Apple has begun rolling out un key security patch in iOS 18.7.7 and iPadOS 18.7.7 to stop DarkSwordA suite of attack tools that exploits system vulnerabilities to take control of iPhones and iPads simply by loading a webpage. The company is thus expanding coverage to millions of devices still running vulnerable versions of iOS 18, including many in Europe and Spain.
The move comes after The DarkSword code was leaked publicly on the InternetThis has sparked concern among researchers and manufacturers. What began as a campaign targeting certain countries has become a potential risk for any user who keeps their mobile phone or tablet from being updated.
What is DarkSword and why is it so sensitive?
DarkSword is a exploit kit targeting iPhone and iPad that chains several Zero-day vulnerabilities in iOS 18.4 to iOS 18.7Unlike other more classic attacks, it does not require installing strange applications or clicking on multiple windows: simply visiting a website that hosts the malicious code is enough.
The attacks use a technique known as watering holeAttackers infect pages they've created or previously compromised legitimate sites, so the browser itself becomes the entry point. The user only sees the page load, but the entire exploit chain may be running in the background.
Once the intrusion is successful, DarkSword is capable of extracting a considerable volume of private informationAmong the data mentioned by the investigations are messages, browsing history, device location, and even credentials and content linked to cryptocurrency applications and financial services.
This rapid "hit and run" approach, in which the system is compromised, data is exfiltrated in seconds, and then traces are removed, This complicates detection and forensic analysis on affected devices.The user may not notice anything unusual in their day-to-day life, even though their information has already left the device.
According to various technical sources, DarkSword shares an actor and approach with other exploit chains such as Coruna, targeting earlier versions of iOS (13 to 17.2.1). In both cases, the attack starts with vulnerabilities in WebKit, Apple's browser engine, and from there escalates to the rest of the system.
How DarkSword exploits vulnerable versions of iOS 18
The published analyses suggest that DarkSword exploits up to half a dozen serious vulnerabilities in iOS 18.4, 18.5, 18.6 and 18.7The first step is usually an exploit in the browser that allows arbitrary code to be executed when a compromised page is loaded.
From that point on, the chain of attack privilege escalation within the operating system This allows an attacker to access processes and data that would normally be isolated. In this way, the attacker can read private content, access internal application databases, or extract configuration files.
The stolen data is automatically sent to servers controlled by the operators of DarkSwordThe information package can include everything from personal conversations to location patterns, which is especially sensitive if the device is used for work, online banking, or authentication in business services.
In the realm of cryptocurrencies, the potential impact is even greater: many wallet apps, exchanges, and key managers They are used directly from the iPhone or iPadIf an attacker manages to extract seed phrases, private keys, or session tokens, the next step may be emptying accounts and wallets.
The leak of the exploit in public repositories like GitHub has changed the scenario. We are no longer just talking about highly sophisticated groups with their own resources.but from any actor who is able to download the code, minimally adapt it and test it against devices that are still on older versions of iOS 18.
What Apple has done: the role of iOS 18.7.7 and iPadOS 18.7.7
Apple had been making moves against Coruna and DarkSword for some time in different branches of its operating system. To cover older computers, it released, for example, iOS 15.8.7 and iPadOS 15.8.7 (for iPhone 6s, iPhone 7, first-generation iPhone SE, iPad Air 2, iPad mini 4, and seventh-generation iPod touch) and iOS 16.7.15 and iPadOS 16.7.15 (for iPhone 8, 8 Plus, X and certain iPad Pro and fifth-generation iPads).
In the iOS 18 branch, Patch 18.7.7 was initially released for models that could not run iOS 26such as the iPhone XS, XS Max, XR, or the seventh-generation iPad. These devices were thus protected against DarkSword despite not being able to upgrade to the latest version of the system.
The problem is that A large group of users remained in limboThose who owned mobile phones and tablets capable of updating to iOS 26, but had chosen not to. Among the reasons given were a rejection of aesthetic changes such as the "liquid crystal" interface or simply the habit of postponing major updates.
Following the release of DarkSword online, Apple confirmed to specialized media outlets such as Wired that This would expand the availability of a patched version of iOS 18 to more devices.. This revision incorporates into iOS 18 the same protections that were already present in iOS 26 against the exploit.
In practice, users who do not have automatic updates enabled will encounter two paths: Install the new, fixed version of iOS 18 or upgrade to iOS 26, which integrates an additional layer of security enhancements and system hardening.
