Apple Extends DarkSword Patches to iOS 18 Users in Rare Policy Reversal

April 10, 2026 21:40

A Rare Departure From Apple's Established Patch Policy

Apple has taken the unusual step of backporting patches for the DarkSword exploit chain to devices still running iOS 18, a version that users could upgrade from but that many have chosen, or been compelled, to stay on. The fix was pushed on April 1, roughly a week after the company had already patched iOS 26 and devices incapable of running that newer OS.

Historically, Apple has been willing to issue security updates to users whose hardware cannot support its latest operating system. Last year, for example, when researchers exposed a US government-grade exploit kit called Coruna — comprising five separate exploit chains covering 23 vulnerabilities across iOS versions 13 through 17.2.1 — Apple distributed patches to every affected device, including those that could not be updated any further. What Apple had consistently declined to do, however, was patch users who could upgrade but simply hadn't.

That long-standing posture changed with DarkSword, and the catalyst was clear: the exploit chain leaked publicly to GitHub on March 22, as Dark Reading reported, immediately broadening access to a powerful and sophisticated attack tool across the entire cybercriminal landscape.

Why DarkSword Changed the Calculus

DarkSword entered the public conversation roughly two weeks after Coruna was disclosed, and for many observers it was treated as a follow-on story rather than a headline of its own. Rocky Cole, co-founder of iVerify, argues that framing did the threat a disservice.

"In some ways it's more pernicious, because it didn't root the device. Coruna rooted. So presumably, if you were doing root detection, you stood a chance of maybe seeing Coruna. But DarkSword doesn't root, it just inherits the privileges of the processes. It gets just enough privilege escalation to access processors that too have Ring 0 access. So in that regard, I think it's actually much harder to detect."

Cole further noted the scale of the exposure: a significantly greater number of users were running iOS 18 than iOS 17, the latest version affected by Coruna. Combined with the fact that DarkSword appeared on GitHub before any backported patches existed, he described the situation plainly: "To me that's a crisis, and I would have expected faster action."

Active Exploitation Already Observed

DarkSword had already been circulating among surveillance-ware customers before its GitHub leak. Justin Albrecht, principal researcher at Lookout, reports that since it became publicly available, the security firm has observed active campaigns leveraging the malware.

According to Albrecht, those campaigns include:

Albrecht praised Apple's decision to extend the patch broadly, noting that the company has taken what he described as multiple unprecedented steps to counter both DarkSword and Coruna. Those measures include backported patches, alert notifications pushed to susceptible devices, and published threat guidance on web-based attacks. "This speaks to the level of threat that malware like DarkSword poses," he said, "and if Apple is taking this so seriously then users should as well."

Coruna Provides Useful Context

To understand the significance of DarkSword, it helps to revisit Coruna. That exploit kit — evidence suggested it was originally developed by a US military contractor — was described by Cole as the closest thing to a catastrophic endpoint attack Apple has ever faced on iPhone. Among its capabilities was command-and-control over SMS.

"It could do command-and-control (C2) over SMS, so all you have to do is make one modification to take contacts from the contacts list and blast out text messages with links, and you've got yourself wormable malware. So I think that's why they moved so quickly [to patch]."

DarkSword was disclosed publicly two weeks after Coruna. While both tools are now fully patched across all affected Apple devices, the timeline between public exposure and available fix left a meaningful window of risk — particularly for the large population of iOS 18 users.

Corporate Patch Policies Left Businesses Exposed

Cole emphasizes that the gap between vulnerability disclosure and patch availability isn't just an individual user problem. Many enterprise employees operate under formal patch management policies, such as an n-minus-one patching cadence, which requires them to run one version behind the current OS release. For those workers, Apple's initial reluctance to backport the DarkSword fix created a predicament with no clean solution.

"Let's say you are a business user and your IT department says you have to use what's called an n-minus-one patching cadence, which means you can only use a version that's one version behind — what are you supposed to do in that situation?" Cole said. "If the patches aren't being backported to all versions, how are you supposed to defend yourself?"

He argues the episode exposes a deeper structural problem: "To me, this just fundamentally challenges the notion that a patching-only strategy is going to be good enough going forward."

A Growing Market for iOS Exploit Kits

With DarkSword and Coruna now both remediated across Apple's device ecosystem, the immediate risk has passed — but Cole sees the two incidents as a signal of something larger brewing in the threat landscape.

"What I think DarkSword and Coruna together show is that the market for n-day iOS exploit kits is exploding," he warned. "The price has really rapidly fallen, and though DarkSword and Coruna are now fully patched, it does raise the question of how many more of these kits are out there and what's going to be next."

The full patch coverage Apple has now provided means that any user willing and able to update their Apple device is protected from both exploit chains. Whether the company will continue to extend this kind of broad, cross-version coverage in future incidents — or whether DarkSword's leak simply forced a one-time exception — remains an open question for enterprise security teams to watch closely.


Source: Dark Reading
