TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign
https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html
Publish Date: 2026-03-28 02:58:00
Source Domain: thehackernews.com
Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices.
The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446, which is also tracked by the broader cybersecurity community under the monikers Callisto, COLDRIVER, and Star Blizzard (formerly SEABORGIUM). It’s assessed to be affiliated with Russia’s Federal Security Service (FSB).
The hacking group is known for spear-phishing campaigns aimed at harvesting credentials from targets of interest. However, attacks mounted by the threat actor over the past year have also targeted victims’ WhatsApp accounts and leveraged various custom malware families to steal sensitive data.
The latest activity, highlighted by Proofpoint and Malfors, involves using fake “discussion invitation” emails spoofing the Atlantic Council to facilitate the delivery of GHOSTBLADE, a dataminer malware, via the DarkSword exploit kit. The emails were sent from compromised senders on March 26, 2026. One of the email recipients was Leonid Volkov, a prominent Russian opposition politician and the political director of the Anti-Corruption Foundation.
An automated analysis triggered by Proofpoint’s security tools is said to have been redirected to a benign decoy PDF document, likely because of server-side filtering put in place so that only iPhone browsers are led to the exploit kit.
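One way a defender can check a suspect URL for the kind of device-conditional filtering described above is to fetch it under several browser profiles and compare what comes back. This is an added example, not the article's or Proofpoint's code; the User-Agent strings, the `example.invalid` URLs and the sample observations are constructed.

```python
"""Spot User-Agent-conditional cloaking by comparing what one URL serves to
several client profiles. Added example; not from the article or Proofpoint."""
import hashlib
import urllib.request
from dataclasses import dataclass

# Constructed User-Agent strings; real triage would use current ones.
PROFILES = {
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "sandbox": "python-urllib/3",
}

@dataclass(frozen=True)
class Observation:
    profile: str
    final_url: str
    content_type: str
    body_sha256: str

def fetch_observation(url, profile, timeout=15):
    """Fetch url once under the given profile's User-Agent (redirects followed)."""
    req = urllib.request.Request(url, headers={"User-Agent": PROFILES[profile]})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
        return Observation(profile, resp.geturl(), ctype, hashlib.sha256(body).hexdigest())

def detect_cloaking(observations, baseline="sandbox"):
    """Return profiles whose final URL, content type or body differed from the
    baseline profile's. Any divergence is a signal that the server is choosing
    content per client and the sandbox verdict should not be trusted."""
    base = next(o for o in observations if o.profile == baseline)
    key = lambda o: (o.final_url, o.content_type, o.body_sha256)
    return sorted(o.profile for o in observations
                  if o.profile != baseline and key(o) != key(base))

# Constructed observations mimicking the behaviour the article describes:
# non-iPhone clients receive a decoy PDF, the iPhone profile receives HTML.
SAMPLE = [
    Observation("sandbox", "https://example.invalid/invite.pdf", "application/pdf", "a" * 64),
    Observation("desktop", "https://example.invalid/invite.pdf", "application/pdf", "a" * 64),
    Observation("iphone", "https://example.invalid/ek/", "text/html", "b" * 64),
]
```

Run `fetch_observation` once per profile against a URL in an isolated analysis environment, then pass the results to `detect_cloaking`; an empty list means every profile saw the same content.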

“We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices,” Proofpoint said.
The enterprise security firm also noted that the volume of emails from the threat actor has been “significantly higher” in the last two weeks, adding that these attacks lead to the deployment of a known backdoor referred…