Apple backports DarkSword vulnerability patch to iOS 18

Apple has extended its security updates for the DarkSword vulnerability chain to iOS 18 devices. This backported patch provides critical protection for organizations relying on n-minus-one patching policies, allowing teams to secure their endpoints without forcing an immediate operating system upgrade.

Triage Security Media Team

After a brief delay, Apple has addressed the vulnerabilities associated with the DarkSword chain for all affected customers, including those who have remained on iOS 18 rather than updating to iOS 26. This release is a significant benefit for organizations managing large device fleets, particularly those enforcing n-minus-one patch management policies that require users to stay one version behind the latest release.

When researchers identify severe vulnerabilities in Apple devices, the company has historically provided updates for the latest operating system (OS) and for older devices whose hardware cannot run the new software. For example, when researchers analyzed Coruna, a sophisticated vulnerability framework comprising five distinct sequences across 23 vulnerabilities in iOS versions 13 to 17.2.1, Apple distributed updates to all affected hardware, including older models that cannot be upgraded to the current OS.

However, users whose devices are capable of upgrading to the newest OS, but who remain on an older version because of corporate mandates or personal preference, typically fall outside this support window. For instance, many users have stayed on iOS 18 rather than adopting iOS 26 (consecutive major versions in this release cycle). When Apple initially addressed the DarkSword sequence in iOS 26 last year, and on March 24 pushed a fix for older devices stuck on pre-iOS 18 versions, iOS 18 users faced a difficult choice: perform a full OS upgrade or accept the known security risk.

This posture shifted after the DarkSword methodology was published to GitHub on March 22. With the tooling publicly accessible to unauthorized parties, Apple extended the security update to iOS 18 devices on April 1, providing a necessary safeguard for these remaining users.

Justin Albrecht, principal researcher at Lookout, views the update as a positive shift for user protection. "Apple has taken multiple unprecedented steps on iOS to counter DarkSword and Coruna, to include the backported patches, alert notifications to susceptible devices and published threat guidance on Web-based [incidents]," Albrecht notes. He emphasizes that Apple's serious response should encourage organizations to prioritize applying these updates.

The technical impact of DarkSword

Initial discussions of DarkSword were somewhat eclipsed by the public disclosure of the Coruna framework earlier the same month.

Coruna is a highly capable tool utilized by advanced threat actors, with evidence suggesting origins as a military contractor project. Rocky Cole, co-founder of iVerify, explains that the framework could establish command-and-control (C2) over SMS. A minor modification could allow it to harvest contacts and distribute messages containing malicious links, effectively creating self-propagating software. Cole identifies this as one of the most severe endpoint risks observed on the platform, prompting Apple's rapid mitigation.

DarkSword was disclosed two weeks after Coruna. While initially viewed as a secondary issue, Cole points out that its methodology is technically stealthier.

"In some ways it's more pernicious, because it didn't root the device," Cole explains. "Coruna rooted. So presumably, if you were doing root detection, you stood a chance of maybe seeing Coruna. But DarkSword doesn't root, it just inherits the privileges of the processes. It gets just enough privilege escalation to access processors that too have Ring 0 access. So in that regard, I think it's actually much harder to detect."

Cole notes that the high adoption rate of iOS 18 compared to iOS 17 (the latest version affected by Coruna), combined with the public availability of the code on GitHub prior to a backported patch, created a significant exposure window that required immediate remediation.

Prior to the leak, operators of surveillance software were already utilizing DarkSword. Following its publication, Lookout's Albrecht observed several active campaigns. "We’ve observed a handful of campaigns being conducted with the malware, to include [an] email phishing campaign conducted by TA446 which spoofed the Atlantic Council. The other campaigns observed appear to be unattributed criminal campaigns which we have been unable to link to a specific group, as well as multiple instances of apparent testing of the malware for unknown purposes."

Managing ongoing endpoint risk

For enterprise security teams, the timeline of the DarkSword updates highlights ongoing challenges in vulnerability management. Cole notes the gap between the public exposure of the vulnerabilities on GitHub and the availability of a comprehensive patch across operating systems.

He emphasizes that corporate policies force many users to remain on older OS versions, making comprehensive backporting essential for defense. "Let's say you are a business user and your IT department says you have to use what's called an n-minus-one patching cadence, which means you can only use a version that's one version behind, what are you supposed to do in that situation?" Cole asks. "If the patches aren't being backported to all versions, how are you supposed to defend yourself? To me, this just fundamentally challenges the notion that a patching-only strategy is going to be good enough going forward."

Currently, administrators and users who apply the available Apple device updates will mitigate the risks associated with both DarkSword and Coruna. However, the broader trend requires ongoing vigilance. "What I think DarkSword and Coruna together show is that the market for n-day iOS [vulnerability frameworks] is exploding," Cole warns, noting that the cost to acquire these capabilities has fallen rapidly. While these specific sequences are now mitigated, organizations must remain prepared for similar future methodologies.

About the author

Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries," a popular cybersecurity podcast, and co-created the former Top 20 tech podcast "Malicious Life." Before his current work, he was a reporter at Threatpost.