Devices covered and scope of the update
According to Apple's support documentation, iOS 18.7.7 and iPadOS 18.7.7 They have been progressively enabled for a long list of iPhone and iPad models, many of them still very present in the European market.
Among the phones, the update includes iPhone XR, iPhone XS, iPhone XS Max, the various iPhone 11 models, iPhone 12, iPhone 13, iPhone 14, iPhone 15, iPhone 16 and iPhone 16eas well as the second and third generation iPhone SE. That is, a large part of the stock of devices still active in Spain and other countries of the European Union.
On the tablet side, the list includes Fifth-generation iPad mini with A17 Pro chip, seventh-generation iPad with A16, various generations of iPad Air (from the third to the fifth and the new 11- and 13-inch models with M2 and M3)as well as the 11-inch iPad Pro from the first generation through the M4 and the more recent 12,9-inch and 13-inch iPad Pro.
Apple emphasizes that The update is considered a critical security fix and is recommended for all users.The company also notes that the first patches related to DarkSword were sent back in 2025, but that it was necessary to expand the scope due to the release of the exploit kit.
In Europe, the distribution of iOS 18.7.7 is being carried out in stages, but Most users should see it available in Settings > General > Software Update within a few hours since its release. It's advisable to check manually, especially if automatic installation is disabled.
Global impact of DarkSword and risk to users in Europe
Before the kit was publicly leaked, DarkSword campaigns had been identified in countries such as China, Malaysia, Türkiye, Saudi Arabia, and Ukraine.The targets appeared to be highly selective, in some cases linked to sensitive geopolitical contexts.
However, when the code for a tool of this type ends up on the Internet, Borders cease to be a real obstacleAny actor with economic or political motivations may attempt to reuse the exploit, adapt it, and launch it against victims in other markets, including the European Union.
For users in Spain and the rest of Europe, this means that Not being on the initial list of attacked countries is no lifelineIf you frequently browse third-party websites, use financial services from your mobile phone, or manage cryptocurrencies, the risk increases if the device remains unpatched.
The crypto sector, in particular, has closely followed this case because of DarkSword It explicitly targets wallet applications and other services linked to digital assets.A lapse in an update can result in direct financial losses if an attacker gains access to authentication keys or tokens.
In addition, the theft of messages, browsing histories, and location data. It opens the door to blackmail campaigns, targeted fraud, or identity theft.You don't need to be a public figure to attract the attention of groups that make a living by exploiting personal information on a massive scale.
Isolation Mode, safety habits and practical recommendations
Along with the patch, Apple has once again focused on the Lockdown Mode, an optional feature designed for people who may be targeted by advanced threats: journalists, activists, public officials or profiles with high strategic value.
This mode drastically hardens the system's behavior: It limits certain types of content in messages, reduces the browser's attack surface, and blocks features that could be exploited.The company claims to have no record of successful intrusions with spyware government-issued devices that had Isolation Mode enabled.
For the average user, it may not be necessary to live permanently at that level of restriction, but It can be a reasonable option for sensitive travel, sensitive work environments, or for people who suspect a specific risk.Isolation Mode is available from iOS 16, iPadOS 16, watchOS 10 and macOS Ventura, with additional protections from iOS 17 and equivalent.
Beyond that extra layer, the basic security guidelines still apply: Keep your system and applications up to date, be wary of suspicious links, avoid websites of dubious origin, and review the permissions granted to each app.With DarkSword, the immediate priority is to ensure that no iPhone or iPad is left behind in terms of patches.
In the specific case of Europe and Spain, where mobile phones are already the main tool for banking, shopping and communications, postponing a critical update for aesthetic or habitual reasons It can be expensive. Even if the device isn't used for cryptocurrencies, the amount of data it handles is enough to make it a tempting target.
In the end, the rollout of iOS 18.7.7 and iPadOS 18.7.7 shows how A public leak like the one from DarkSword can force an acceleration of security timelines. from a manufacturer. Apple has chosen to extend protection even to those who had decided to stay on iOS 18, importing defenses that were already present in iOS 26. For iPhone and iPad users in Spain and the rest of Europe, the message is clear: check your system version, install the patch without delay, and, for more sensitive users, seriously consider using Isolation Mode and good security practices on a daily basis.
