Apple has put into circulation a critical security patch in iOS 18.7.7 and iPadOS 18.7.7 To contain DarkSword, an exploit chain capable of compromising iPhones and iPads simply by loading a manipulated webpage. The update primarily targets the millions of devices still running vulnerable versions of iOS 18, including many in Spain and the rest of Europe, either because they cannot or have chosen not to upgrade to iOS 26.
This is how the company reacts to The public leak of the DarkSword attack kit on the InternetThis move has set off alarm bells in the cybersecurity community. What began as targeted campaigns in specific countries has become a much broader threat, exploitable by any actor who finds an outdated iPhone or iPad lacking this new patch.
What is DarkSword and what can it do on an iPhone or iPad?
DarkSword is a A set of exploitation tools specifically designed against iOS 18.4, 18.5, 18.6, and 18.7It doesn't work like the typical scam that forces the user to install a strange app or accept several strange notices: in this case, simply visiting a website that hosts the malicious code is enough to start the attack chain.
DarkSword operators primarily use watering hole attacksThis technique involves injecting the exploit into websites created by the attackers themselves or into legitimate pages that have been previously compromised. From the user's perspective, the experience is the same as always: the page loads, the content appears, and meanwhile, the entire intrusion process may be running in the background.
Once the operation is successful, DarkSword is capable of extracting a very large set of private dataThe information mentioned in the investigations includes messages, browsing histories, geolocation data, and credentials associated with financial services and cryptocurrency apps, opening the door to fraud of all kinds.
The approach is quick and discreet: The spyware enters, collects data, and sends it to servers controlled by the attackers. in a matter of seconds, and then try to erase all traces. In many cases, the user doesn't notice anything out of the ordinary, even though their information has already left the phone or tablet and is being transferred to a remote infrastructure.
Specialized firms have indicated that DarkSword It shares an approach with previous exploit chains, such as Coruna, geared towards even older versions of iOS. In all cases, the starting point is once again WebKit, Apple's browser engine, which serves as the gateway to the rest of the operating system.
How DarkSword exploits iOS 18 vulnerabilities
The published analyses agree that DarkSword takes advantage of several zero-day vulnerabilities present in iOS 18.4 to 18.7The first phase of the attack involves executing code in the browser when the victim opens an infected web page, without them having to download anything or click on suspicious buttons.
From there, the chain links together different failures to escalate privileges within the system and access normally protected areasThis escalation is what allows us to jump from a simple browser failure to gaining access to application data, internal databases, and configuration files that, under normal conditions, would be isolated.
The extracted information is packaged and sent to servers under the control of the DarkSword operatorsThis data package can include everything from personal conversations to location patterns, which is especially sensitive when the device is used for remote work, online banking, or authentication in business services.
In the field of crypto assets, the impact may be even greater, because Most wallet apps, exchanges, and key managers are used directly from the iPhone or iPad.If an attacker manages to obtain seed phrases, private keys, or session tokens, the next logical step is to try to empty accounts or move funds without the owner's permission.
The publication of the exploit kit in public repositories has completely changed the landscape. We are no longer just talking about a few highly sophisticated groups with their own toolsbut rather any actor with a certain level of technical skill who is able to download the code, minimally adapt it, and test it against devices that are still running vulnerable versions of iOS 18.
The role of iOS 18.7.7 and iPadOS 18.7.7: a patch against the clock
Apple had been deploying defenses against chains like Coruna and DarkSword for months across different branches of its ecosystem. To cover older models, it launched, for example, iOS 15.8.7 and iPadOS 15.8.7, as well as iOS 16.7.15 and iPadOS 16.7.15, aimed at terminals that can no longer aspire to jump to the latest versions, but are still in use.
In line with iOS 18, The first wave of iOS 18.7.7 and iPadOS 18.7.7 arrived on devices that could not run iOS 26such as the iPhone XS, XS Max, XR, or the seventh-generation iPad. With this move, the company protected these devices from DarkSword without forcing an operating system upgrade.
The problem was that A very large group of users remained in no man's landThose who had phones and tablets fully compatible with iOS 26, but had chosen to remain on iOS 18 due to personal preference. Among the reasons frequently cited were a rejection of aesthetic changes such as the new "liquid crystal" interface or simply the habit of postponing major updates.
Following the proliferation of DarkSword on the internet and increased pressure from the security community, Apple confirmed to specialized media that I would backport the iOS 26 fixes to iOS 18In other words, it would bring the same protections already present in the most modern version of the system to the older branch.
