Apple Expands iOS 18.7.7 to More Devices to Mitigate DarkSword Exploit Risk

-


 Overview

Apple has expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a wider range of supported devices in order to protect users against web-based attacks linked to the DarkSword exploit kit. According to the report, Apple enabled the broader rollout on April 1, 2026, so that users with Automatic Updates enabled can receive the protections more easily.

What the update addresses
The report states that DarkSword is an iOS exploit kit that has been used in real-world attacks since July 2025. It reportedly targets iPhones and iPads running versions between iOS 18.4 and 18.7. The attack is triggered when a victim visits a legitimate but compromised website, making it a watering hole attack scenario. Once activated, the exploit chain can reportedly install backdoors and steal data from the device.

Expansion of device coverage
Apple had initially released iOS 18.7.7 and iPadOS 18.7.7 on March 24, 2026, but only for a limited group of older devices, including the iPhone XS, iPhone XS Max, iPhone XR, and the 7th-generation iPad. The new rollout extends coverage to a much broader list of iPhones and iPads, including iPhone 11 through iPhone 16 models, both SE generations still supported, and multiple iPad, iPad Air, iPad mini, and iPad Pro generations.

Why this is notable
The article describes Apple’s move as unusual because, instead of forcing users to jump immediately to the latest major operating system version, Apple is allowing more users on iOS 18 to receive the relevant security fixes without upgrading to iOS 26. Users without Automatic Updates enabled can reportedly choose either the patched iOS 18 release or move directly to iOS 26.

Threat context
The article says DarkSword has been observed in attacks targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. It also notes that a newer version of the exploit kit was reportedly leaked on GitHub, increasing concern that more threat actors could adopt it. In addition, Proofpoint and Malfors reportedly linked the Russia-associated threat actor COLDRIVER to the use of DarkSword for delivering GHOSTBLADE data-stealing malware against government, think tank, education, financial, and legal targets.

Additional Apple response measures
The report notes that Apple recently began sending lock screen notifications to iPhones and iPads running older software versions, warning users about web-based attacks and encouraging them to install available updates. It also mentions that Apple had previously pushed iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15, and iPadOS 16.7.15 to protect older devices from DarkSword- and Coruna-related exploitation.

Risk assessment
This development suggests that Apple considers DarkSword a significant enough threat to justify wider backporting of security protections. The article also highlights a broader concern in the mobile security space: advanced iPhone spyware and exploit kits may be more available and more scalable than previously assumed.

Conclusion
Apple’s expanded rollout of iOS 18.7.7 and iPadOS 18.7.7 appears to be a targeted defensive response to an actively discussed exploit kit affecting Apple devices through compromised websites. The update is important because it broadens protection for users who have not yet moved to the latest major iOS release, reducing exposure to web-driven compromise and data theft.

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more