Apple Responds to DarkSword: The iOS Exploit That Can Hack Your iPhone Just by Visiting a Website

Image: iPhone showing a cybersecurity warning related to the DarkSword exploit, with a hacker attack concept in the background
What if simply visiting a news website — one you trust and visit every day — silently handed a hacker complete access to your iPhone? No suspicious link. No shady download. No warning. Just a visit. That is exactly what the

Here is a full breakdown of what DarkSword is, who is behind it, which devices are at risk, and what you must do right now.

What Is DarkSword?

DarkSword is a sophisticated exploit kit — a packaged collection of zero-day vulnerabilities — specifically engineered to target Apple devices running iOS and iPadOS. What separates it from typical mobile threats is its delivery method: a technique called a watering hole attack.

Instead of sending phishing emails or tricking users into downloading malicious apps, attackers using DarkSword quietly inject malicious code into legitimate, well-known websites. When a vulnerable iPhone or iPad visits one of these compromised pages, the exploit fires automatically in the background. The user sees and feels nothing. By the time they close the browser tab, a backdoor may already be installed on their device, and a data-stealing component may have begun quietly copying their messages, credentials, photos, and private files.

This is what security researchers call a zero-click attack — the most dangerous class of mobile exploit in existence.

How Long Has This Been Going On?

According to research published jointly by Google Threat Intelligence Group (GTIG), iVerify, and Lookout, DarkSword has been actively deployed in cyberattacks since July 2025 — nearly nine months before Apple issued a broad public patch. Confirmed target regions include:

  • 🇸🇦 Saudi Arabia
  • 🇹🇷 Turkey
  • 🇲🇾 Malaysia
  • 🇺🇦 Ukraine

The kit targets devices running iOS 18.4 through iOS 18.7 — a range that covered the majority of up-to-date iPhones for most of 2025.

Who Is Using DarkSword?

This is where the story escalates significantly. DarkSword is not the tool of a single group — it has spread across multiple threat actors, including nation-state-level adversaries.

COLDRIVER (TA446) — Russia-Linked

Security firms Proofpoint and Malfors revealed that a Russia-linked advanced persistent threat group known as COLDRIVER (also tracked as TA446) has weaponised DarkSword to deliver a data-stealing malware called GHOSTBLADE. COLDRIVER is assessed to have ties to Russian military intelligence and has historically focused on credential harvesting and phishing. Their pivot to mobile zero-day exploitation marks a dangerous escalation in their capabilities.

Confirmed targets of COLDRIVER's GHOSTBLADE campaigns include:

  • Government ministries and defence organisations
  • Financial institutions
  • Academic think tanks
  • Higher education institutions
  • Legal entities

The GitHub Leak Problem

Making matters significantly worse, a newer version of the DarkSword kit was leaked publicly on GitHub. What was once a tool limited to well-resourced nation-state actors is now potentially accessible to a far wider range of cybercriminals. Security experts warn this could trigger a wave of opportunistic mass exploitation targeting everyday users, not just high-value government or corporate targets.

Apple's Unprecedented Response

Apple's handling of DarkSword has been as noteworthy as the threat itself — because the company broke from its own established norms to address it.

Timeline of Apple's Actions

  1. 2025 (undisclosed date): Apple quietly ships initial fixes for the DarkSword vulnerabilities inside regular iOS updates, without public acknowledgment.
  2. March 24, 2026: Apple releases iOS 18.7.7 and iPadOS 18.7.7 — but only for iPhone XS, iPhone XS Max, iPhone XR, and iPad 7th generation.
  3. Late March 2026: Apple begins pushing Lock Screen security notifications to iPhones and iPads still running older, unpatched versions of iOS — an unusual mass consumer alert.
  4. April 1, 2026: Apple expands iOS 18.7.7 to virtually its entire modern device fleet — a move described by security researchers as a significant and rare departure from Apple's standard policy of requiring users to upgrade to the latest OS version to receive critical patches.

An Apple spokesperson confirmed to WIRED that the expansion was specifically intended to help devices "stay protected" without forcing a full OS upgrade. Users without automatic updates enabled can now choose between updating to the patched version of iOS 18 or jumping directly to iOS 26.

Which Devices Are Now Patched?

If your device is on the list below and you have not yet updated, do it now.

iPhone

  • iPhone XR, iPhone XS, iPhone XS Max
  • iPhone 11 (all models)
  • iPhone SE (2nd generation and 3rd generation)
  • iPhone 12, 13, 14, 15, 16 (all models)
  • iPhone 16e

iPad

  • iPad mini 5th generation (A17 Pro)
  • iPad 7th generation (A16)
  • iPad Air 3rd, 4th, and 5th generation
  • iPad Air 11-inch (M2 and M3)
  • iPad Air 13-inch (M2 and M3)
  • iPad Pro 11-inch (1st generation through M4)
  • iPad Pro 12.9-inch (3rd through 6th generation)
  • iPad Pro 13-inch (M4)

Apple also separately pushed patches for older devices that cannot run iOS 18 — specifically iOS 15.8.7, iPadOS 15.8.7, iOS 16.7.15, and iPadOS 16.7.15 — to cover some of the same vulnerabilities exploited by DarkSword and a related kit called Coruna.

Why This Matters Beyond the Patch

The DarkSword situation raises uncomfortable questions that go well beyond a single software update.

iPhone Security Was Never Impenetrable

For years, Apple's marketing has positioned the iPhone as the gold standard for consumer privacy and security. DarkSword is a stark reminder that no platform is immune. Approximately 20% of iPhone users were still running an unpatched iOS version as of the patch rollout — representing hundreds of millions of potentially vulnerable devices worldwide.

The Exploit Market Is Growing

Rocky Cole, co-founder and COO of iVerify, put it plainly: "The fact is that patching is too little too late when 0-days are involved, and the exploit market is booming." Commercial spyware vendors and exploit brokers are selling zero-day access to iOS devices for millions of dollars. DarkSword demonstrates that powerful iPhone exploits may be far more widespread than previously understood, and that they are increasingly being shared — or leaked — across multiple criminal and state-sponsored groups simultaneously.

Apple's Backporting Decision Sets a New Precedent

Traditionally, if you wanted the latest security fixes from Apple, you had to accept the latest operating system — a policy that served as both a security mechanism and a product upgrade driver. By allowing iOS 18 users to patch a critical vulnerability without upgrading to iOS 26, Apple has acknowledged that the severity of DarkSword warranted an exception. Whether this becomes standard practice for future critical vulnerabilities remains to be seen.

What You Should Do Right Now

The steps below are listed in order of priority:

  1. Update immediately. Go to Settings → General → Software Update. Install iOS 18.7.7 or iOS 26 if prompted. Do not delay.
  2. Enable Automatic Updates. Go to Settings → General → Software Update → Automatic Updates. Turn on both Download and Install iOS Updates.
  3. If you have an older device (iPhone 6s era, iPad mini 4, etc.), check for iOS 15.8.7 or iOS 16.7.15 in your Software Update settings.
  4. If you are a high-risk user — journalist, activist, government employee, legal or financial professional — consider enabling Lockdown Mode (Settings → Privacy & Security → Lockdown Mode). It significantly reduces the attack surface available to sophisticated exploit kits.
  5. Take Lock Screen alerts seriously. If you see a security notification from Apple on your Lock Screen, act on it immediately. These are not routine prompts.
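For anyone responsible for more than one device, the steps above reduce to a compliance check. The script below is an added example written for this article, not code from Apple or any of the firms cited: given an MDM-style inventory of device OS versions, it classifies each device against the fixed builds the article names (15.8.7, 16.7.15, 18.7.7, or iOS 26) and separately flags the 18.4 through 18.7 range that DarkSword targeted. The inventory is constructed sample data; treating iOS 26 as patched and iOS 17 as "unknown" (the article lists no fix for it) are assumptions.

```python
from __future__ import annotations

# Fixed builds named in the article, keyed by major version. Anything below the
# fixed build on the same branch is treated as unpatched.
FIXED_BUILDS: dict[int, tuple[int, int, int]] = {
    15: (15, 8, 7),
    16: (16, 7, 15),
    18: (18, 7, 7),
}
# The range DarkSword was observed targeting: iOS 18.4 up to, but not including, 18.7.7.
TARGET_LOW, TARGET_HIGH = (18, 4, 0), (18, 7, 7)


def parse_version(s: str) -> tuple[int, int, int]:
    """Turn '18.7' or '18.7.7' into a 3-tuple, padding missing parts with 0."""
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad iOS version string: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def in_darksword_target_range(version: str) -> bool:
    """True if the build sits in the 18.4-18.7 window the kit exploited."""
    return TARGET_LOW <= parse_version(version) < TARGET_HIGH


def patch_status(version: str) -> str:
    """Classify a device as 'patched', 'unpatched' or 'unknown' (branch not in the advisory)."""
    v = parse_version(version)
    if v[0] >= 26:          # assumption: iOS 26 ships the same fixes
        return "patched"
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "unpatched"


def triage_inventory(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group device names by patch status so unpatched ones can be chased first."""
    buckets: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for name, version in inventory:
        buckets[patch_status(version)].append(name)
    return buckets


# Constructed sample inventory (device name, reported OS version).
SAMPLE_INVENTORY = [
    ("ceo-iphone15", "18.7.7"), ("legal-ipad-air", "18.6"), ("field-iphone-xr", "18.7.5"),
    ("lab-iphone-6s", "15.8.7"), ("lab-ipad-mini4", "15.8.6"), ("exec-iphone16", "26.0.1"),
    ("old-iphone-8", "16.7.14"), ("test-ipad", "17.6.1"),
]

if __name__ == "__main__":
    for status, names in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(names) or '-'}")
```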

The Bottom Line

DarkSword is not a theoretical threat. It has been actively used in real-world espionage operations for nearly a year, it has been adopted by a Russian military intelligence affiliate, and a newer version of the kit is now freely circulating online. The window between a vulnerability being discovered and it being weaponised by mass criminal actors is shrinking.

Apple's response — however unprecedented — cannot undo nine months of exposure. What it can do is close the door going forward. But only if you actually install the update.

In the modern threat landscape, keeping your phone updated is no longer just good hygiene. It is a basic act of digital self-defence.

Sources:

Google Threat Intelligence Group (GTIG), iVerify, Lookout, Proofpoint, Malfors, Apple Security Advisories, The Hacker News, WIRED. Published April 2026.
