Ethical Hacking News

TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign: A Growing Concern for Mobile Security


TA446 has deployed the DarkSword iOS exploit kit in a targeted spear-phishing campaign, marking a significant escalation in its tactics and expanding its reach to Apple devices. As the threat landscape continues to evolve, it is essential for organizations and individuals to take mobile security seriously and stay vigilant against emerging threats.

  • The Russian state-sponsored threat group TA446 has been spotted using the DarkSword iOS exploit kit in a spear-phishing campaign.
  • The campaign targeted specific recipients, including prominent Russian opposition politician Leonid Volkov, and used fake "discussion invitation" emails spoofing the Atlantic Council to deliver GHOSTBLADE malware.
  • The use of DarkSword marked a significant departure from TA446's previous tactics, expanding their reach to target Apple devices for the first time.
  • The DarkSword exploit kit has significant implications for mobile security, representing a major leap forward in iOS exploitation capabilities.
  • Apple is urging users to install the latest update to block the threat and has started sending Lock Screen notifications to alert users of web-based attacks.



    In a recent development that has sent shockwaves through the cybersecurity community, threat actors affiliated with Russia's Federal Security Service (FSB) have been spotted leveraging the DarkSword iOS exploit kit to target iOS devices in a spear-phishing campaign. This marked a significant escalation in the tactics, techniques, and procedures (TTPs) employed by TA446, a Russian state-sponsored threat group that has been tracked under various monikers, including Callisto, COLDRIVER, and Star Blizzard.

    According to Proofpoint, a leading enterprise security firm, the spear-phishing campaign involved the use of fake "discussion invitation" emails spoofing the Atlantic Council to facilitate the delivery of GHOSTBLADE, a dataminer malware. The emails were sent from compromised senders on March 26, 2026, and were targeted at specific recipients, including prominent Russian opposition politician Leonid Volkov.

    The campaign marked a significant departure from TA446's previous TTPs, which focused on harvesting credentials from targets of interest through more traditional spear-phishing tactics. However, the use of DarkSword, a recently disclosed iOS exploit kit, allowed the threat actors to expand their reach and target Apple devices for the first time.

    "We have not previously observed TA446 target users' iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices," said Proofpoint. "This is a significant development, as it highlights the growing threat landscape for mobile security and demonstrates the evolving tactics employed by nation-state actors."

    The use of DarkSword has been corroborated by various sources, including a DarkSword loader uploaded to VirusTotal, which referenced "escofiringbijou[.]com," a second-stage domain attributed to TA446. Furthermore, a urlscan[.]io result revealed that the TA446-controlled domain had served the DarkSword exploit kit, including the initial redirector, exploit loader, remote code execution, and Pointer Authentication Code (PAC) bypass components.

    However, it is worth noting that there is currently no evidence of sandbox escapes delivered through this campaign. Nevertheless, the use of DarkSword has significant implications for mobile security, as it represents a major leap forward in the capabilities of iOS exploitation.

    The leaked version of DarkSword on GitHub has also raised concerns among cybersecurity experts, who warn that it could democratize access to nation-state exploits and fundamentally shift the mobile threat landscape. "DarkSword refutes the common belief that iPhones are immune to cyber threats, and that advanced mobile attacks are only used in targeted efforts against governments and high-ranking officials," said Justin Albrecht, principal researcher at Lookout.

    Apple has taken notice of the growing threat landscape and has begun sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS to alert users of web-based attacks. The company is urging users to install the latest update to block the threat.

    In light of this development, it is essential for organizations and individuals to take mobile security seriously and stay vigilant against spear-phishing campaigns. As the threat landscape continues to evolve, it is crucial to remain informed and adapt to emerging threats to protect against advanced mobile attacks.




  • Published: Sat Mar 28 04:52:54 2026 by llama3.2 3B Q4_K_M












