In a notable development, Proofpoint has reported on a targeted email campaign in which the Russian state-sponsored group TA446 is utilizing the recently disclosed DarkSword exploit kit to compromise iOS devices. This group, also known by various names including Callisto and Star Blizzard, is believed to have ties to Russia’s Federal Security Service (FSB).
Details of the Campaign
The campaign involved sending fake “discussion invitation” emails that spoofed the Atlantic Council, with the intent of delivering GHOSTBLADE, a dataminer malware, through the DarkSword exploit kit. These emails were dispatched from compromised accounts on March 26, 2026. Among the recipients was Leonid Volkov, a notable Russian opposition politician.
Technical Insights
During Proofpoint’s automated analysis, the emails redirected to a benign PDF document, likely because server-side filtering is aimed at directing iPhone users to the exploit kit. This marks a shift: Proofpoint noted that it had not previously observed TA446 targeting iCloud accounts or Apple devices. The adoption of the DarkSword exploit kit now enables this capability.
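The following is an added example, not code from Proofpoint or from the original article, of how a defender could surface this kind of server-side filtering in web-proxy logs: it flags URLs whose redirect target for iOS clients differs from the one given to every other client. The log format, the hostnames and the assumption that the filtering keys on the User-Agent header are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines: timestamp, client IP, requested URL, redirect target, User-Agent.
# Hostnames use the reserved .example TLD; none of these values come from the campaign.
SAMPLE_LOG = """\
2026-03-26T09:14:02Z 10.0.4.17 https://invite.example/d/7f3a -> https://cdn.example/agenda.pdf "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/134.0"
2026-03-26T09:15:40Z 10.0.9.52 https://invite.example/d/7f3a -> https://landing.example/view "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/604.1"
2026-03-26T09:16:11Z 10.0.2.8 https://invite.example/d/7f3a -> https://cdn.example/agenda.pdf "python-requests/2.31"
2026-03-26T10:01:00Z 10.0.4.17 https://news.example/a -> https://news.example/a/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/134.0"
2026-03-26T10:02:30Z 10.0.9.52 https://news.example/a -> https://news.example/a/ "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/604.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) -> (\S+) "([^"]*)"$')


def device_class(user_agent):
    """Coarse bucket: 'ios' for iPhone/iPad user agents, 'other' for everything else."""
    return "ios" if re.search(r"\b(iPhone|iPad)\b", user_agent) else "other"


def find_device_split_redirects(log_text):
    """Return {url: {'ios': targets, 'other': targets}} for URLs whose redirect
    targets for iOS clients share nothing with those seen by other clients."""
    seen = defaultdict(lambda: {"ios": set(), "other": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        _, _, url, target, user_agent = m.groups()
        seen[url][device_class(user_agent)].add(target)

    flagged = {}
    for url, by_class in seen.items():
        ios, other = by_class["ios"], by_class["other"]
        # Compare only when both device classes have been observed for this URL.
        if ios and other and ios.isdisjoint(other):
            flagged[url] = by_class
    return flagged


if __name__ == "__main__":
    for url, targets in find_device_split_redirects(SAMPLE_LOG).items():
        print(url, "ios ->", sorted(targets["ios"]), "| other ->", sorted(targets["other"]))
```

A hit is a lead for manual review rather than proof of malice, since legitimate sites also send mobile clients to different destinations.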
Increased Activity and Targeting
In the past two weeks, the volume of emails from TA446 has significantly increased. These attacks have led to the deployment of a known backdoor referred to as MAYBEROBOT, which is distributed via password-protected ZIP files. The use of DarkSword has been confirmed through a loader uploaded to VirusTotal, which referenced a domain attributed to the threat actor.
Broader Implications
The targeting observed in this campaign is described as being “much wider than usual,” encompassing various sectors including government, think tanks, higher education, finance, and legal entities. This raises concerns that TA446 is leveraging the DarkSword exploit kit as part of a broader opportunistic campaign.
In response to these developments, Apple has begun notifying users of older iOS and iPadOS versions about potential web-based attacks, urging them to install updates to mitigate the threat. This proactive measure suggests that Apple views the situation as serious enough to warrant immediate user attention.
As the landscape of mobile threats evolves, the leak of a new version of DarkSword on GitHub has raised alarms about the potential democratization of access to sophisticated exploits, which could fundamentally alter the mobile security environment.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








