
Russian Hack Group TA446 Exploits Leaked DarkSword iOS Kit in Targeted Phishing Campaign

Cybersecurity researchers have uncovered a sophisticated spear-phishing campaign in which the Russian state-linked hacking group TA446 is using the recently leaked DarkSword exploit kit to target iOS devices.

The campaign, tracked by Proofpoint and corroborated by Malfors, reportedly impersonates the Atlantic Council in fake “discussion invitation” emails. The malicious messages deliver GHOSTBLADE, a data-mining malware, via the DarkSword kit. One notable recipient of the emails was Leonid Volkov, a prominent Russian opposition figure and political director of the Anti-Corruption Foundation.

TA446, also known in the cybersecurity community as Callisto, COLDRIVER, and Star Blizzard, is widely believed to operate under the auspices of Russia’s Federal Security Service (FSB). Historically, the group has focused on spear-phishing attacks to steal credentials, targeting platforms like WhatsApp and deploying custom malware families to exfiltrate sensitive information.

Exploit Kit Enables iOS Targeting

According to Proofpoint, this marks a significant shift for TA446, which had not previously been observed targeting Apple devices or iCloud accounts. The leaked DarkSword exploit kit allows the group to bypass standard iOS security, deploying malware via password-protected ZIP files and launching a backdoor known as MAYBEROBOT.

Analysis of the kit shows TA446-controlled infrastructure, including domains such as escofiringbijou[.]com, used as second-stage hosts. A detailed inspection via urlscan.io confirmed the presence of the full DarkSword exploit chain, including redirectors, exploit loaders, and remote code execution mechanisms with Pointer Authentication Code (PAC) bypass. Researchers, however, found no evidence that sandbox escapes were being executed.
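The one network indicator the report publishes is the defanged second-stage domain above. The following is an added example, not Proofpoint's or Malfors' tooling, of how a defender would turn that indicator into a log check: it refangs the published form, then scans constructed DNS-resolver and web-proxy lines for the domain or any subdomain of it, while rejecting look-alike names that merely contain the string. The log lines and the hostnames in them (other than the report's domain) are constructed for the example.

```python
"""Match constructed DNS/proxy log lines against the second-stage domain named in the report.

Added example, not tooling from the report's authors. The only indicator is the
defanged domain quoted in the article; every log line below is constructed.
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicator exactly as published in the report, in defanged form.
DEFANGED_IOCS = ["escofiringbijou[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname.

    Handles the common "[.]", "(.)" and "{.}" dot escapes and the "hxxp(s)" scheme
    rewrite, drops any path, lower-cases, and strips a trailing dot so that
    DNS-style names ("example.com.") compare equal to URL hosts.
    """
    host = indicator.strip().lower()
    host = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", host)
    host = re.sub(r"^hxxps?://", "", host)
    host = host.split("/")[0]
    return host.rstrip(".")


def host_matches(host: str, ioc_domain: str) -> bool:
    """True when host is the indicator itself or a subdomain of it.

    A plain substring test would also flag unrelated names such as
    "notescofiringbijou.com"; anchoring on the label boundary avoids that.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def extract_hosts(line: str) -> list[str]:
    """Pull candidate hostnames out of a log line: URL hosts first, then bare dotted names."""
    url_hosts = re.findall(r"https?://([a-z0-9.-]+)", line, flags=re.I)
    bare_names = re.findall(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", line, flags=re.I)
    return url_hosts + bare_names


def scan_logs(lines: Iterable[str], defanged_iocs: Iterable[str] = DEFANGED_IOCS) -> list[dict]:
    """Return one hit per log line whose hosts match an indicator (or a subdomain of one)."""
    iocs = [refang(i) for i in defanged_iocs]
    hits: list[dict] = []
    for lineno, line in enumerate(lines, start=1):
        for host in extract_hosts(line):
            matched = next((i for i in iocs if host_matches(host, i)), None)
            if matched is not None:
                hits.append({"line": lineno, "host": host.lower().rstrip("."), "indicator": matched})
                break  # one hit per line is enough for triage
    return hits


# Constructed sample log lines (not from the report): DNS resolver and web proxy entries.
SAMPLE_LOGS = [
    "2024-05-01T09:12:03Z dns client=10.0.4.21 query=A name=www.example.com.",
    "2024-05-01T09:12:41Z proxy client=10.0.4.21 method=GET url=https://cdn.escofiringbijou.com/ status=200",
    "2024-05-01T09:13:02Z dns client=10.0.4.33 query=A name=escofiringbijou.com.",
    "2024-05-01T09:13:10Z dns client=10.0.4.33 query=A name=notescofiringbijou.com.",
    "2024-05-01T09:14:55Z proxy client=10.0.4.50 method=GET url=https://updates.example.org/ status=304",
]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['host']} matches {hit['indicator']}")
```

Running the block against the constructed lines reports the proxy request to the `cdn.` subdomain and the direct DNS lookup of the domain, and stays silent on the look-alike `notescofiringbijou.com` entry. Extending `DEFANGED_IOCS` with further indicators as a vendor publishes them is the only change needed to reuse the check.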

The campaign’s scope extends beyond the group’s usual targets to include organizations in the government, think tank, higher education, financial, and legal sectors. This broader targeting suggests TA446 is leveraging DarkSword opportunistically for credential theft and intelligence collection.

Apple Issues Security Alerts

In response to the rising threat, Apple has begun sending Lock Screen notifications to devices running older versions of iOS and iPadOS, warning users of web-based attacks and urging immediate updates. The proactive alerts underscore the seriousness of the DarkSword leak and the potential for widespread exploitation.

Security experts, including Justin Albrecht from Lookout, warn that the leaked DarkSword kit lowers the barrier for cybercriminals, allowing even inexperienced attackers to deploy advanced iOS espionage tools. “DarkSword challenges the assumption that iPhones are immune to sophisticated attacks,” Albrecht said, emphasizing that mobile threats are no longer confined to high-value government or corporate targets.

The emergence of this campaign highlights a rapidly evolving mobile threat landscape, where nation-state exploits, once tightly controlled, are becoming accessible to a wider range of malicious actors.
