As mobile threats grow more advanced, the DarkSword iOS exploit campaign attributed to TA446 highlights how nation-state actors are expanding their tactics to target Apple devices through sophisticated spear-phishing operations.
Security researchers at Proofpoint have uncovered a targeted email campaign revealing that the Russia-aligned threat group TA446 is leveraging the DarkSword exploit kit to compromise iOS devices. The group, also known as Callisto, COLDRIVER, and Star Blizzard, is widely believed to be affiliated with Russia’s Federal Security Service.
The campaign used spoofed emails posing as invitations from the Atlantic Council to lure victims into opening malicious links. These emails were sent from compromised accounts and targeted individuals across multiple sectors, including government, academia, finance, and legal organizations. One known recipient was Leonid Volkov, underscoring the campaign’s political focus.
Once users interacted with the emails, the attack chain attempted to deliver GHOSTBLADE, a data-mining malware, via the DarkSword exploit kit. Researchers observed that the exploit delivery was selectively triggered: only iPhone users were redirected to the malicious payload, while everyone else was shown a benign document, a cloaking tactic designed to evade detection and analysis.
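The selective delivery described above is a form of User-Agent cloaking, and a defender can test a suspicious landing page for it by requesting the same URL with several client identities and comparing what comes back. The following is an added illustration written for this article, not code from Proofpoint or from the campaign: it defines a small cloaking detector that takes any `fetch(url, user_agent)` callable, fingerprints each response (status, redirect target, body hash) and reports which client identities received a different answer from the rest. The User-Agent strings, the URLs and the two simulated fetch functions are constructed for the example so it runs offline; in practice the fetcher would be a sandboxed HTTP client, never a production browser.

```python
"""Detect User-Agent based cloaking on a suspicious landing page.

Added example for this article (not Proofpoint's or the campaign's code).
All URLs, User-Agent strings and the simulated servers below are constructed.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int        # HTTP status code
    location: str      # Location header for redirects, "" otherwise
    body: bytes        # response body


# Constructed probe identities: an iPhone Safari client and two desktop clients.
PROBE_AGENTS = {
    "iphone": ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 "
               "Mobile/15E148 Safari/604.1"),
    "mac": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
            "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15"),
    "windows": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"),
}


def fingerprint(resp: Response) -> tuple:
    """Reduce a response to a comparable (status, redirect, body-hash) tuple."""
    body_hash = hashlib.sha256(resp.body).hexdigest()[:16]
    return (resp.status, resp.location, body_hash)


def detect_cloaking(fetch, url: str) -> dict:
    """Probe `url` with every identity in PROBE_AGENTS via fetch(url, ua).

    Returns a verdict dict: 'cloaked' is True when the responses differ,
    and 'outliers' lists the identities that got a unique response
    (the clients the page appears to single out).
    """
    results = {name: fingerprint(fetch(url, ua)) for name, ua in PROBE_AGENTS.items()}
    counts = Counter(results.values())
    cloaked = len(counts) > 1
    outliers = sorted(name for name, fp in results.items() if counts[fp] == 1) if cloaked else []
    return {"cloaked": cloaked, "outliers": outliers, "fingerprints": results}


# Simulated servers (constructed). The cloaking one mimics the behaviour the
# article describes: iPhone clients are redirected, everyone else gets a decoy.
BENIGN_DECOY = b"<html><body>Invitation: event agenda (PDF)</body></html>"


def simulated_cloaking_fetch(url: str, user_agent: str) -> Response:
    if "iPhone" in user_agent:
        return Response(302, "https://stage2.example.invalid/", b"")
    return Response(200, "", BENIGN_DECOY)


def simulated_honest_fetch(url: str, user_agent: str) -> Response:
    return Response(200, "", BENIGN_DECOY)


if __name__ == "__main__":
    for label, fetcher in (("cloaking", simulated_cloaking_fetch),
                           ("honest", simulated_honest_fetch)):
        verdict = detect_cloaking(fetcher, "https://invite.example.invalid/")
        print(label, "->", "cloaked" if verdict["cloaked"] else "consistent",
              verdict["outliers"])
```

To use it against a live suspect URL from an isolated analysis host, pass a fetcher built on `urllib.request` or `requests` with redirects disabled, so the `Location` header is captured rather than followed. The minority-vote rule (identities with a unique fingerprint are the outliers) is a deliberate simplification; with more probe identities a real tool should also tolerate benign variation such as timestamps or session tokens in the body.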
“We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices,” Proofpoint said.
The DarkSword framework includes multiple components such as exploit loaders, remote code execution capabilities, and mechanisms to bypass Apple’s Pointer Authentication Code protections. Evidence suggests the group is repurposing the tool primarily for credential harvesting and intelligence gathering.
In parallel, researchers identified the deployment of a backdoor known as MAYBEROBOT through password-protected archive files, indicating that the campaign extends beyond initial exploitation to persistent access and data exfiltration.
The scale of the campaign appears broader than previous TA446 operations, suggesting a shift toward more opportunistic targeting. Analysts believe the availability of DarkSword may be enabling this expansion, lowering the barrier to executing advanced mobile attacks.
The threat has drawn attention from Apple, which has begun issuing lock screen alerts to users running outdated versions of iOS and iPadOS, urging them to update immediately. The warning reflects the seriousness of the vulnerability and its potential impact on a wide user base.
Concerns have intensified following reports that a new version of the DarkSword exploit kit has been leaked publicly, raising the possibility that such tools could become accessible to less sophisticated attackers. This development could significantly alter the mobile threat landscape by turning advanced espionage capabilities into more widely available attack tools.
“DarkSword refutes the common belief that iPhones are immune to cyber threats, and that advanced mobile attacks are only used in targeted efforts against governments and high-ranking officials,” said Justin Albrecht, principal researcher at Lookout.
The TA446 DarkSword campaign underscores a critical shift in cybersecurity, where mobile platforms are increasingly targeted by sophisticated adversaries. As exploit kits become more accessible, organizations and individuals must adopt stronger security practices, including timely updates and heightened awareness of phishing threats, to defend against evolving risks.