
Apple Expands iOS 18 Security Updates to Thwart Widespread DarkSword Exploit Kit


Apple has significantly broadened the availability of critical security updates for iPhones still operating on iOS 18. The move is a direct response to the widespread and active exploitation of the "DarkSword" exploit kit, a sophisticated threat that has targeted a broad range of iPhone models. In a security update changelog for iOS 18.7.7, Apple stated, "We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security protections from web attacks called DarkSword." The company noted that the core fixes for these vulnerabilities were first developed and shipped in 2025, underscoring the persistent nature of the threat.

The DarkSword exploit kit, first detailed in March by researchers from Lookout, iVerify, and Google Threat Intelligence, represents a dangerous escalation in mobile threats. Unlike typical iOS exploits reserved for high-value espionage, DarkSword has been deployed in widespread campaigns. It leverages a chain of six critical vulnerabilities, tracked as CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520, to compromise iPhones running iOS versions 18.4 through 18.7. The threat actors behind these campaigns are diverse, including the Turkish commercial surveillance vendor PARS Defense, a group tracked as UNC6748, and a suspected Russian espionage operation known as UNC6353.

Upon successful exploitation, the attacks deploy information-stealing malware onto victim devices. Google Threat Intelligence Group (GTIG) observed the deployment of three separate malware families, including a highly aggressive JavaScript-based infostealer named GhostB. This malware is designed to siphon sensitive data directly from the device. The expansion of Apple's security patch distribution is a crucial step in mitigating this active threat, protecting a larger user base that may have delayed major OS upgrades but still requires protection against critical security flaws.

This incident occurs amidst a landscape of other significant cybersecurity threats. A new service dubbed "EvilTokens" is fueling sophisticated phishing attacks aimed at stealing Microsoft device authorization codes. Google has urgently patched the fourth Chrome zero-day vulnerability exploited in the wild in 2026. The FBI has issued warnings about privacy risks associated with certain Chinese mobile applications. Furthermore, a new malware variant named CrystalRAT has emerged, combining remote access trojan (RAT) capabilities, data-stealing functions, and disruptive "prankware" features. Separately, hackers are exploiting a zero-day flaw in the TrueConf video conferencing software to push malicious updates.

For users, the imperative is clear: enable automatic updates on all devices. For those seeking to harden their systems, guidance is available on enabling Kernel-mode Hardware-enforced Stack Protection in Windows 11 and on removing various types of malware, including Trojans, viruses, and worms. The DarkSword campaign is a stark reminder that even devices on older, but still supported, operating system branches are prime targets for determined adversaries, making consistent patch application a fundamental pillar of personal and organizational cybersecurity.
