Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit

Summary

Star Blizzard, a Russian state-sponsored APT linked to the FSB, has integrated the DarkSword iOS exploit kit into its arsenal, marking the group's first known targeting of iCloud and Apple devices. The campaign, observed on March 26, used Atlantic Council-themed phishing emails to target government, financial, higher education, and legal entities. Proofpoint attributes the shift in tradecraft to credential harvesting and intelligence collection following a GitHub leak of the DarkSword toolkit.

Full text

A Russian state-sponsored hacking group tracked as Star Blizzard has adopted the DarkSword iOS exploit kit in an ongoing campaign, Proofpoint reports. On Friday, investigation platform Malfors warned that a Russian threat actor has been using Atlantic Council lures in an email campaign delivering the DarkSword-linked GhostBlade malware. Shortly after, Proofpoint attributed the campaign to Star Blizzard, an APT associated with the Russian intelligence service FSB and which is also tracked as Callisto, ColdRiver, SeaBorgium, and TA446. According to the cybersecurity firm, the messages were observed on March 26 and originated from multiple compromised sender addresses. Over the past two weeks, Proofpoint says, Star Blizzard has significantly increased the volume of malicious emails compared to its normal operational tempo. The March 26 activity represented a similar spike in volume and marked another shift in attack tradecraft: the emails contained links instead of malicious attachments.Advertisement. Scroll to continue reading. “Proofpoint automated analysis was redirected to a benign decoy PDF, likely because of server-side filtering to only redirect iPhone browsers to the exploit kit,” the cybersecurity firm says. It also notes that it has found evidence that Star Blizzard has added the DarkSword iOS exploit kit to its arsenal, pointing out that this is the first time the APT has been seen targeting iCloud accounts and Apple devices. The evidence, Proofpoint notes, includes a DarkSword loader uploaded to VirusTotal that references a second-stage domain associated with the hacking group, and a submission on @URLScan showing the use of the exploit. The known Star Blizzard domain was “serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed,” Proofpoint says. The cybersecurity firm has not observed the exploit kit’s delivery, but believes that the Russian APT has adopted it for credential harvesting and intelligence collection after someone leaked it on GitHub. The Atlantic Council-themed campaign has targeted financial, government, higher education, and legal entities, as well as think tanks, “indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set,” Proofpoint notes. Related: Coruna iOS Exploit Kit Likely an Update to Operation Triangulation Related: Russian APT Exploits Zimbra Vulnerability Against Ukraine Related: Ex-US Defense Contractor Executive Jailed for Selling Exploits to Russia Related: Russia-Linked APT Star Blizzard Uses ClickFix to Deploy New LostKeys Malware, Google Warns Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire OpenAI Launches Bug Bounty Program for Abuse and Safety RisksTP-Link Patches High-Severity Router VulnerabilitiesCoruna iOS Exploit Kit Likely an Update to Operation TriangulationHightower Holding Data Breach Impacts 130,000BIND Updates Patch High-Severity VulnerabilitiesChinese Hackers Caught Deep Within Telecom Backbone InfrastructureCisco Patches Multiple Vulnerabilities in IOS SoftwareOnit Security Raises $11 Million for Exposure Management Platform Latest News European Commission Reports Cyber Intrusion and Data TheftHacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in WarfareTelnyx Targeted in Growing TeamPCP Supply Chain AttackExploitation of Fresh Citrix NetScaler Vulnerability BeginsFBI Confirms Kash Patel Email Hack as US Offers $10M Reward for HackersF5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the WildCloudflare-Themed ClickFix Attack Drops Infiniti Stealer on MacsPro-Iranian Hacking Group Claims Credit for Hack of FBI Director Kash Patel’s Personal Account Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — GhostBlade
• malware — DarkSword