Apple patched the DarkSword exploit chain on March 30, 2026, with iOS 18.7.7, a zero-click vulnerability that lets attackers steal personal files and cryptocurrency keys simply by loading a malicious page in Safari.
Why it matters: Imagine scrolling Safari when a script silently accesses your camera roll, message threads, and wallet keys. No tap, no prompt, no warning. That's DarkSword: a fully automated attack that chained six vulnerabilities into a single silent breach. It's the kind of flaw that underscores why those persistent update notifications are critical.
What's new: iOS 18.7.7 build 22H340 closes all six entry points, CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, and CVE-2025-43520, and shuts down the JavaScriptCore execution paths attackers used to bypass Apple's memory protections. Apple also released targeted backports in iOS 15.8.7, 16.7.15, and later in iOS 26.3, ensuring older devices remain protected.
What they're saying: The Google Threat Intelligence Group (GTIG) disclosed DarkSword on March 18, 2026, alongside Lookout and iVerify. Their technical analysis maps the attack: a JavaScript-based WebKit/JavaScriptCore remote code execution, a PAC bypass, GPU and sandbox escapes, and finally a kernel escalation. Once inside, DarkSword deployed three malware families, GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE, each engineered to exfiltrate data and enumerate device contents without leaving traces.
The scope: GTIG observed campaigns from November 2025 through March 2026 targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. No confirmed U.S. victims were reported at the time of disclosure, but the delivery mechanism, malicious domains served via web ads and phishing links, works anywhere Safari does.
How to install iOS 18.7.7 now:
- Open Settings, tap General, then Software Update.
- Select Download and Install for iOS 18.7.7.
- Follow the on-screen prompts and allow the device to restart. The process typically completes in 15 to 30 minutes.
What to do if you can't update: Ensure the device has at least 20 percent battery, connect to Wi-Fi, and free up storage space. If the update fails, restart the iPhone, reset network settings under Settings, General, Transfer or Reset iPhone, Reset, Reset Network Settings, or use a computer with Finder (macOS Catalina and later) or iTunes (Windows and older macOS) to apply the update manually.
Lockdown Mode: For devices that can't be patched immediately, enable Lockdown Mode in Settings, Privacy and Security, Lockdown Mode. This hardens Safari against web-based exploits and limits background activity, significantly reducing the attack surface available to threats like DarkSword.
Timeline: Apple shipped the initial fix on March 30, 2026, and followed with broader patches in iOS 26.3 and subsequent updates. GTIG published YARA rules, uploaded samples to VirusTotal, and added delivery domains to Google Safe Browsing to help security teams hunt for infections.
Long-term security: Users are encouraged to upgrade to iOS 26 when available. It includes hardened memory protections and stricter app sandboxing, security improvements developed in response to vulnerabilities like the DarkSword chain. These architectural enhancements provide lasting protection beyond individual patches.
FAQ:
How long does iOS 18.7.7 take to install? Most users finish within half an hour, depending on Wi-Fi speed.
Will updating erase data? No. The update preserves all personal content.
What is JavaScriptCore? It's the engine that powers Safari's JavaScript execution, the same component DarkSword exploited.
How do I know if my device was compromised? DarkSword operates silently with no visible symptoms. If you ran iOS 18.4 to 18.7 before updating and visited unfamiliar websites, consider reviewing recent account activity and changing sensitive passwords as a precaution.
How do I enable Lockdown Mode? Toggle the setting in Settings, Privacy and Security, Lockdown Mode as described above.
