
Proofpoint has revealed details of a targeted email campaign in which Russian-linked attackers leveraged the recently revealed DarkSword exploit kit to target iOS devices.
Proofpoint attributes the activity with high confidence to a Russian state-sponsored threat group it tracks as TA446, which the broader cybersecurity community also tracks under the names Callisto, COLDRIVER, and Star Blizzard (formerly SEABORGIUM). The group is believed to be affiliated with Russia’s Federal Security Service (FSB).
The group is best known for spear-phishing campaigns aimed at harvesting credentials from targets of interest. Over the past year, however, its attacks have also gone after victims’ WhatsApp accounts and deployed several custom malware families to steal sensitive data.
The latest activity highlighted by Proofpoint and Malfors includes using fake “discussion invitation” emails impersonating the Atlantic Council to facilitate the distribution of the dataminer malware GHOSTBLADE via the DarkSword exploit kit. The email was sent from a compromised sender on March 26, 2026. One of the email recipients was Leonid Volkov, a prominent Russian opposition politician and political director of the Anti-Corruption Foundation.
Automated analysis triggered by Proofpoint’s security tools was instead served a benign decoy PDF. This is most likely the result of server-side filtering that delivers the exploit kit only to browsers identifying themselves as iPhone Safari and hands every other client, including sandboxes and URL scanners, a harmless document.
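The following is an added Python example, not code from the article, from Proofpoint, or from the DarkSword kit, illustrating the cloaking behaviour described above and the check an analyst runs against it: request the same URL under several User-Agent strings and compare what comes back. The redirector here is a constructed stand-in that imitates the described filter (decoy PDF for scanners, exploit landing page only for iPhone Safari); the User-Agent strings and the `/loader.js` path are assumptions, and `make_urllib_fetch` is the hypothetical hook for pointing the same probe at a real URL.

```python
"""Check a suspected redirector for User-Agent cloaking.

Added example; it is not code from the original article, from Proofpoint,
or from the DarkSword kit. The redirector below is a constructed stand-in
that imitates the behaviour the text describes (a decoy PDF for scanners,
an exploit landing page only for iPhone Safari). The probe logic is what
an analyst would point at a real URL, with the fetch function swapped for
one that makes real HTTP requests (see make_urllib_fetch).
"""
from __future__ import annotations

import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, str, bytes]   # (status, content-type, body)
Fetch = Callable[[str], Response]   # takes a User-Agent, returns a Response

# Constructed sample User-Agent strings, one per client class an analyst
# would want to compare (assumed values, not indicators from the report).
USER_AGENTS: Dict[str, str] = {
    "iphone_safari": (
        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) "
        "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 "
        "Mobile/15E148 Safari/604.1"
    ),
    "desktop_chrome": (
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
    ),
    "curl": "curl/8.6.0",
}


def looks_like_iphone_safari(user_agent: str) -> bool:
    """Crude device check of the kind a cloaking redirector applies."""
    ua = user_agent.lower()
    return "iphone" in ua and "safari" in ua


def simulated_redirector(user_agent: str) -> Response:
    """Constructed stand-in for the attacker's server-side filter.

    Only iPhone Safari gets the page that pulls in the exploit loader;
    every other client, including sandboxes and scanners, gets a decoy PDF.
    """
    if looks_like_iphone_safari(user_agent):
        return 200, "text/html", b"<html><script src='/loader.js'></script></html>"
    return 200, "application/pdf", b"%PDF-1.4\n% constructed decoy document\n"


def make_urllib_fetch(url: str, timeout: float = 10.0) -> Fetch:
    """Build a Fetch for a real URL (hypothetical target, not a live IOC).

    Run this only from an isolated analysis host: the request reaches
    attacker infrastructure and exposes the analyst's source address.
    """
    def fetch(user_agent: str) -> Response:
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.headers.get("Content-Type", ""), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.headers.get("Content-Type", ""), err.read()
    return fetch


def probe(fetch: Fetch, agents: Dict[str, str] = USER_AGENTS) -> dict:
    """Request the same resource under each User-Agent and compare results.

    Returns per-agent fingerprints, the agents grouped by the body they
    received, and a 'cloaked' flag set when at least two agents got
    different content.
    """
    per_agent: Dict[str, dict] = {}
    for name, ua in agents.items():
        status, ctype, body = fetch(ua)
        per_agent[name] = {
            "status": status,
            "content_type": ctype.split(";")[0].strip().lower(),
            "sha256": hashlib.sha256(body).hexdigest(),
        }
    fingerprints = {(r["status"], r["content_type"], r["sha256"]) for r in per_agent.values()}
    # Group agent names by the body they received so the analyst can see
    # which client class was singled out.
    groups: Dict[str, list] = {}
    for name, r in per_agent.items():
        groups.setdefault(r["sha256"], []).append(name)
    return {
        "cloaked": len(fingerprints) > 1,
        "per_agent": per_agent,
        "groups": list(groups.values()),
    }


if __name__ == "__main__":
    report = probe(simulated_redirector)
    print("cloaked:", report["cloaked"])
    for name, r in report["per_agent"].items():
        print(f"{name:15} {r['status']} {r['content_type']} {r['sha256'][:12]}")
```

Against the simulated redirector the probe reports `cloaked: True`, with the iPhone Safari agent alone in one group and the desktop and curl agents sharing the decoy PDF. The same divergence across agents is what an analyst looks for when a sandbox detonation of a suspicious link returns only a harmless document: re-request from the client class the lure is aimed at before concluding the link is benign.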

“While TA446 has not previously been observed targeting users’ iCloud accounts or Apple devices, the adoption of the leaked DarkSword iOS exploit kit allows this attacker to target iOS devices,” Proofpoint said.
The enterprise security firm also noted a “significant increase” in the volume of emails from the threat actor over the past two weeks, adding that these attacks led to the deployment of a known backdoor called MAYBEROBOT delivered via a password-protected ZIP file.
The group’s use of DarkSword is further supported by a DarkSword loader uploaded to VirusTotal that references escofiringbijou[.]com, a second-stage domain attributed to the threat actor.
urlscan[.]io results show that a domain controlled by TA446 served the DarkSword exploit kit, including its initial redirector, exploit loader, remote code execution, and Pointer Authentication Code (PAC) bypass components. There is, however, no evidence that the kit’s sandbox escape component was ever distributed.
TA446 is suspected of using the leaked DarkSword exploit kit for credential harvesting and information gathering, and Proofpoint noted that the targets observed in the email campaign were “much broader than usual,” spanning governments, think tanks, higher education institutions, financial institutions, and corporations.
This raises the possibility that threat actors are leveraging the new capabilities provided by DarkSword as part of opportunistic campaigns against a broader set of targets.
The development comes as Apple began sending lock screen notifications to iPhones and iPads running older versions of iOS and iPadOS to warn users about web-based attacks and urge them to install the updates that block them. This unusual move suggests the company is treating the campaign as a widespread threat that requires an immediate response from users.
Apple’s warning also coincides with the leak of a new version of DarkSword on GitHub, raising concerns that it could fundamentally change the mobile threat landscape by democratizing access to exploits previously reserved for nation states.
Justin Albrecht, lead researcher at Lookout, said the leaked plug-and-play version allows even unskilled attackers to deploy a sophisticated iOS espionage kit, effectively turning it into commodity malware.
Albrecht added, “Dark Sword refutes the conventional wisdom that iPhones are immune to cyber threats and that advanced mobile attacks are only used for targeted attacks against governments and high-ranking officials.”
