




Russian Group TA446 Uses the "DarkSword iOS Exploit Kit" in Its Wide Phishing Campaign
TL;DR (Summary)
The Russian state-backed group TA446 (also known by other names such as Callisto or Star Blizzard) used the recent leak of the DarkSword exploit kit to target iOS devices. Through spear-phishing emails that impersonate the "Atlantic Council", the group delivers malware called GHOSTBLADE and backdoors named MAYBEROBOT. This is a major step in this actor's tactics: it has moved from ordinary credential harvesting to advanced targeting of mobile phones belonging to governments, financial institutions, and legal firms.
Introduction: A Shift in Tactics
New reports from Proofpoint and Malfors revealed a targeted, sophisticated email campaign run by TA446, the group linked to Russian intelligence (the FSB). Known by many names such as Callisto, COLDRIVER, and Star Blizzard, it had always focused on phishing to steal passwords.
However, new evidence shows that the group has added the DarkSword iOS exploit kit to its arsenal. This is the first time TA446 has been seen directly targeting Apple devices and iCloud accounts, as it expands into mobile espionage.
Attack Method: Impersonated Invitations
On 26 March 2026, TA446 started a campaign using compromised email accounts to send fake discussion invitations. These emails used the Atlantic Council's name to win the trust of high-value targets. One of those targets was Leonid Volkov, a Russian opposition politician and director of an anti-corruption foundation.
The attack chain goes through these steps:
- Initial contact: victims receive an email containing a link that leads to the malware.
- Server-side filtering: the attacker filters visitors so that only those using an iPhone browser are sent to the exploit kit. When Proofpoint's automated tools followed the links, they were redirected to an ordinary PDF file, a technique meant to evade antivirus and security scanners.
- Exploitation: targets that pass the filter are served the DarkSword exploit kit, which then deploys GHOSTBLADE, an information-stealing malware.
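A defender-side check for the server-side filtering step above, added here as an example that is not part of the original article: the same suspect link is fetched under several User-Agent strings and the responses compared, so a page that hands an iPhone browser something different from what desktop clients and scanners receive is flagged as cloaked. The User-Agent strings, the simulated servers and the URL are constructed assumptions.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed User-Agent strings (assumptions, not taken from the article).
PROBE_AGENTS: Dict[str, str] = {
    "iphone_safari": ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
                      "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"),
    "desktop_chrome": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/120.0 Safari/537.36"),
    "scanner_curl": "curl/8.4.0",
}

# A fetcher maps (url, user_agent) -> (content_type, body); injected so the probe runs offline.
Fetcher = Callable[[str, str], Tuple[str, bytes]]

def urllib_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Tuple[str, bytes]:
    # Live fetcher for an isolated analysis host; the offline demo below does not use it.
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()

def probe_url(url: str, fetch: Fetcher, agents: Dict[str, str] = PROBE_AGENTS) -> Dict[str, Tuple[str, str]]:
    """Fetch the same URL under each User-Agent and record (media type, body hash prefix)."""
    results = {}
    for name, ua in agents.items():
        ctype, body = fetch(url, ua)
        results[name] = (ctype.split(";")[0].strip(), hashlib.sha256(body).hexdigest()[:16])
    return results

def is_cloaked(results: Dict[str, Tuple[str, str]]) -> bool:
    """Flag cloaking when the iPhone browser gets a response no other client gets."""
    mobile = results.get("iphone_safari")
    others = {v for k, v in results.items() if k != "iphone_safari"}
    return mobile is not None and bool(others) and mobile not in others

# Constructed stand-in for a filtering server like the one described above:
# iPhone Safari gets the landing page, every other client gets a harmless decoy PDF.
def filtering_fetch(url: str, user_agent: str) -> Tuple[str, bytes]:
    if "iPhone" in user_agent and "Safari" in user_agent:
        return "text/html; charset=utf-8", b"<html><body>constructed landing page</body></html>"
    return "application/pdf", b"%PDF-1.4 constructed decoy document\n"

# Constructed stand-in for a server that serves the same document to everyone.
def uniform_fetch(url: str, user_agent: str) -> Tuple[str, bytes]:
    return "application/pdf", b"%PDF-1.4 constructed decoy document\n"
```

Swap `filtering_fetch` for `urllib_fetch` to probe a real link from a sandboxed analysis host; a divergent iPhone response is a reason to detonate the link in a mobile analysis environment rather than trust the decoy PDF.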
Technical Analysis of DarkSword
TA446's use of DarkSword was confirmed by infrastructure analysis. A loader uploaded to VirusTotal contained a link to the domain escofiringbijou[.]com, which is known to belong to this group. Further analysis on urlscan.io confirmed that this domain was serving many of the DarkSword kit's components, including:
- Initial redirectors
- Exploit loaders
- Remote Code Execution (RCE) modules
- Pointer Authentication Code (PAC) bypass components
Although the kit contains advanced techniques, researchers found no evidence of a sandbox escape in this campaign.
Widening the Target Set
In the past, TA446 chose its targets with great care. However, Proofpoint noted that the volume of emails sent in the last two weeks was "much higher" and the targets became "broader than usual". The sectors now affected include:
- Government agencies
- Think tanks
- Higher-education institutions
- Financial and legal institutions
Beyond the iOS attacks with DarkSword, the group is still delivering the MAYBEROBOT backdoor in password-protected ZIP files, which shows it runs several collection methods in parallel.
The Democratization of Exploits
DarkSword's appearance as a tool in TA446's hands coincided with the leak of a "plug-and-play" version of the kit on GitHub. Security experts such as Justin Albrecht of Lookout warn that this leak is "democratizing" nation-state-level exploits.
What was once a tool reserved for elite intelligence agencies is now malware available on the market, letting even ordinary hackers compromise iOS devices. This reality challenges the belief many people held that the iPhone is always protected from internet threats.
Apple's Response
In an unprecedented step, Apple started sending Lock Screen notifications to users running older versions of iOS and iPadOS. These alerts warn about web-based attacks and urge users to update immediately to block the threat. This proactive measure shows that Apple considers the DarkSword leak a serious danger to its users.
Conclusion
TA446's use of the DarkSword exploit kit marks a dangerous evolution in Russia's cyber operations. By combining its long-standing social-engineering tricks with advanced iOS techniques, TA446 can now get past the security barriers that used to stop it.
As state-built tools keep leaking to the public, the high bar for mobile espionage is falling. Organizations and at-risk individuals should make sure all their iOS devices are updated to the latest version to avoid these exploit kits.
Source: The Hacker News - TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign