After some delay, Apple has patched the vulnerabilities associated with the DarkSword exploit chain for all affected customers, even those who aren’t updated to iOS 26 — a boon for organizations trying to get users updated to a new version all at once, and for those with patch management policies that preclude such updates.
When sufficiently serious vulnerabilities are unearthed in Apple devices, Apple is generous enough to offer patches both to users running its latest operating system (OS) and to users whose devices are too old to run that new OS, as applicable. Last year, for instance, when researchers uncovered a US government-grade exploit kit called Coruna — with five different exploit chains spanning 23 vulnerabilities in iOS versions 13 to 17.2.1 — Apple went back and distributed a patch to all those affected, including those whose phones were un-updatable.
Typically, though, there has been one group left out of the patch party: customers whose devices are capable of upgrading to the newest OS, but who either choose or are forced not to. For example, many iPhone users have resisted upgrading from iOS 18 to iOS 26 (which, despite the numbers, happen to be consecutive versions), because of the user experience (UX) changes. Others have work phones that are mandated to be one update behind the patch cycle. This collective group has been left out in the cold both when Apple initially fixed the DarkSword exploit chain in iOS 26 last year, and when it pushed a fix to pre-iOS 18 devices that couldn’t update to iOS 26 on March 24. The iOS 18 aficionados could choose to upgrade, or stick with what they prefer and sacrifice their security.
That stance lasted only about a week, though. DarkSword leaked to GitHub on March 22, as Dark Reading reported, and with the whole cybercriminal world privy to such a powerful hacking tool, Apple relented, extending the fix to those stubborn or unlucky iOS 18 users on April 1.
Justin Albrecht, principal researcher at Lookout, praises the move. In fact, he adds, “Apple has taken multiple unprecedented steps on iOS to counter DarkSword and Coruna, to include the backported patches, alert notifications to susceptible devices and published threat guidance on Web-based attacks. This speaks to the level of threat that malware like DarkSword poses, and if Apple is taking this so seriously then users should as well.”
DarkSword’s Severity Forced Apple’s Hand
In some ways, the severity of the DarkSword problem was overshadowed by the Coruna kit having been publicly disclosed earlier the same month.
Coruna is devastating and has been utilized by dangerous threat actors, and evidence suggested that it had originally been developed by a US military contractor. “It could do command-and-control (C2) over SMS, so all you have to do is make one modification to take contacts from the contacts list and blast out text messages with links, and you’ve got yourself wormable malware,” explains iVerify co-founder Rocky Cole. “So I think that’s why they moved so quickly [to patch]. It was the closest thing to a catastrophic endpoint attack Apple has really ever seen on an iPhone.”
DarkSword was revealed to the public two weeks after Coruna, and by that point it was largely reported as an extension of the Coruna story. In Cole’s view, though, DarkSword never should have played second fiddle.
“In some ways it’s more pernicious, because it didn’t root the device,” Cole explains. “Coruna rooted. So presumably, if you were doing root detection, you stood a chance of maybe seeing Coruna. But DarkSword doesn’t root, it just inherits the privileges of the processes. It gets just enough privilege escalation to access processors that too have Ring 0 access. So in that regard, I think it’s actually much harder to detect.”
He adds: “The fact that a significantly greater number of people were using iOS 18 than iOS 17 [the latest version impacted by Coruna], combined with the fact that it was published on GitHub while there weren’t backported patches available — to me that’s a crisis, and I would have expected faster action.”
DarkSword was already being passed around by surveillance-ware customers, but especially since it leaked online, Lookout’s Albrecht reports, “We’ve observed a handful of campaigns being conducted with the malware, to include [an] email phishing campaign conducted by TA446 which spoofed the Atlantic Council. The other campaigns observed appear to be unattributed criminal campaigns which we have been unable to link to a specific group, as well as multiple instances of apparent testing of the malware for unknown purposes.”
The Cyber Risk Story Is Over (For Now)
Cole views Apple’s handling of the DarkSword updates as a risk for enterprises. “There was a pretty significant gap there between when these vulnerabilities were exposed to the open Internet and put on GitHub, and when there was a patch issued,” he says.
He’s also quick to point out that, while many iPhone users choose not to upgrade their OS due to personal preferences, a lot of people have to stay behind because of corporate policies. For them, Apple’s resistance to patching all devices everywhere is an inescapable burden.
“Let’s say you are a business user and your IT department says you have to use what’s called an n-minus-one patching cadence, which means you can only use a version that’s one version behind — what are you supposed to do in that situation?” he says. “If the patches aren’t being backported to all versions, how are you supposed to defend yourself? To me, this just fundamentally challenges the notion that a patching-only strategy is going to be good enough going forward,” he argues.
At this point, all users willing to and capable of updating their Apple devices will be clear of both DarkSword and Coruna, but the next thing is surely percolating out there, somewhere. “What I think DarkSword and Coruna together show is that the market for n-day iOS exploit kits is exploding,” Cole warns. “The price has really rapidly fallen, and though DarkSword and Coruna are now fully patched, it does raise the question of how many more of these kits are out there and what’s going to be next.”