In practice, this means that users who are still on iOS 18 A new security update appears, identified as 18.7.7, along with the option of migrate directly to iOS 26Apple insists that the most complete security is achieved with the current version, but offers the patched alternative for those who don't yet want to take that step.
Which devices are covered and how does this affect Spain and Europe?
The company's support documentation details that iOS 18.7.7 and iPadOS 18.7.7 are being rolled out gradually to a long list of models, many of them especially popular in the European market.
Among the phones, the update arrives at iPhone XR, iPhone XS, iPhone XS Max, all iPhone ranges: 11, 12, 13, 14, 15 and 16This also includes the second and third generation iPhone SE. In practice, this covers a large portion of the active iPhone SE in Spain, where many users extend the lifespan of their devices for several years.
In the tablet market, the patch is distributed to multiple generations of iPad, iPad Air, iPad mini and iPad ProFrom models with A16 and A17 Pro chips to versions with M2, M3, and M4 processors. These are precisely the devices that are usually used in professional and educational environments, where exposure to third-party websites is constant.
Apple points out that This is a critical security update recommended for all usersAlso remember that some of the DarkSword-related fixes had already been incorporated into iOS 26, but the release of the kit required extending the protection to those still on the 18 branch.
In Europe, and particularly in Spain, distribution is carried out in stages, although Most users should see the patch available in Settings > General > Software Update very soon.It's advisable to check manually, especially if automatic updates are disabled or restricted to Wi-Fi only.
Where have DarkSword attacks been seen and what risk does this pose to Europe?
Before the code was made public, DarkSword campaigns had been documented against users in China, Malaysia, Türkiye, Saudi Arabia, and UkraineIn those cases, the operations were quite targeted, some linked to geopolitical contexts and high-level surveillance activities.
The publication of the kit on the Internet has changed the map. When a tool of this type becomes accessible to anyone with sufficient knowledgeIt ceases to be a resource reserved for a handful of advanced groups and becomes another option for cybercriminals with economic or political motivations.
For users in Spain and the rest of the European Union, that means that It is not enough to simply not appear on the initial list of attacked countriesWeb traffic knows no borders, and an opportunistic campaign that recycles the exploit can target any region where there are enough unpatched devices to make the effort worthwhile.
The cryptocurrency sector has followed this case with particular attention because DarkSword explicitly targets data and applications linked to digital assetsA lapse in attention during an update can lead to unauthorized access to wallets, exchanges, or financial services if the attacker manages to obtain the appropriate keys or tokens.
Beyond the money, there's the theft of messages, browsing histories, and location data. It opens the door to blackmail, targeted fraud, and identity theft.You don't need to be a public figure to attract attention: it's enough that the data can be translated into economic benefit or strategic advantage for whoever exploits it.
Isolation Mode, best practices and what users should do
Along with the patch rollout, Apple has once again focused on the Lockdown Mode, an optional feature aimed at people who may be targeted by particularly sophisticated threats, such as journalists, activists, public officials or executives with sensitive information.
When activated, this mode It drastically hardens the behavior of the systemIt limits certain types of content in messaging apps, reduces the browser's attack surface, and blocks features that, under normal circumstances, could be exploited by advanced vulnerabilities. The company states that, to date, it has no record of successful intrusions with government spyware on devices with this option enabled.
For the average user, living with these restrictions all the time might seem excessive, but It might be a good idea to activate it in specific situations., such as trips to high-risk countries, sensitive work projects, or when there is a suspicion of being targeted by some type of digital surveillance.
Apart from this extra layer, the basic recommendations remain the same as always: keep the system and applications up to dateReview the permissions granted to each app, be wary of links and websites of dubious origin, and avoid installing software from outside official channels. With DarkSword now in circulation, the immediate priority is ensuring that no iPhone or iPad misses out on the iOS 18.7.7 bug fixes or, if applicable, the iOS 26 update.
In a context like Spain, where mobile phones have become the main tool for banking, online shopping, and communications, Delaying a critical update for aesthetic or habitual reasons can be costlyAlthough the device is not used to handle cryptocurrencies, the amount of personal and professional data it stores is enough to make it an attractive target.
In the end, the arrival of iOS 18.7.7 and iPadOS 18.7.7 shows how A public leak like the one for DarkSword can accelerate a manufacturer's security timelines.Apple has chosen to extend its defenses even to those who had decided to stay on iOS 18, importing protection mechanisms already present in iOS 26. For iPhone and iPad users in Spain and the rest of Europe, the message is clear: check which version of the system you have installed, apply the patch without delay, and, for those with more vulnerable profiles, seriously consider using Isolation Mode and adopting stricter security practices on a daily basis.
