Apple releases security update for older iPhones and iPads to counter DarkSword exploit

Apple releases security patches for older iPhones and iPads to counter the DarkSword exploit, a sophisticated toolkit used in targeted attacks across Malaysia, Saudi Arabia, Turkey, Ukraine, and China. The update marks a strategic shift, addressing zero-day vulnerabilities in iOS 18.7.7 to protect users from advanced threats.

The DarkSword Exploit: A Sophisticated Threat

Apple issued critical security updates for older iPhones and iPads running iOS 18.7.7 and iPadOS 18.7.7 to address the DarkSword exploit, a sophisticated hacking toolkit capable of extracting sensitive data from compromised devices. The update resolves vulnerabilities exploited by DarkSword, which has been used in targeted attacks in Malaysia, Saudi Arabia, Turkey, Ukraine, and China. Apple’s decision to apply these patches to older devices, despite their incompatibility with the latest iOS version, represents a notable shift in its security patching strategy. This follows similar actions earlier this month to address the Coruna exploit, highlighting the escalating threat from advanced malware targeting iOS users.

Technical Breakdown of the Exploit

The DarkSword exploit, first identified by Lookout Threat Labs in late 2025, is a full-chain iOS exploit leveraging six zero-day vulnerabilities to enable remote code execution (RCE) and privilege escalation on devices running iOS 18.4 to 18.6.2. According to Google Threat Intelligence Group (GTIG), the exploit chain has been adopted by multiple threat groups, including commercial surveillance vendors and state-sponsored actors. The toolkit’s availability on GitHub has increased its accessibility, enabling financially motivated hackers to deploy it against unsuspecting users.

DarkSword operates as a JavaScript-based exploit chain that exploits multiple iOS vulnerabilities to execute malicious code and exfiltrate sensitive data. The exploit chain includes several critical zero-day vulnerabilities, including CVE-2025-31277 (JavaScriptCore memory corruption) and CVE-2025-43529 (JavaScriptCore garbage collection bug), which were patched in iOS 18.6 and iOS 18.7.3. The exploit also utilizes CVE-2025-14174 (ANGLE) to escape sandboxed environments and CVE-2025-43510 (XNU memory management) to escalate privileges to the kernel. Once compromised, attackers can access data such as messages, browser histories, location data, and cryptocurrency wallets, which are exfiltrated via command-and-control (C2) servers.

Exploit Design and Detection Challenges

The exploit’s design allows attackers to maintain a low dwell time, reducing the risk of detection. After data extraction, the malware cleans up its traces, leaving minimal evidence of the breach. This makes DarkSword particularly dangerous, as it can be used in both targeted espionage campaigns and large-scale financial attacks. Apple’s Lockdown Mode is said to defend against DarkSword attacks, though the company stated it is unaware of successful government spyware attacks on devices using this feature.

Threat Actor Activity and Indicators

The use of DarkSword has been linked to several threat actors, each employing the exploit for different purposes. According to GTIG, the exploit has been used in campaigns targeting Saudi Arabia, Turkey, Malaysia, and Ukraine since November 2025. Specific network indicators of compromise (IOCs) include domains like static.cdncounter[.]net and sqwas.shapelie[.]com, which have been associated with malicious infrastructure used in attacks. These domains hosted iframes delivering the exploit, often through compromised websites.

Detection and Mitigation Strategies

YARA rules and indicators of compromise (IOCs) are provided for detection, including network and file artifacts. For example, malicious files such as rce_loader.js, pe_main.js, and sbx0_main_18.4.js have been identified as part of the exploit chain. These artifacts are critical for security teams to detect and mitigate DarkSword-related attacks. The exploit’s accessibility via GitHub and phishing campaigns has raised concerns, as it allows attackers to target users with older iOS versions.
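
The domain and file-name indicators named in this article can be matched against web proxy logs. The following is an added example, not code from Apple, GTIG, Lookout or this article; the `timestamp client url` log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Indicators as the article lists them (domains are defanged there).
DEFANGED_DOMAINS = ["static.cdncounter[.]net", "sqwas.shapelie[.]com"]
CHAIN_FILENAMES = {"rce_loader.js", "pe_main.js", "sbx0_main_18.4.js"}


def refang(indicator):
    """Convert a defanged domain (example[.]com) to the form seen in logs."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()


IOC_DOMAINS = sorted(refang(d) for d in DEFANGED_DOMAINS)


def match_url(url):
    """Return the reasons a requested URL matches the listed indicators."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
    except ValueError:
        return []  # unparsable URL field
    # Exact host or a true subdomain only; a look-alike suffix must not match.
    reasons = ["domain:" + d for d in IOC_DOMAINS
               if host == d or host.endswith("." + d)]
    name = posixpath.basename(parts.path).lower()
    if name in CHAIN_FILENAMES:
        reasons.append("file:" + name)
    return reasons


def scan(log_lines):
    """Return (client, reasons) per hit; assumes 'timestamp client url' lines."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and match_url(fields[2]):
            hits.append((fields[1], match_url(fields[2])))
    return hits


# Constructed proxy log lines (not real telemetry). Hosts are built from the
# defanged list so that no live indicator URL is written out here.
BAD = refang(DEFANGED_DOMAINS[0])
SAMPLE_LOG = [
    "2026-01-10T08:01:02Z 10.0.0.5 https://news.example/index.html",
    f"2026-01-10T08:01:03Z 10.0.0.5 https://{BAD}/w/rce_loader.js?v=2",
    f"2026-01-10T08:02:10Z 10.0.0.9 https://{BAD.upper()}./frame.html",
    f"2026-01-10T08:03:00Z 10.0.0.7 https://{BAD}.example/a.js",
    "2026-01-10T08:04:00Z 10.0.0.8 https://cdn.example/js/pe_main.js",
    "truncated-line",
]
```

A hit on file name alone (the last sample match) is weaker evidence than a domain hit, since file names are trivially changed and can collide with unrelated scripts; treat it as a lead to triage rather than a confirmed detection.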

Apple’s Security Strategy and User Considerations

Apple’s decision to backport security patches for iOS 18 users reflects a growing recognition of the risks posed by advanced exploits like DarkSword. The company’s latest update, iOS 18.7.7, enables users who cannot upgrade to the latest iOS version to receive critical fixes without abandoning their current operating system. This is particularly relevant for users who resist upgrading due to disliked features like the ‘liquid glass’ interface or compatibility issues with custom apps. Apple also noted that users with auto-update enabled will receive the patch automatically, ensuring broader coverage.

Balancing Security and User Experience

Critics argue that Apple’s delay in backporting fixes for iOS 18 left users vulnerable for weeks, despite the growing threat. This delay highlights a long-standing debate about the balance between security and user experience. While Apple has historically avoided backporting patches to newer iOS versions, the widespread use of DarkSword and Coruna has forced the company to adopt a more proactive stance. Analysts warn that forcing users to upgrade to the latest iOS version risks leaving many unprotected, emphasizing the need for broader security strategies beyond software updates.

Broader Implications for Mobile Cybersecurity

The proliferation of exploits like DarkSword underscores the evolving landscape of mobile cybersecurity. As sophisticated malware becomes more accessible, the risk to users of older devices increases, particularly those running outdated operating systems. Apple’s response—while commendable—highlights the limitations of relying solely on software updates to mitigate threats. Users must also adopt additional security measures, such as enabling Lock Screen, using Safe Browsing features, and avoiding phishing campaigns.

For organizations, the DarkSword incident serves as a reminder of the importance of rapid OS updates and robust threat detection systems. The exploit’s use by both commercial and state-sponsored actors demonstrates the potential for advanced malware to be weaponized for financial and espionage purposes. As Google’s GTIG notes, the widespread adoption of DarkSword reflects a secondary market for advanced exploits, enabling a diverse range of actors to deploy sophisticated attacks. In this context, collaboration between tech companies, governments, and cybersecurity firms will be critical to mitigating the risks posed by such threats.

SMI Tech Desk
SMI Tech Desk is the technology editorial team at SoMuchInfo, focused on artificial intelligence, startups, and global innovation trends. The team analyzes developments from leading companies, research labs, and emerging technologies, combining verified sources with AI-assisted tools and editorial validation. Content is curated from verified sources and enhanced using AI-assisted workflows, with human editorial review.
