delivered as a backported update, allowing devices that remain on iOS 18 to receive the fix without being forced to upgrade to iOS 26. The expansion means millions of additional iPhones and iPads can now apply the protection.
Threat researchers have observed DarkSword activity in campaigns aimed at users in Saudi Arabia, Turkey, Malaysia and the United Kingdom, though no specific threat actor has been publicly linked to the exploit kit. The attacks typically involve luring victims to compromised news or forums sites that match their interests. Because the malware can persist after installation, defenders are urged to treat any unexpected behaviour as a potential compromise.
Organisations should ensure that automatic updates are enabled on all Apple devices and verify that the installed version reads 18.7.7 or later for iOS and iPadOS. Users who have turned off automatic updates can manually check for the update in Settings > General > Software Update. Additionally, enabling Safari’s fraudulent website warning and using a reputable content blocker can reduce the chance of encountering a malicious site used in the watering hole tactic.
Security teams are advised to review web proxy logs for requests to unknown domains and to monitor endpoint telemetry for signs of unusual processes following a browser session. Applying the patch promptly remains the most effective mitigation while the full scope of DarkSword’s reach continues to be assessed.