

Ethical Hacking News

Russia-Linked APT TA446 Exploits DarkSword iOS Vulnerability to Phish iPhone Users




A Russia-linked APT group has leveraged the DarkSword iOS vulnerability to target iPhone users through phishing attacks. The attack highlights the growing threat from state-sponsored actors who are increasingly targeting Western countries and organizations. By using the leaked DarkSword exploit kit, TA446 can bypass security measures and gain access to sensitive information.

In this article, we'll delve into the details of the attack, exploring how TA446 exploited the DarkSword vulnerability and the tactics used by the attackers. We'll also discuss the implications of this attack and provide guidance on how organizations can protect themselves against similar threats in the future.



  • TA446 (SEABORGIUM) APT group leveraged the DarkSword exploit kit to compromise iPhone users, highlighting the growing threat from state-sponsored actors targeting Western countries and organizations.
  • TA446's campaigns have expanded to include former intelligence officials, experts in Russian affairs, and Russian citizens abroad, marking a significant escalation in their capabilities and threats.
  • The DarkSword exploit kit gives attackers remote code execution (RCE) on iOS devices, bypassing security measures and exposing sensitive information.
  • The phishing wave was observed in March 2026, using malicious emails sent via compromised email accounts or phishing campaigns to trick victims into clicking on links that delivered the DarkSword exploit kit.
  • The attack demonstrates the sophistication and adaptability of state-sponsored actors, who are continually evolving their tactics to evade security measures.



    In a recent phishing wave, Russia-linked Advanced Persistent Threat (APT) group TA446 has leveraged the DarkSword exploit kit to compromise iPhone users. This attack highlights the growing threat from state-sponsored actors who are increasingly targeting Western countries and organizations.

    TA446, also known as SEABORGIUM, ColdRiver, Callisto, and Star Blizzard, has been active since at least 2017. The group's campaigns have primarily focused on defense and intelligence consulting companies, non-governmental organizations (NGOs), and intergovernmental organizations (IGOs). However, in recent months, the group has expanded its targeting to include former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

    The DarkSword exploit kit, which was recently published on GitHub, has been used by TA446 to target iPhone users. The kit is a sophisticated tool that gives attackers remote code execution (RCE) on iOS devices. By using the DarkSword exploit kit, TA446 can bypass security measures and gain access to sensitive information.

    The phishing wave was observed in March 2026, when Proofpoint researchers noticed an increase in emails attributed to TA446. The emails were spoofing the Atlantic Council, a think tank based in Washington D.C., and contained links that, when clicked, delivered the DarkSword exploit kit to the recipient's iPhone.

    The attack relied on malicious emails sent via compromised email accounts or phishing campaigns. The emails targeted individuals who had previously interacted with TA446's social network reconnaissance activity. The attackers used social engineering tactics to trick victims into clicking on the links, which delivered the DarkSword exploit kit.

    The use of the leaked DarkSword exploit kit marks a significant shift in TA446's tactics. Previously, the group had focused on targeting defense and intelligence consulting companies, NGOs, and IGOs. However, with the adoption of the DarkSword exploit kit, TA446 can now target a broader range of organizations and individuals.

    In addition to phishing emails, the attackers also used fake Atlantic Council "discussion invitation" emails to deliver the DarkSword RCE (GHOSTBLADE) via links. The researchers noted that this was a new tactic for TA446, as previously observed campaigns did not overlap with iOS attacks.
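A mail-triage check for the lure pattern described above (a message that claims to come from the Atlantic Council but is sent from another domain and links off that domain), as an added example that is not from the original article or from Proofpoint. The trusted domain `atlanticcouncil.org`, the function names and both sample messages are assumptions constructed for illustration; because the article says compromised accounts were used, the check compares display name, sender domain and link hosts rather than relying on SPF or DKIM results.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "atlantic council"              # name the lure impersonates, per the article
TRUSTED_DOMAIN = "atlanticcouncil.org"  # assumption: the organisation's real domain
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _trusted(host):
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def _host(url):
    try:
        return urlparse(url).hostname or ""
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return ""

def triage(raw):
    """Return reasons a raw RFC 5322 message matches the lure pattern ([] if none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if BRAND not in (display + " " + msg.get("Subject", "")).lower():
        return []  # message makes no claim to the brand
    reasons = []
    domain = addr.rpartition("@")[2]
    if not _trusted(domain):
        reasons.append(f"claims brand but sent from {domain or 'unknown'}")
    body = ""
    for part in msg.walk():  # collect every text/* part, transfer-decoded
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    outside = sorted({h for h in map(_host, URL_RE.findall(body)) if h and not _trusted(h)})
    if outside:
        reasons.append("links leave brand domain: " + ", ".join(outside))
    return reasons

# Constructed sample messages (not real campaign artefacts).
SAMPLE_LURE = (
    'From: "Atlantic Council Events" <j.doe@mail.example>\n'
    "Subject: Discussion invitation\n\n"
    "Please confirm here: https://invite.example.net/rsvp?id=1\n")
SAMPLE_BENIGN = (
    'From: "Atlantic Council" <events@atlanticcouncil.org>\n'
    "Subject: Upcoming events\n\n"
    "Agenda: https://www.atlanticcouncil.org/events/\n")
```

A lookalike sender such as `atlanticcouncil.org.example` is still flagged, because the domain match is anchored at the end of the host name.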

    The DarkSword exploit kit has been linked to several other APT groups in recent months. In February 2026, Malfors researchers observed a targeted campaign delivering the GHOSTBLADE backdoor via password-protected ZIP files. The attack was attributed to Russia's FSB threat actor.

    TA446's activity does not overlap with UNC6353, confirming it as a distinct threat actor. However, the group's adoption of the DarkSword exploit kit marks a significant escalation in its capabilities and the threat it poses.

    In conclusion, the use of the DarkSword exploit kit by TA446 highlights the growing threat from state-sponsored actors who are increasingly targeting Western countries and organizations. The attack demonstrates the sophistication and adaptability of these groups, who are continually evolving their tactics to evade security measures.

    As organizations and individuals become increasingly reliant on mobile devices, it is essential that they take proactive steps to protect themselves against targeted attacks like this. This includes implementing robust security measures, such as multi-factor authentication, regular software updates, and employee education programs.

    Furthermore, the use of the DarkSword exploit kit by TA446 underscores the importance of staying informed about emerging threats and vulnerabilities. Organizations must remain vigilant and responsive to new threats, ensuring that their security measures are up to date and effective in preventing attacks like this.

    In the coming months, it is likely that we will see more sophisticated attacks from state-sponsored actors who have access to advanced exploit kits like DarkSword. As such, it is essential that organizations prioritize security awareness and invest in robust security measures to protect themselves against these emerging threats.





  • Published: Mon Mar 30 03:43:27 2026 by llama3.2 3B Q4_K_M












