Ethical Hacking News
TA446 Deploys Leaked DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign, posing a significant risk to mobile device security. The use of DarkSword marks a departure from the group's previous tactics and highlights the need for enterprises to stay vigilant in the face of evolving threat landscapes.
TA446, a Russian state-sponsored threat group, used a leaked DarkSword exploit kit in a spear-phishing campaign targeting iOS devices. The use of DarkSword marks a significant escalation in the tactics, techniques, and procedures (TTPs) of TA446. A leaked version of DarkSword is available on GitHub, raising concerns about the democratization of access to nation-state exploits. TA446 delivered GHOSTBLADE, a dataminer malware, via the DarkSword exploit kit in a spear-phishing campaign targeting prominent Russian opposition politician Leonid Volkov. The campaign is notable for TA446's departure from previous TTPs, which focused on WhatsApp accounts and custom malware families. TA446 has significantly increased email activity, deploying a known backdoor referred to as MAYBEROBOT via password-protected ZIP files. The use of DarkSword in this campaign has been corroborated by VirusTotal and urlscan.io results referencing a second-stage domain attributed to TA446. However, there is no evidence that sandbox escapes were delivered as part of this campaign, which limits the threat actor's ability to gain long-term persistence.
Threat actors affiliated with the Russian state-sponsored threat group known as TA446 have recently employed a leaked DarkSword exploit kit to target iOS devices in a spear-phishing campaign. This latest activity, highlighted by Proofpoint and Malfors, marks a significant escalation in the tactics, techniques, and procedures (TTPs) of this group.
The DarkSword exploit kit, which has been widely used in the past for targeting Android devices, has recently been leaked, allowing threat actors to leverage its capabilities against iOS devices as well. The leaked version of DarkSword, available on GitHub, has raised concerns that it could democratize access to nation-state exploits, fundamentally shifting the mobile threat landscape.
In this latest spear-phishing campaign, TA446 used fake "discussion invitation" emails spoofing the Atlantic Council to deliver GHOSTBLADE, a dataminer malware, via the DarkSword exploit kit. The emails were sent from compromised senders on March 26, 2026, and one of the recipients was Leonid Volkov, a prominent Russian opposition politician and the political director of the Anti-Corruption Foundation.
The use of DarkSword in this campaign is notable because it marks a departure from the group's previous TTPs, which focused on targeting WhatsApp accounts and using custom malware families to steal sensitive data. The fact that TA446 is now leveraging the DarkSword exploit kit to target iOS devices suggests that they are seeking to expand their capabilities and adapt to changing threat landscapes.
The volume of emails sent by the threat actor has been significantly higher in the last two weeks, according to Proofpoint, which added that these attacks lead to the deployment of a known backdoor referred to as MAYBEROBOT via password-protected ZIP files. This increased activity suggests that TA446 is attempting to maximize the impact of its campaign and gather as much intelligence as possible.
The use of DarkSword in this campaign has also been corroborated by a DarkSword loader uploaded to VirusTotal that references "escofiringbijou[.]com," a second-stage domain attributed to the threat actor. Furthermore, a urlscan[.]io result has revealed that the TA446-controlled domain has served the DarkSword exploit kit, including the initial redirector, exploit loader, remote code execution, and Pointer Authentication Code (PAC) bypass components.
However, there is no evidence that sandbox escapes were delivered as part of this campaign. In other words, while TA446 has deployed the DarkSword exploit kit against iOS devices, the observed chain stops short of escaping the app sandbox, which limits the attacker's ability to gain long-term persistence on the device.
The development of this spear-phishing campaign marks a significant escalation in the threat landscape for mobile security. The use of DarkSword to target iOS devices highlights the need for enterprises to review their security protocols and ensure that they are protected against this new threat.
Apple has begun sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS, alerting users to web-based attacks and urging them to install the update that blocks the threat. This unusual step signals that Apple considers the threat broad enough to require user attention.
Justin Albrecht, principal researcher at Lookout, said that "DarkSword refutes the common belief that iPhones are immune to cyber threats, and that advanced mobile attacks are only used in targeted efforts against governments and high-ranking officials." This statement highlights the evolving nature of mobile security threats and the need for enterprises to stay vigilant.
The availability of the leaked DarkSword kit on GitHub reinforces the concern that nation-state exploits are becoming easier for other threat actors to obtain and use in their own campaigns.
As a result, it is essential for enterprises to review their security protocols and ensure that they are protected against this new threat. This includes implementing robust security measures such as email filtering, patching vulnerable software, and educating employees on phishing and other social engineering tactics.
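As an added example (not code from the article or from any vendor it cites), the following Python helper triages the password-protected ZIP delivery described above by walking the archive's local file headers directly: the encryption flag and the entry names are visible without the password, so a mail gateway can flag an encrypted archive carrying script-like names before a user ever opens it. The suffix list, the verdict thresholds and the sample archive are assumptions made for this example.

```python
import struct
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001          # bit 0 of the general-purpose flag field
HEADER_FMT = "<4sHHHHHIIIHH"     # local file header, 30 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
# Assumed list of names that should not arrive inside a "discussion invitation" archive
SCRIPT_SUFFIXES = (".ps1", ".vbs", ".js", ".hta", ".lnk", ".bat", ".cmd", ".exe")

def iter_local_headers(data: bytes):
    """Yield (name, is_encrypted, compressed_size) per local file header.
    Walks local headers, not the central directory, so a tampered directory
    cannot hide entries; names are readable even in a password-protected ZIP
    because traditional ZIP encryption covers only the entry contents."""
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + HEADER_LEN > len(data):
            return
        f = struct.unpack_from(HEADER_FMT, data, pos)
        flags, csize, name_len, extra_len = f[2], f[7], f[9], f[10]
        start = pos + HEADER_LEN
        yield data[start:start + name_len].decode("utf-8", "replace"), bool(flags & ENCRYPTED_FLAG), csize
        # csize is 0 when a data descriptor is used; find() then scans to the next header
        pos = start + name_len + extra_len + csize

def triage_zip(data: bytes) -> dict:
    """'block' if encrypted AND script-like names, 'review' if only one, else 'allow'."""
    entries = list(iter_local_headers(data))
    names = [n for n, _, _ in entries]
    encrypted = [n for n, enc, _ in entries if enc]
    script_like = [n for n in names if n.lower().endswith(SCRIPT_SUFFIXES)]
    verdict = ("allow", "review", "block")[bool(encrypted) + bool(script_like)]
    return {"entries": names, "encrypted": encrypted, "script_like": script_like, "verdict": verdict}

def build_sample_zip(entries) -> bytes:
    """Constructed test data: local-header-only ZIP. For 'encrypted' entries only the
    flag bit is set; the payload bytes are placeholders, not real ciphertext."""
    out = b""
    for name, payload, encrypted in entries:
        out += struct.pack(HEADER_FMT, LOCAL_HEADER_SIG, 20, ENCRYPTED_FLAG if encrypted else 0,
                           0, 0, 0, zlib.crc32(payload), len(payload), len(payload), len(name), 0)
        out += name.encode() + payload
    return out

# Constructed sample shaped like a password-protected lure archive
SAMPLE_ZIP = build_sample_zip([("invitation.pdf.lnk", b"placeholder", True),
                               ("agenda.txt", b"placeholder", False)])
```

Running `triage_zip(SAMPLE_ZIP)` returns a `block` verdict because the archive is both encrypted and carries a shortcut-style name; a plain encrypted archive of documents would only be marked for review.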
In conclusion, the recent spear-phishing campaign attributed to TA446 marks a significant escalation in the mobile threat landscape: a leaked nation-state exploit kit has been repurposed against iOS devices, and the defensive measures outlined above are the practical response.
Related Information:
https://www.ethicalhackingnews.com/articles/TA446-Deploys-Leaked-DarkSword-iOS-Exploit-Kit-in-Targeted-Spear-Phishing-Campaign-ehn.shtml
https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html
https://techcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hack-millions-of-iphones/
https://cointelegraph.com/news/google-ghostblade-crypto-stealing-malware
https://tradernews.org/2026/03/21/google-intel-threat-tags-cryptography-stealing-ghostblade-malware/
https://medium.com/@nikonmark/inside-mayberobot-analyzing-russias-rapid-response-powershell-backdoor-d6fed3d78ba7
https://www.bleepingcomputer.com/news/security/russian-hackers-evolve-malware-pushed-in-i-am-not-a-robot-clickfix-attacks/
https://attack.mitre.org/groups/G1033/
https://mashable.com/article/hackers-target-apple-iphone-darksword-spyware
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain
Published: Sat Mar 28 03:06:00 2026 by llama3.2 3B Q4_K_M