
TA446 Uses DarkSword iOS Kit in Targeted Phishing Campaign

By Ravie Lakshmanan, March 28, 2026. Mobile Security / Email Security

Proofpoint has revealed details of a targeted email campaign in which Russian-linked threat actors are using the newly disclosed DarkSword exploit kit to target iOS devices.

The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446, which is also tracked by the wider cybersecurity community under the monikers Callisto, COLDRIVER, and Star Blizzard (formerly SEABORGIUM). It is believed to be related to Russia’s Federal Security Service (FSB).

The hacking group is known for phishing campaigns aimed at harvesting information from its targets. In the past year, however, attacks attributed to the threat actor have also targeted victims' WhatsApp accounts and used various malware families to steal sensitive data.

The latest operation, highlighted by Proofpoint and Malfors, involved fake “chat invitation” emails targeting the Atlantic Council in order to deliver GHOSTBLADE, a data-mining malware, by way of the DarkSword exploit kit. The emails were sent from vulnerable senders on March 26, 2026. One of the recipients was Leonid Volkov, a prominent Russian opposition politician and political director of the Anti-Corruption Foundation.

An automated analysis initiated by Proofpoint’s security tools is said to have been redirected to a decoy PDF document, possibly due to server-side filtering designed to lead only iPhone browsers to the exploit kit.

“We have not previously identified iCloud accounts or Apple devices in TA446, but the adoption of the DarkSword iOS exploit kit has now enabled the attacker to target iOS devices,” Proofpoint said.

The enterprise security firm also noted that the volume of emails from the threat actor has been “very high” in the past two weeks, adding that the attack leads to the installation of a backdoor known as MAYBEROBOT via password-protected ZIP files.
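Password-protected archives are a common way to get a backdoor past attachment scanners, because the scanner cannot open the entry without the password; a mail gateway can still read the ZIP central directory and see that the entry is encrypted. The following is an added example, not Proofpoint's tooling and not code from the article: it inspects the general-purpose flag bit of each ZIP entry and returns a triage verdict. The sample archive is constructed in code by patching that flag bit on an ordinary zip, which is enough to make Python's zipfile treat the entry as encrypted without needing a real password-protected archive.

```python
import io
import struct
import zipfile

# Bit 0 of the general-purpose flag in a ZIP entry header marks the entry as
# encrypted (traditional PKWARE or AES). A scanner cannot read such an entry
# without the password, which is exactly why attackers use it.
ENCRYPTED_FLAG = 0x0001


def zip_entries(data: bytes) -> list:
    """Parse only the central directory; no entry data is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.infolist()


def is_password_protected(data: bytes) -> bool:
    """True if any entry in the archive is marked encrypted."""
    return any(info.flag_bits & ENCRYPTED_FLAG for info in zip_entries(data))


def triage_attachment(filename: str, data: bytes) -> str:
    """Gateway-style verdict for one attachment (hypothetical policy labels).

    Only the ZIP local-header magic is checked so that a renamed archive
    (e.g. "invite.pdf" that is really a zip) is still inspected.
    """
    if not data.startswith(b"PK\x03\x04"):
        return "allow"
    try:
        entries = zip_entries(data)
    except zipfile.BadZipFile:
        # Truncated or corrupt archives are suspicious in their own right.
        return "quarantine:malformed-zip"
    if any(info.flag_bits & ENCRYPTED_FLAG for info in entries):
        return "quarantine:password-protected-zip"
    return "allow"


def _set_encrypted_flag(buf: bytearray, signature: bytes, flag_offset: int) -> None:
    """Set bit 0 of the flag field in every header that starts with `signature`."""
    pos = 0
    while (pos := buf.find(signature, pos)) != -1:
        off = pos + flag_offset
        flags = struct.unpack_from("<H", buf, off)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", buf, off, flags)
        pos += len(signature)


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample archive; with encrypted=True the headers are patched
    so that the single entry is flagged as password protected."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("chat_invitation.html", "<html>constructed sample body</html>")
    buf = bytearray(out.getvalue())
    if encrypted:
        # Local file header: sig(4) version(2) flags(2) -> flags at offset 6.
        _set_encrypted_flag(buf, b"PK\x03\x04", 6)
        # Central directory header: sig(4) made-by(2) needed(2) flags(2) -> offset 8.
        _set_encrypted_flag(buf, b"PK\x01\x02", 8)
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in (("plain", make_sample_zip(False)),
                          ("protected", make_sample_zip(True))):
        print(label, triage_attachment("invite.zip", sample))
```

The verdict strings are placeholders for whatever a real gateway policy uses; the point is that the decision can be made from header metadata alone, before any attempt to open the entry.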

The group’s use of DarkSword was further confirmed by the fact that a DarkSword downloader uploaded to VirusTotal was found to refer to “escofiringbijou[.]com,” a second-tier domain named by the threat actor.

A urlscan[.]io result revealed that the domain controlled by TA446 used the DarkSword exploit kit, including its initial redirection, exploit loader, remote code extraction, and Pointer Authentication Code (PAC) bypass components. However, there is no evidence that the sandbox escape was delivered.

It is suspected that TA446 is also using the DarkSword kit for warrants and intelligence gathering, and Proofpoint notes that the targeting identified in the email campaign was “much broader than usual” and included government, think tank, higher education, financial, and law enforcement agencies.

This, in turn, raised the possibility that a threat actor is using the new DarkSword-provided ability as part of an opportunistic campaign against a wider set of targets.

The development comes as Apple has started sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS to alert users of web-based attacks and urge them to install an update to block the threat. The unusual move shows that the company treats it as a threat wide enough that it needs users’ immediate attention.

Apple’s warning also coincides with the leak of a new version of DarkSword on GitHub, which raises concerns that it could democratize access to state-grade exploitation and fundamentally change the mobile threat landscape.

Justin Albrecht, principal researcher at Lookout, said the leaked, plug-and-play version allows even unskilled threat actors to build malware on top of an advanced iOS spy kit.

“DarkSword challenges the common belief that iPhones are not immune to cyber threats, and that advanced mobile attacks are only used in efforts aimed at governments and senior officials,” Albrecht said.
