TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign

Summary

Proofpoint disclosed a targeted email campaign attributed to TA446 (Callisto/COLDRIVER), a Russian state-sponsored APT linked to the FSB, leveraging the DarkSword iOS exploit kit to target iOS devices with GHOSTBLADE malware. The campaign used spoofed Atlantic Council emails and targeted government, think tanks, higher education, and legal entities, with one recipient being Russian opposition politician Leonid Volkov. The wider targeting and leaked DarkSword code on GitHub raise concerns that nation-state iOS exploits could become commodity malware accessible to less-skilled threat actors.

Full text

TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign Ravie LakshmananMar 28, 2026Mobile Security / Email Security Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices. The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446, which is also tracked by the broader cybersecurity community under the monikers Callisto, COLDRIVER, and Star Blizzard (formerly SEABORGIUM). It's assessed to be affiliated with Russia's Federal Security Service (FSB). The hacking group is known for spear-phishing campaigns aimed at harvesting credentials from targets of interest. However, attacks mounted by the threat actor over the past year have targeted victims' WhatsApp accounts, as well as leveraged various custom malware families to steal sensitive data. The latest activity, highlighted by Proofpoint and Malfors, involves using fake "discussion invitation" emails spoofing the Atlantic Council to facilitate the delivery of GHOSTBLADE, a dataminer malware, via the DarkSword exploit kit. The emails were sent from compromised senders on March 26, 2026. One of the email recipients was Leonid Volkov, a prominent Russian opposition politician and the political director of the Anti-Corruption Foundation. An automated analysis triggered by Proofpoint's security tools is said to have redirected to a benign decoy PDF document, likely because of server-side filtering put in place to only lead iPhone browsers to the exploit kit. "We have not previously observed TA446 target users' iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices," Proofpoint said. The enterprise security firm also noted that the volume of emails from the threat actor has been "significantly higher" in the last two weeks, adding that these attacks lead to the deployment of a known backdoor referred to as MAYBEROBOT via password-protected ZIP files. The group's use of DarkSword has also been corroborated by the fact that a DarkSword loader uploaded to VirusTotal has been found to reference "escofiringbijou[.]com," a second-stage domain attributed to the threat actor. A urlscan[.]io result has revealed that the TA446-controlled domain has served the DarkSword exploit kit, including the initial redirector, exploit loader, remote code execution, and Pointer Authentication Code (PAC) bypass components. However, there is no evidence that sandbox escapes were delivered. It's suspected that the TA446 is repurposing the DarkSword exploit kit for credential harvesting and intelligence collection, with Proofpoint noting that the targeting observed in the email campaign was "much wider than usual" and that it included government, think tank, higher education, financial, and legal entities. This, in turn, has raised the possibility that the threat actor is leveraging the new capability afforded by DarkSword as part of an opportunistic campaign against a broader target set. The development comes as Apple has begun sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS to alert users of web-based attacks and urging them to install the update to block the threat. The unusual step signals that the company is treating it as a broad enough threat requiring users' immediate attention. Apple's warning also coincides with the leak of a new version of DarkSword on GitHub, raising concerns that they could democratize access to nation-state exploits, fundamentally shifting the mobile threat landscape. Justin Albrecht, principal researcher at Lookout, said the leaked, plug-and-play version allows even unskilled threat actors to deploy the advanced iOS espionage kit, turning it into commodity malware. "DarkSword refutes the common belief that iPhones are immune to cyber threats, and that advanced mobile attacks are only used in targeted efforts against governments and high-ranking officials," Albrecht added. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Apple, cybersecurity, email security, exploit kit, iOS, Malware, mobile security, Russia, Spear Phishing Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures

Indicators of Compromise

• domain — escofiringbijou.com
• malware — DarkSword
• malware — GHOSTBLADE
• malware — MAYBEROBOT
• mitre_attack — T1598.003