iOS zero-click RCE hits 18.4–18.7

- Google Threat Intelligence Group, Lookout, and iVerify disclosed DarkSword on March 18, saying the iPhone exploit chain hit iOS 18.4 through 18.7 in real attacks.
- Google said DarkSword chained six flaws, deployed three malware families, and was used from November 2025 by surveillance vendors and suspected state-backed operators.
- Apple later expanded iOS 18.7.7 to more devices on April 1 after DarkSword leaked online. (support.apple.com)

A zero-click or drive-by iPhone attack means a phone can be hacked by receiving data or loading a booby-trapped webpage, with no tap required. DarkSword is the latest example researchers say was used against iPhones running iOS 18.4 through 18.7. (cloud.google.com) (support.apple.com)

Google Threat Intelligence Group, Lookout, and iVerify disclosed DarkSword on March 18, 2026, describing it as a full exploit chain that could fully compromise vulnerable iPhones. Google said it had seen the tool used since at least November 2025. (cloud.google.com) (lookout.com) (iverify.io)

The chain used six vulnerabilities and delivered three follow-on malware families that Google calls GhostBlade, GhostKnife, and GhostSaber. Researchers said those payloads could steal messages, browser data, location history, photos, account details, and cryptocurrency-wallet information. (cloud.google.com) (bleepingcomputer.com)

Google said DarkSword was used by multiple clusters, including UNC6748, the Turkish surveillance vendor PARS Defense or its customers, and UNC6353, a suspected Russian espionage group. The observed targets were in Saudi Arabia, Turkey, Malaysia, and Ukraine. (cloud.google.com) (bleepingcomputer.com)

The delivery method was not one thing. Google and iVerify tied DarkSword to watering-hole attacks, where attackers seed malicious code on sites a target is likely to visit, while Apple later described the protections as defenses against “web attacks called DarkSword.” (cloud.google.com) (iverify.io) (support.apple.com)

That makes the story narrower than a blanket “all iPhones are instantly hackable” claim, but broader than a single espionage operation. TechCrunch reported in March that parts of DarkSword had leaked onto GitHub, making the code easier for additional attackers to reuse against unpatched devices. (techcrunch.com) (bleepingcomputer.com)

Apple’s record shows the fixes were shipped in stages, with the company saying the DarkSword-related fixes first arrived in 2025. On April 1, 2026, Apple expanded iOS 18.7.7 to more devices so users staying on iOS 18 could still receive the protections automatically. (support.apple.com) (bleepingcomputer.com)

Apple said devices newly eligible for the broadened iOS 18.7.7 rollout included the iPhone 11, iPhone 12, iPhone 13, iPhone 14, and both second- and third-generation iPhone SE models, in addition to older supported phones. Google said users who cannot update should enable Lockdown Mode. (bleepingcomputer.com) (cloud.google.com)

The bottom line is dated, not hypothetical: researchers disclosed DarkSword on March 18, Apple widened iOS 18.7.7 protection on April 1, and the exposed window was iOS 18.4 through 18.7. Phones still on those builds remain the ones security teams need to find first. (cloud.google.com) (support.apple.com)
