Apple hardly ever blinks. That’s just the way the business runs; it’s neither a compliment nor a criticism. For many years, the choice with iPhone security updates was simple: update to the version that Apple recommended, or accept the risk.
No compromise, no exceptions. So it was worth pausing to consider why Apple silently released an emergency update for iOS 18 devices in early April, devices that Apple had essentially stopped patching months earlier.

| Category | Details |
|---|---|
| Topic | Apple iOS 18 DarkSword Emergency Security Patch |
| Affected Software | iOS 18.7.7 (Build 22H340) |
| Threat Name | DarkSword Exploit Chain |
| Threat Type | Privilege escalation malware; no device rooting required |
| Devices Primarily Affected | iPhones running iOS 18 (not yet upgraded to iOS 26) |
| Patch Release Date | April 1, 2025 |
| DarkSword GitHub Leak Date | March 22, 2025 |
| Related Threat | Coruna exploit kit (23 vulnerabilities, iOS 13–17.2.1) |
| Threat Actor Observed | TA446 (spoofed Atlantic Council phishing campaign) |
| Security Researcher Quoted | Rocky Cole, co-founder, iVerify; Justin Albrecht, Lookout |
| Apple’s Usual Policy | Security patches only for latest iOS version or legacy-only devices |
| Why This Patch Was Unusual | Extended to all iOS 18 users, not just older incompatible hardware |
| iOS 26 Adoption Rate | Approximately 75% of Apple devices from the last four years |
| Apple’s Recommendation | All compatible users should update to iOS 26 or iPadOS 26 |

The answer is DarkSword, a hacking tool so serious that something changed at Cupertino when its code appeared on GitHub on March 22. In a matter of days, Apple did something it hardly ever does: it applied a security patch retroactively for users who hadn’t updated to iOS 26, despite the fact that Apple believed those users had chosen to expose themselves by not upgrading.
It seems that Apple resisted this action for as long as it could. On March 24, the company released a patch for older devices that were physically unable to run iOS 26, such as the iPhone XS and XR, which were intentionally stuck at iOS 18.7.7.

The company had already patched DarkSword in iOS 26 months earlier. However, those in the middle, who were using iOS 18 on perfectly good hardware but had just decided not to upgrade, received nothing. They were alone for about a week.
On April 1, Apple made the patched version of iOS 18.7.7 (build number 22H340) available to all users, not just those with legacy hardware. It appeared as an automatic update. There was no press release, no announcement, and no actual fanfare. Just a subtle change of direction that probably said more than Apple had intended.
It’s not only what DarkSword does that is truly unsettling, but also how it does it. DarkSword does not root the device, in contrast to Coruna, the other devastating exploit kit that had dominated security news a few weeks prior. This distinction is more important than it may first appear. DarkSword “inherits the privileges of the processes” instead of completely taking over the device, according to Rocky Cole, co-founder of iVerify and someone who obviously gives this careful thought.
Without setting off the kind of root-detection systems that a more aggressive attack might, it gains just enough access to reach processes with deep system-level access. In some respects, this makes it more difficult to identify, and possibly more hazardous, than something louder and more noticeable.
When DarkSword landed on GitHub while a sizable percentage of iPhone users were still unpatched, it created a different kind of issue. Coruna had arrived first, and it was disastrous in and of itself—a kit that could move through SMS contacts and spread like wildfire, something Cole describes as “the closest thing to a catastrophic endpoint attack Apple has really ever seen on an iPhone.”
There was a considerable amount of time between public exposure and the patch’s availability. Cole refers to it as “a crisis,” and it’s difficult to disagree with him given that GitHub effectively gave the world’s cybercriminals a ready-to-use exploit kit that targets tens of millions of devices.
Campaigns utilizing DarkSword have already been seen in the wild, according to Lookout’s Justin Albrecht. One such campaign was a phishing operation attributed to TA446 that used email to pose as the Atlantic Council. Some campaigns seemed to be actors merely testing the malware to see what it could do in their hands, while others appeared to be unattributed.
Anyone who manages devices professionally should find it unsettling that exploitation was already occurring while millions of iOS 18 users lacked a patch.
This raises an issue that has been quietly bothering enterprise security teams for years: what happens to users who are required by corporate IT policy to remain one version behind? The patching cadence known as “n-minus-one” is not uncommon. It exists because companies need time to test updates before deploying them to the entire fleet in order to prevent disrupting internal workflows or tools.
Under normal conditions, this policy makes sense. However, when a company such as Apple determines that users on older but supported operating systems are not eligible for emergency patches, it creates a structural vulnerability.
“If the patches aren’t being backported to all versions, how are you supposed to defend yourself?” Cole asks in a tone of restrained annoyance. It’s a reasonable question with no obvious solution. It was a relief when Apple extended the DarkSword patch, but that happened only after a serious exploit was made public on an open platform. That is more of a response than a policy.
It’s still unclear if Apple will formally alter how it responds to similar circumstances in the future. The company hasn’t made any public comments about changing how it backports security patches, and given Apple’s reputation, it most likely won’t. It’s more likely that this will add to the growing body of evidence among security experts that patching, even from Apple, isn’t enough on its own to protect contemporary devices.
The proximity of the DarkSword and Coruna episodes says something important about the current threat landscape: the market for advanced iPhone exploit tools seems to be expanding, prices are declining, and the gap between “nation-state attack” and “criminal campaign” is closing more quickly than most people realize.
For the time being, if you’re still using iOS 18 and your iPhone recently received a silent automatic update, that update probably matters more than it first seemed. It is worth looking into. And if you have been delaying iOS 26 out of habit or personal preference, it is plausible that the trade-off has shifted.
