
Apple Breaks Precedent, Patches DarkSword for iOS 18

Dark Reading, archived Apr 03, 2026

Even organizations with users unwilling or unable to adopt iOS 26 can now protect themselves from a severe mobile OS-cracking tool.



Nate Nelson, Contributing Writer
April 3, 2026

After some delay, Apple has patched the vulnerabilities associated with the DarkSword exploit chain for all affected customers, even those who aren't updated to iOS 26 — a boon for organizations trying to get users updated to a new version all at once, and for those with patch management policies that preclude such updates.

When sufficiently serious vulnerabilities are unearthed in Apple devices, Apple is generous enough to offer patches both to users running its latest operating system (OS) and to users whose devices are too old to run that new OS, as applicable. Last year, for instance, when researchers uncovered a US government-grade exploit kit called Coruna — with five different exploit chains spanning 23 vulnerabilities in iOS versions 13 to 17.2.1 — Apple went back and distributed a patch to all those affected, including those whose phones were un-updatable.

Typically, though, there has been one group left out of the patch party: customers whose devices are capable of upgrading to the newest OS, but who either choose or are forced not to. For example, many iPhone users have resisted upgrading from iOS 18 to iOS 26 (which, despite the numbers, happen to be consecutive versions), because of the user experience (UX) changes. Others have work phones that are mandated to be one update behind the patch cycle.

This collective group has been left out in the cold both when Apple initially fixed the DarkSword exploit chain in iOS 26 last year, and when it pushed a fix to pre-iOS 18 devices that couldn't update to iOS 26 on March 24. The iOS 18 aficionados could choose to upgrade, or stick with what they prefer and sacrifice their security.

That stance lasted only about a week, though. DarkSword leaked to GitHub on March 22, as Dark Reading reported, and with the whole cybercriminal world privy to such a powerful hacking tool, Apple relented, extending the fix to those stubborn or unlucky iOS 18 users on April 1.

Justin Albrecht, principal researcher at Lookout, praises the move. In fact, he adds, "Apple has taken multiple unprecedented steps on iOS to counter DarkSword and Coruna, to include the backported patches, alert notifications to susceptible devices and published threat guidance on Web-based attacks. This speaks to the level of threat that malware like DarkSword poses, and if Apple is taking this so seriously then users should as well."

DarkSword's Severity Forced Apple's Hand

In some ways, the severity of the DarkSword problem was overshadowed by the Coruna kit having been publicly disclosed earlier the same month.

Coruna is devastating, utilized by dangerous threat actors, and evidence suggested that it had originally been developed by a US military contractor. "It could do command-and-control (C2) over SMS, so all you have to do is make one modification to take contacts from the contacts list and blast out text messages with links, and you've got yourself wormable malware," explains iVerify co-founder Rocky Cole. "So I think that's why they moved so quickly [to patch]. It was the closest thing to a catastrophic endpoint attack Apple has really ever seen on an iPhone."

DarkSword was revealed to the public two weeks after Coruna, and by that point it was largely reported as an extension of the Coruna story. In Cole's view, though, DarkSword never should have been second fiddle.

"In some ways it's more pernicious, because it didn't root the device," Cole explains. "Coruna rooted. So presumably, if you were doing root detection, you stood a chance of maybe seeing Coruna. But DarkSword doesn't root, it just inherits the privileges of the processes. It gets just enough privilege escalation to access processors that too have Ring 0 access. So in that regard, I think it's actually much harder to detect."

He adds: "The fact that a significantly greater number of people were using iOS 18 than iOS 17 [the latest version impacted by Coruna], combined with the fact that it was published on GitHub while there weren't backported patches available — to me that's a crisis, and I would have expected faster action."

DarkSword was already being passed around by surveillance-ware customers, but especially since it leaked online, Lookout's Albrecht reports, "We’ve observed a handful of campaigns being conducted with the malware, to include [an] email phishing campaign conducted by TA446 which spoofed the Atlantic Council. The other campaigns observed appear to be unattributed criminal campaigns which we have been unable to link to a specific group, as well as multiple instances of apparent testing of the malware for unknown purposes."

The Cyber Risk Story Is Over (For Now)

Cole views Apple's handling of the DarkSword updates as a risk for enterprises. "There was a pretty significant gap there between when these vulnerabilities were exposed to the open Internet and put on GitHub, and when there was a patch issued," he says.

He's also quick to point out that, while many iPhone users choose not to upgrade their OS due to personal preferences, a lot of people have to stay behind because of corporate policies. For them, Apple's resistance to patching all devices everywhere is an inescapable burden.

"Let's say you are a business user and your IT department says you have to use what's called an n-minus-one patching cadence, which means you can only use a version that's one version behind — what are you supposed to do in that situation?" he says. "If the patches aren't being backported to all versions, how are you supposed to defend yourself? To me, this just fundamentally challenges the notion that a patching-only strategy is going to be good enough going forward," he argues.

At this point, all users willing to and capable of updating their Apple devices will be clear of both DarkSword and Coruna, but the next thing is surely percolating out there, somewhere.

"What I think DarkSword and Coruna together show is that the market for n-day iOS exploit kits is exploding," Cole warns. "The price has really rapidly fallen, and though DarkSword and Coruna are now fully patched, it does raise the question of how many more of these kits are out there and what's going to be next."

About the Author

Nate Nelson, Contributing Writer. Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.