TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign
Russian Threat Group TA446 Deploys DarkSword iOS Exploit Kit in Wide-Ranging Phishing Campaign
TL;DR
The Russian state-sponsored group TA446 (also known as Callisto or Star Blizzard) is leveraging the recently leaked DarkSword exploit kit to target iOS devices. Using spear-phishing emails spoofing the Atlantic Council, the group is delivering GHOSTBLADE malware and MAYBEROBOT backdoors. The campaign represents a significant shift for the actor, moving from traditional credential harvesting to advanced mobile exploitation targeting government, financial, and legal entities.
Introduction: A Shift in Tactics
Recent disclosures from Proofpoint and Malfors have identified a sophisticated targeted email campaign orchestrated by TA446, a threat actor tied to Russia's Federal Security Service (FSB). Known by various aliases including Callisto, COLDRIVER, and Star Blizzard, this group has historically focused on spear-phishing for credential harvesting.
However, new evidence reveals that the group has integrated the DarkSword iOS exploit kit into its arsenal. This move marks the first time TA446 has been observed targeting Apple devices and iCloud accounts directly, expanding their capability to conduct mobile espionage.
The Attack Vector: Spoofed Invitations
On March 26, 2026, TA446 initiated a campaign using compromised email accounts to send fake "discussion invitation" emails. These messages spoofed the Atlantic Council to gain the trust of high-profile targets. One notable recipient was Leonid Volkov, a prominent Russian opposition politician and director of the Anti-Corruption Foundation.
The attack chain functions as follows:
- Initial Contact: Victims receive a spear-phishing email containing a malicious link.
- Server-Side Filtering: The threat actor employs filtering to ensure only iPhone browsers are directed to the exploit kit. When Proofpoint’s automated tools analyzed the links, they were redirected to a benign decoy PDF, likely an evasion tactic to hide the exploit from security scanners.
- Exploitation: Successful targets are hit with the DarkSword exploit kit, which facilitates the delivery of GHOSTBLADE, a dataminer malware.
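The server-side filtering in step two is worth checking for directly when triaging a suspicious link, because a single fetch from a scanner sees only the decoy. The helper below is an added example (not code from the article, Proofpoint or Malfors): it requests the same URL once per browser profile and reports when the profiles receive different content. The user-agent strings, the URL and the `_fake_fetch` stand-in are constructed so the script runs offline; for live triage in a sandbox you would inject a real HTTP client in its place.

```python
"""Detect user-agent based cloaking of a suspicious link (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Callable

# Hypothetical browser profiles; the UA strings are constructed for the demo.
PROFILES = {
    "iphone-safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Safari/604.1",
    "windows-chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "scanner-python": "python-requests/2.31",
}


@dataclass(frozen=True)
class Response:
    final_url: str      # URL after redirects
    content_type: str
    body: bytes

    @property
    def body_sha256(self) -> str:
        return hashlib.sha256(self.body).hexdigest()


Fetcher = Callable[[str, str], Response]  # (url, user_agent) -> Response


def probe(url: str, fetch: Fetcher, profiles: dict[str, str] = PROFILES) -> dict[str, Response]:
    """Fetch url once per profile and return what each profile saw."""
    return {name: fetch(url, ua) for name, ua in profiles.items()}


def cloaking_verdict(results: dict[str, Response]) -> dict:
    """Report whether any profile received materially different content.

    Divergence in final URL, content type or body hash between profiles is
    the signature of the server-side filtering described in the attack chain.
    """
    if not results:
        return {"cloaked": False, "variants": 0, "outliers": []}
    by_variant: dict[str, list[str]] = {}
    for name, r in results.items():
        key = f"{r.final_url}|{r.content_type}|{r.body_sha256}"
        by_variant.setdefault(key, []).append(name)
    majority = max(by_variant.values(), key=len)
    # Profiles that got something other than what most profiles got
    outliers = sorted(n for n in results if n not in majority)
    return {"cloaked": len(by_variant) > 1, "variants": len(by_variant), "outliers": outliers}


# --- constructed offline stand-in for the network -------------------------
def _fake_fetch(url: str, user_agent: str) -> Response:
    # Constructed behaviour mirroring the article: iPhone browsers receive the
    # loader page, every other client is bounced to a harmless decoy PDF.
    if "iPhone" in user_agent:
        return Response(url, "text/html", b"<html><script src='loader.js'></script></html>")
    return Response(url + "/decoy.pdf", "application/pdf", b"%PDF-1.4 decoy")


def triage_example() -> dict:
    """Run the probe against the constructed fetcher (placeholder URL)."""
    return cloaking_verdict(probe("https://example.invalid/invite", _fake_fetch))


if __name__ == "__main__":
    print(triage_example())
```

A verdict with `cloaked` true and a mobile profile in `outliers` is the cue to detonate the link from a mobile user-agent in an isolated environment rather than trusting the PDF the scanner was handed.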
Technical Analysis of DarkSword
The use of DarkSword by TA446 has been corroborated through infrastructure analysis. A loader uploaded to VirusTotal referenced the domain escofiringbijou[.]com, which has been attributed to the actor. Further analysis via urlscan.io confirmed that this domain served multiple components of the DarkSword kit, including:
- Initial redirectors
- Exploit loaders
- Remote Code Execution (RCE) modules
- Pointer Authentication Code (PAC) bypass components
While the kit is capable of advanced maneuvers, researchers noted that there is currently no evidence of successful sandbox escapes being delivered in this specific campaign.
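For defenders, the practical follow-up to this infrastructure analysis is a retrospective hunt for the staging domain in web proxy logs. The script below is an added example (not from the article, Proofpoint or urlscan.io). The only real indicator it uses is the defanged domain quoted above; the log format, the log lines and the URL paths in them are constructed for the demonstration.

```python
"""Hunt proxy logs for a defanged staging domain (added example)."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

DEFANGED_IOCS = ["escofiringbijou[.]com"]  # domain named in the write-up


def refang(ioc: str) -> str:
    """Turn common defanging ('[.]', '(.)', 'hxxp') back into a matchable string."""
    return (ioc.replace("[.]", ".").replace("(.)", ".")
               .replace("hxxps://", "https://").replace("hxxp://", "http://")).lower()


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the domain itself or any subdomain, never for look-alikes."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed log lines in a simplified format:
# timestamp client-ip method url status user-agent
SAMPLE_LOG = """\
2026-03-26T09:14:02Z 10.0.0.12 GET https://www.example.org/events 200 Mozilla/5.0 (iPhone; ...)
2026-03-26T09:14:05Z 10.0.0.12 GET https://escofiringbijou.com/invite/ 200 Mozilla/5.0 (iPhone; ...)
2026-03-26T09:14:06Z 10.0.0.12 GET https://cdn.escofiringbijou.com/l.js 200 Mozilla/5.0 (iPhone; ...)
2026-03-26T09:15:40Z 10.0.0.33 GET https://notescofiringbijou.com/ 200 Mozilla/5.0 (Windows NT 10.0)
2026-03-26T09:16:01Z 10.0.0.45 GET hxxps://escofiringbijou[.]com/decoy.pdf 200 python-requests/2.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ua>.*)$"
)


def hunt(log_text: str, iocs: list[str] = DEFANGED_IOCS) -> list[dict]:
    """Return one record per log line whose host is the IoC domain or a subdomain."""
    domains = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the hunt
        url = refang(m["url"])  # exported logs are sometimes defanged too
        parts = urlsplit(url)
        host = parts.hostname or ""
        if any(host_matches(host, d) for d in domains):
            hits.append({"ts": m["ts"], "client": m["client"], "host": host,
                         "path": parts.path, "ua": m["ua"]})
    return hits


def clients_to_triage(log_text: str) -> list[str]:
    """Distinct client addresses that touched the infrastructure, for device triage."""
    return sorted({h["client"] for h in hunt(log_text)})


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h)
    print("triage:", clients_to_triage(SAMPLE_LOG))
```

Matching on the parsed hostname rather than substring-searching the raw line is what keeps the look-alike `notescofiringbijou.com` line out of the results while still catching subdomains and a defanged entry.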
Broadening the Target Set
Historically, TA446 has been highly selective. However, Proofpoint noted that the volume of emails has been "significantly higher" over the last two weeks, and the target set has become "much wider than usual." Impacted sectors now include:
- Government agencies
- Think tanks
- Higher education institutions
- Financial and legal entities
In addition to the iOS-specific DarkSword attacks, the group continues to deploy the MAYBEROBOT backdoor via password-protected ZIP files, suggesting a multi-pronged approach to intelligence collection.
The Democracy of Exploits
The emergence of DarkSword as a tool for TA446 coincides with the leak of a "plug-and-play" version of the kit on GitHub. Security experts, including Justin Albrecht of Lookout, warn that this leak "democratizes" access to nation-state level exploits.
What was once a highly specialized tool for elite intelligence agencies is now becoming commodity malware, allowing even less-skilled actors to compromise iOS devices. This shift challenges the long-held belief that iPhones are inherently immune to widespread cyber threats.
Apple’s Response
In an unusual move, Apple has begun sending Lock Screen notifications to users running older versions of iOS and iPadOS. These alerts specifically warn of web-based attacks and urge immediate updates to block the threat. This proactive measure signals that Apple views the DarkSword leak as a significant risk to its broader user base, necessitating urgent public action.
Conclusion
The adoption of the DarkSword exploit kit by TA446 represents a dangerous evolution in Russian state-sponsored cyber operations. By combining traditional social engineering with advanced mobile exploitation, TA446 is now capable of bypassing mobile security hurdles that previously limited their reach.
As nation-state tools continue to leak into the public domain, the barrier to entry for mobile espionage is falling. Organizations and high-risk individuals are advised to ensure all iOS devices are updated to the latest firmware immediately to mitigate the risk of web-based exploit kits.
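Turning the closing advice into something an organisation can act on means comparing the fleet's actual iOS and iPadOS versions against the build that carries Apple's fix. The script below is an added example (not from the article, Apple or any MDM vendor): it reads an MDM inventory export and lists devices below a required version. The article does not name the patched version, so the minimum is passed in as a parameter and the value used in the demonstration, like the inventory rows, is constructed.

```python
"""Flag iOS/iPadOS devices below a required OS version (added example)."""
from __future__ import annotations

import csv
import io

# Constructed MDM export; column names are an assumption about your MDM.
INVENTORY_CSV = """\
device_id,platform,os_version,last_checkin,owner
ipad-001,iPadOS,17.6.1,2026-03-25,legal
iphone-002,iOS,18.3,2026-03-26,exec
iphone-003,iOS,18.4.1,2026-03-26,finance
iphone-004,iOS,16.7.10,2026-01-30,legal
mac-005,macOS,14.7,2026-03-26,it
"""


def parse_version(v: str) -> tuple[int, int, int]:
    """'17.4.1' -> (17, 4, 1); pads so '18.4' compares equal to '18.4.0'.

    Anything after the first whitespace (e.g. a build number in parentheses)
    is ignored, and a non-numeric component counts as 0.
    """
    head = v.strip().split()[0] if v.strip() else ""
    parts: list[int] = []
    for piece in head.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def outdated_devices(csv_text: str, minimum: str,
                     platforms: tuple[str, ...] = ("iOS", "iPadOS")) -> list[dict]:
    """Rows for in-scope devices whose OS is older than `minimum`, oldest first."""
    need = parse_version(minimum)
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["platform"] not in platforms:
            continue  # web-based iOS exploit kit: only Apple mobile platforms matter here
        have = parse_version(row["os_version"])
        if have < need:
            out.append({**row, "gap": f"{row['os_version']} < {minimum}"})
    return sorted(out, key=lambda r: parse_version(r["os_version"]))


def outdated_ids(csv_text: str, minimum: str) -> list[str]:
    """Just the device identifiers, for feeding a remediation ticket or push."""
    return [r["device_id"] for r in outdated_devices(csv_text, minimum)]


if __name__ == "__main__":
    # "18.4" is a constructed threshold; replace it with the version from
    # Apple's security release notes for the fix you are enforcing.
    for r in outdated_devices(INVENTORY_CSV, "18.4"):
        print(r["device_id"], r["platform"], r["gap"], r["owner"])
```

Sorting oldest-first puts the devices with the longest exposure window at the top, and the `last_checkin` column carried through from the export tells you which of those have not even contacted the MDM recently enough to receive an update push.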
Source: The Hacker News - TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign