Russian state-sponsored hackers have begun weaponizing the recently leaked DarkSword iOS exploit kit in a targeted spear-phishing campaign, their first known attempt to compromise Apple devices and iCloud accounts. Proofpoint disclosed the campaign, attributing it to TA446, also known as Callisto, COLDRIVER, and Star Blizzard, which is affiliated with Russia’s Federal Security Service (FSB).
The campaign involves fake “discussion invitation” emails spoofing the Atlantic Council, sent from compromised accounts. These emails aim to deliver GHOSTBLADE, a dataminer malware, via the DarkSword exploit kit. Among the identified targets is Leonid Volkov, a prominent figure in Russia’s opposition and political director of the Anti-Corruption Foundation. Proofpoint noted that the campaign’s targeting encompasses a broader range of entities than usual, including government, think tanks, higher education, financial, and legal institutions.
Proofpoint has directly observed this email activity and attributes the messages to Russian FSB threat actor TA446 with high confidence. We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit… https://t.co/iXi2fdlsZd
— Threat Insight (@threatinsight) March 27, 2026
TA446 has historically focused on credential-harvesting through spear-phishing attacks. However, the adoption of the DarkSword kit indicates an expansion into mobile exploitation. Proofpoint stated, “We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices.” The emails are specifically designed to exploit vulnerabilities on iPhones, redirecting non-iOS users to a benign PDF.
Proofpoint has observed a spike in TA446 email volume over the past two weeks, which coincides with other campaigns deploying the backdoor MAYBEROBOT via password-protected ZIP files.
The DarkSword exploit kit was initially uncovered by a joint investigation from the Google Threat Intelligence Group, Lookout, and iVerify. It exploits six vulnerabilities, including three zero-day flaws, affecting iPhones running iOS versions 18.4 through 18.7. A new version of the kit was leaked on GitHub on March 23, prompting concerns about the potential for less skilled threat actors to access advanced exploits. Justin Albrecht, principal researcher at Lookout, stated that “DarkSword refutes the common belief that iPhones are immune to cyber threats,” highlighting that the leaked version can be used by unskilled threat actors.
In response to these threats, Apple has initiated Lock Screen notifications for users with older iOS versions. These alerts warn of active web-based attacks and recommend immediate updates for devices running as old as iOS 17.0. Apple released updates iOS 15.8.7 and iOS 16.7.15 on March 11, allowing older devices to benefit from enhanced protections. Users on iOS 13 or 14 are required to update to iOS 15 to receive necessary patches. Additionally, Apple has advised users unable to update to enable Lockdown Mode, stating that it remains unaware of any successful spyware attacks against devices with this mode activated.
