A sophisticated new iPhone exploit kit dubbed “DarkSword” has been detected targeting users in Malaysia, marking a significant escalation in the spread of elite hacking tools to broader regions. Discovered by researchers from Google’s Threat Intelligence Group, alongside cybersecurity firms Lookout and iVerify, DarkSword is a “full-chain” exploit that can silently compromise an iPhone with zero user interaction. Victims are infected simply by visiting a compromised but seemingly legitimate website—a technique known as a “watering hole” attack. Once the site is loaded in the Safari browser, the spyware leverages a sequence of six vulnerabilities to break through Apple’s security layers, escalate its own permissions to the “kernel” level, and begin exfiltrating sensitive personal data. In Malaysia, the deployment of this tool has been linked to commercial surveillance vendors, illustrating how advanced cyber-espionage capabilities, once exclusive to global intelligence agencies, are now being sold and used by private entities and state-backed actors alike.
The technical precision of DarkSword is particularly alarming due to its “fileless” and “hit-and-run” nature. Unlike traditional malware that leaves permanent files on a device, DarkSword operates entirely within the phone’s temporary memory, hijacking legitimate system processes to harvest information. Within seconds of infection, the spyware can strip a device of its text messages, call history, photos, location data, and Wi-Fi passwords. Perhaps most concerning for modern users is its specific focus on cryptocurrency wallets, suggesting a dual motive of political espionage and financial theft. After the data is successfully sent to the attacker’s command server, the spyware automatically wipes its own traces and exits the system, leaving the victim completely unaware that their privacy has been breached. While the initial wave of attacks targeted Ukrainian government and news sites, the discovery of similar campaigns in Malaysia, Turkey, and Saudi Arabia proves that the threat has rapidly expanded into a global security crisis.
The Malaysian Communications and Multimedia Commission (MCMC) and international security experts have issued an urgent advisory for all Apple users to update their devices immediately. The exploit specifically targets iPhones running older versions of iOS 18 (from 18.4 through 18.7), which researchers estimate could still be in use on over 220 million devices worldwide. Apple has already released patches for these vulnerabilities in its latest software iterations, including iOS 26.3.1 and 18.7.6. For high-risk individuals such as journalists or government officials who cannot immediately update, experts recommend enabling “Lockdown Mode,” a specialized security setting that has proven effective at blocking the DarkSword chain. As the code for this exploit has recently been leaked on public platforms like GitHub, the barrier to entry for low-level cybercriminals has dropped significantly, making timely software updates the most critical defense against this invisible digital predator.
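For teams managing many iPhones, the version guidance above can be turned into an inventory check. The following Python script is an added example, not code from the researchers, Apple or MCMC: it sorts devices into patched, targeted, below-fix and unknown, and lists targeted devices that do not have Lockdown Mode on. The CSV columns and device names are constructed for illustration, and treating 18.7.x releases below 18.7.6 as part of the targeted range is an assumption drawn from the versions quoted in the advisory.

```python
import csv
import io

# Version bounds quoted in the article; 18.7.x below 18.7.6 is assumed to be in range.
TARGETED_FROM = (18, 4, 0)
FIXED_18 = (18, 7, 6)
FIXED_26 = (26, 3, 1)

# Constructed sample inventory; the column names are hypothetical, not a real MDM schema.
SAMPLE_CSV = """device,ios_version,lockdown_mode
iphone-001,18.5,off
iphone-002,18.7.2,on
iphone-003,18.7.6,off
iphone-004,26.3.1,off
iphone-005,26.2,off
iphone-006,unknown,off
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None for anything that is not a dotted version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable entries need a manual check, not a guess
    if v >= FIXED_26 or (v[0] == 18 and v >= FIXED_18):
        return "patched"
    if TARGETED_FROM <= v < FIXED_18:
        return "targeted"
    return "below-fix"  # outside the stated range but older than a fixed release

def triage(csv_text):
    """Group devices by status and list targeted devices without Lockdown Mode."""
    report = {"targeted": [], "below-fix": [], "unknown": [], "patched": []}
    no_lockdown = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["ios_version"])
        report[status].append(row["device"])
        if status == "targeted" and row["lockdown_mode"].strip().lower() != "on":
            no_lockdown.append(row["device"])
    return report, no_lockdown

if __name__ == "__main__":
    report, no_lockdown = triage(SAMPLE_CSV)
    print(report, "| targeted, Lockdown Mode off:", no_lockdown)
```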
