Apple on Wednesday expanded iOS 18.7.7 and iPadOS 18.7.7 to more iPhones and iPads to help protect users from web attacks tied to the DarkSword exploit kit, including devices that can move to iOS 26 but are still on older software.
KEY FACTS
- Scope The update now covers a broader set of iPhones and iPads, including iPhone XR through iPhone 16e and multiple iPad Air and iPad Pro models.
- Initial release Apple first shipped iOS 18.7.7 and iPadOS 18.7.7 on March 24, 2026, but only for a smaller group of older devices.
- Threat DarkSword has been used in attacks since July 2025 and targets iOS and iPadOS versions from 18.4 through 18.7.
- Attack method The exploit chain can trigger when a user visits a compromised website in a watering hole attack.
The company said the wider rollout was enabled on April 1 so users with Automatic Updates turned on can receive the security fixes without moving to the latest operating system. Users without auto-update enabled can choose the patched iOS 18 build or update to iOS 26.
The report said the fixes tied to DarkSword first shipped in 2025. Apple had already urged owners of older devices to install iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15 and iPadOS 16.7.15 to address some of the same exploit chains used in DarkSword and another kit called Coruna.
Security researchers said the kit has been used against users in Saudi Arabia, Turkey, Malaysia and Ukraine. Once launched, the attacks have deployed backdoors and a data stealer for persistent access and information theft, and a newer version has since been leaked on GitHub.
Apple has also begun sending Lock Screen notifications to devices running older versions of iOS and iPadOS to warn about web-based attacks and prompt installation of the latest updates.
WHY IT MATTERS
The expanded support gives more users a way to install security patches without a full operating system upgrade, which can matter for older devices that remain in use. It also shows that exploit kits aimed at iPhones and iPads continue to be actively reused and adapted by multiple threat actors.