- A Russian state-sponsored hacking group is now using the leaked DarkSword iOS exploit kit in targeted email attacks.
- The campaign spoofed the Atlantic Council to deliver malware, with one prominent Russian opposition figure among the targets.
- Enterprise security firm Proofpoint noted a significant increase in the volume of such attacks over the past two weeks.
- Apple has begun sending urgent Lock Screen notifications to users on older iOS versions to warn of the threat.
A Russian state-sponsored threat group known as TA446, linked to the FSB, is now targeting iOS devices using the powerful DarkSword exploit kit embedded within phishing emails, according to Proofpoint. This campaign, active in late March 2026, uses fake invitations from the Atlantic Council to implant malicious software.
This represents a major escalation in the group’s tactics, which previously focused on credential harvesting. Targets now include government agencies, think tanks, and financial institutions, as Proofpoint and Malfors detailed.
The emails successfully delivered the GHOSTBLADE dataminer and MAYBEROBOT backdoor malware using the sophisticated kit. One recipient of these attack emails was Leonid Volkov, a noted Russian opposition leader.
However, automated analysis suggests some security tools saw only a decoy PDF: server-side filtering likely delivered the exploit kit exclusively to iPhone browsers.
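A defender-side check for the behaviour described above, as an added example that is not from Proofpoint or the original article: it scans web-proxy log records for URLs that returned one content type to iOS browsers and a different one to every other client. The log format, hostnames and function names are assumptions made for illustration, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed proxy-log sample (not campaign data): url|user-agent|content-type
SAMPLE_LOG = """\
https://invite.example.test/rsvp|Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1|text/html
https://invite.example.test/rsvp|Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0|application/pdf
https://invite.example.test/rsvp|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0|application/pdf
https://news.example.test/story|Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1|text/html
https://news.example.test/story|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0|text/html; charset=utf-8
https://solo.example.test/a|Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1|text/html
"""

def is_ios(user_agent):
    # Heuristic: iPadOS Safari can present a desktop Mac UA and will be missed.
    ua = user_agent.lower()
    return "iphone" in ua or "ipad" in ua

def parse_log(text):
    """Parse the assumed url|user-agent|content-type format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, ua, ctype = line.split("|")
        # Drop parameters such as "; charset=utf-8" before comparing types.
        records.append((url, ua, ctype.split(";")[0].strip().lower()))
    return records

def find_ua_conditional_urls(records):
    """Return URLs whose content types for iOS and non-iOS clients never overlap."""
    seen = defaultdict(lambda: {"ios": set(), "other": set()})
    for url, ua, ctype in records:
        seen[url]["ios" if is_ios(ua) else "other"].add(ctype)
    flagged = []
    for url, groups in sorted(seen.items()):
        ios, other = groups["ios"], groups["other"]
        # Require both client classes; a URL seen by one class proves nothing.
        if ios and other and ios.isdisjoint(other):
            flagged.append((url, sorted(ios), sorted(other)))
    return flagged

if __name__ == "__main__":
    for url, ios, other in find_ua_conditional_urls(parse_log(SAMPLE_LOG)):
        print(f"{url}: iOS got {ios}, others got {other}")
```

A hit is a lead for manual review rather than a verdict, since legitimate sites also vary responses by device.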
Proofpoint stated, “We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices.” Evidence linking the group to DarkSword includes malware referencing a known TA446-controlled domain.
A urlscan.io result revealed the technical components served by the domain. The campaign’s wide targeting has also raised concerns about opportunistic exploitation.
Apple is issuing direct Lock Screen warnings to users on outdated iOS versions, urging them to update and block the threat. The leak of DarkSword’s newer version on GitHub, as a VirusTotal file shows, has alarmed experts.
Justin Albrecht, principal researcher at Lookout, warned about the kit’s commoditization. He added, “DarkSword refutes the common belief that iPhones are immune to cyber threats, and that advanced mobile attacks are only used in targeted efforts against governments and high-ranking officials.”
