Apple Takes the Rare Step of Backporting Patches to iOS 18 Because DarkSword Is That Serious

When Apple Breaks Its Own Rules, You Know It Is Bad

Apple does not do favours for people who skip software updates. The company's general philosophy has always been simple: update or accept the consequences. So when Cupertino announces it will push out rare backported security patches specifically for iOS 18, you know something genuinely alarming is afoot.

That something is DarkSword, an exploit kit that has been quietly compromising iPhones since at least November 2025 and has now gone alarmingly public. Apple has confirmed to WIRED that it will deliver iOS 18-specific fixes for the millions of iPhone owners still running that version, rather than forcing them onto iOS 26. For Apple, this is the security equivalent of a house call.

What Exactly Is DarkSword?

Discovered and analysed by Google's Threat Intelligence Group (GTIG), mobile security firm iVerify, and Lookout, DarkSword is a sophisticated exploit chain that targets iPhones running iOS 18.4 through 18.7. It exploits six separate vulnerabilities, three of which were zero-days, meaning they were already being actively used in the wild before Apple had any knowledge of them.

The attack method is what security researchers call a "drive-by" exploit. Visit a compromised website on a vulnerable iPhone, and DarkSword can silently take over your device. No dodgy app installs. No suspicious permission prompts. Just a webpage doing the dirty work while you browse obliviously.

Once it gets in, the exploit chain deploys three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Yes, somebody on the naming committee was clearly having a good time, but the threat itself is anything but amusing.

The Scale of the Problem

Here is where things get properly uncomfortable. As of February 2026, roughly a quarter of all iPhone users were still running iOS 18. Apple's own App Store data from 12 February showed 20% among recent devices, with broader estimates including older hardware pushing that figure to around 24-25%. Depending on whose maths you trust, that translates to somewhere between 220 million and 270 million affected iPhones.

To put that in perspective, that is roughly the population of Indonesia sitting on a vulnerable operating system.

Confirmed targets so far include users in Malaysia, Saudi Arabia, Turkey, and Ukraine, but the situation escalated dramatically when the DarkSword code was leaked onto GitHub around 23 March 2026. What was once a tool for targeted surveillance is now effectively open-source weaponry.

There are also unverified reports from a security researcher that a new active DarkSword domain has been identified targeting US-based users, though this claim has not been independently confirmed beyond a single source.

From Spies to Criminals: DarkSword's Journey

Google's threat intelligence team has tracked a depressingly familiar pattern with DarkSword. It started life as a commercial surveillance tool, the sort of thing sold to governments who pinky-promise they will only use it against genuine threats. From there, it migrated to Russian espionage group UNC6353, before trickling down to profit-focused cybercriminals.

The progression from state-sponsored tool to criminal commodity is becoming a well-worn path in the security world. Security firms Malfors and Proofpoint have already flagged that TA446 (also known as Star Blizzard or COLDRIVER), a hacker group linked to the Kremlin's FSB, began sending phishing emails weaponised with DarkSword from 26 March onwards. These emails specifically spoofed Atlantic Council invitations and targeted government officials, think tanks, universities, financial institutions, and legal entities.

Patrick Wardle, a former NSA hacker and CEO of Apple-focused security firm DoubleYou, has been among those sounding the alarm. When someone with his background says the situation is serious, it is worth paying attention.

Why Apple Is Breaking Precedent

Apple's decision to backport patches to iOS 18 is genuinely unusual. The company has done this before, notably when the Coruna exploit kit was discovered and Apple pushed security fixes back to iOS 17, but it remains the exception rather than the rule.

The Coruna precedent is worth examining because the parallels are striking. That toolkit was reportedly developed by L3Harris's Trenchant division for the US government before it spread to Russian espionage groups and eventually Chinese cybercriminals. It affected at least 42,000 devices, which was considered massive for iOS at the time. DarkSword threatens to dwarf those numbers entirely.

The core issue is that Apple cannot simply tell a quarter of its user base to upgrade to iOS 26. Many users have deliberately stayed on iOS 18, and not because they are lazy or technophobic.

The iOS 26 Problem

iOS 26, released in September 2025 with its controversial "Liquid Glass" redesign, has seen historically poor adoption. As of January 2026, only 18.1% of iPhones had made the jump, compared to 77.1% for iOS 18 at the same stage in its lifecycle. That is a staggering drop-off.

The reasons are multiple. The Liquid Glass interface overhaul drew significant criticism from users who found it a step backwards in usability. In the UK specifically, iOS 26.4 introduced mandatory age verification features that prompted further resistance from users unwilling to hand over additional personal data.

Telling hundreds of millions of people to adopt an operating system they have actively rejected is not a viable security strategy. Hence the backported patches.

What You Should Do Right Now

If you are running iOS 18.4 through 18.7, the advice is straightforward:

  • Install the backported patches as soon as they arrive. Apple has confirmed they are coming. Do not dawdle.
  • Be exceptionally cautious about links. DarkSword works through compromised websites, and the FSB-linked phishing campaign means malicious links are actively being distributed via email.
  • Check your iOS version. Go to Settings, then General, then About. If you are in the affected range, stay alert for the update notification.
  • Consider whether iOS 26 might actually be worth the jump. Yes, Liquid Glass takes some getting used to. But running an operating system that is actively receiving full security updates is generally preferable to relying on backported emergency fixes.

The Bigger Picture

DarkSword highlights a growing tension in the smartphone security model. Apple has long maintained that the best protection is simply running the latest software. But when adoption rates crater because users genuinely dislike a new release, that model breaks down spectacularly.

The company deserves credit for choosing pragmatism over pride here. Backporting patches to iOS 18 is an implicit admission that iOS 26 adoption has not gone to plan, and Apple does not make those admissions lightly.

Rocky Cole, co-founder of iVerify, has been vocal about the need for this kind of flexibility. When hundreds of millions of devices are at risk, the "just update" mantra rings hollow.

For now, the immediate threat is clear and the fix is on its way. But the deeper question remains: what happens the next time a critical exploit surfaces and a significant chunk of the user base is sitting on an older OS they refuse to leave? Apple may need to rethink its approach to long-term support, because DarkSword will not be the last toolkit to exploit this gap.

Written by

Daniel Benson

Writer, editor, and the entire staff of SignalDaily. Spent years in tech before deciding the news needed fewer press releases and more straight talk. Covers AI, technology, sport and world events — always with context, sometimes with sarcasm. No ads, no paywalls, no patience for clickbait. Based in the UK.