
Russia-linked APT TA446 uses DarkSword exploit to target iPhone users in phishing wave


Russia-linked TA446 is using the DarkSword iOS exploit kit in targeted phishing campaigns to compromise iPhone users.

Russia-linked APT group TA446 (aka SEABORGIUM, ColdRiver, Callisto, and Star Blizzard) is using the DarkSword exploit kit in targeted spear-phishing campaigns against iOS devices. The attacks rely on malicious emails to compromise iPhones, highlighting a growing threat from advanced state-sponsored actors.

TA446 has been active since at least 2017. Its campaigns involve persistent phishing and credential theft leading to intrusions and data theft. The APT group primarily targets NATO countries, but experts have also observed campaigns against the Baltics, Nordics, and Eastern Europe, including Ukraine.

The group primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education. The APT also targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.

SEABORGIUM’s campaigns begin with reconnaissance of target individuals, focusing on identifying their contacts on social networks and their sphere of influence.

Proofpoint researchers have directly observed a phishing campaign attributed with high confidence to TA446. While the group had not previously targeted iCloud accounts or Apple devices, the use of the leaked DarkSword exploit kit now enables attacks against iOS users. Researchers also note that TA446’s activity does not overlap with UNC6353, confirming it as a distinct threat actor.

Malfors researchers also observed a targeted campaign delivering DarkSword RCE (GHOSTBLADE) via fake Atlantic Council “discussion invitation” emails.

On March 26, 2026, Proofpoint observed a surge in emails attributed to Russia-linked TA446, spoofing the Atlantic Council. The campaign showed higher-than-usual activity; earlier waves had delivered the MAYBEROBOT backdoor via password-protected ZIP files, but in this wave the attackers used links instead of attachments. Analysis of the links led only to a benign PDF decoy, likely because server-side filtering redirected only iPhone users to the exploit kit, indicating targeted delivery tactics.
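The server-side filtering described above means an analyst fetching the link from a desktop sees only the decoy. The following is an added example, not code from the article or from Proofpoint: it fetches a suspect URL once per client identity without following redirects and reports which clients were served something different from the desktop baseline. The User-Agent strings and the `example.invalid` placeholder in the comments are constructed.

```python
# Added example: probe one URL with several User-Agent strings and flag
# client-dependent delivery (decoy for most clients, redirect for iPhone).
import hashlib
import urllib.error
import urllib.request

# Constructed User-Agent strings: a desktop baseline and an iPhone Safari.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the Location header stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for 3xx, handled below


def fetch(url, user_agent, timeout=10):
    """Return (status, Location, Content-Type, sha256(body)) for one client identity."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read()
            return (resp.status, resp.headers.get("Location"),
                    resp.headers.get("Content-Type"), hashlib.sha256(body).hexdigest())
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx both land here
        body = err.read()
        return (err.code, err.headers.get("Location"),
                err.headers.get("Content-Type"), hashlib.sha256(body).hexdigest())


def classify(results):
    """results maps a client label to a fetch() tuple.
    Returns the labels whose response differs from the desktop baseline:
    any non-empty list means delivery depends on the client identity."""
    baseline = results["desktop"]
    return sorted(label for label, r in results.items()
                  if label != "desktop" and r != baseline)


def probe(url):
    """Fetch url once per User-Agent and return (raw results, divergent labels)."""
    results = {label: fetch(url, ua) for label, ua in USER_AGENTS.items()}
    return results, classify(results)
```

Run it from an isolated analysis host: every fetch is a visible event to whoever operates the server, and a desktop-only fetch proves nothing about what iPhone users receive.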

“New reports on TA446 using the DarkSword iOS exploit kit were intriguing,” continues Proofpoint. “The DarkSword iOS exploit kit was recently published on GitHub, but Proofpoint had not yet observed it in use in the wild. A DarkSword loader uploaded to VirusTotal (MD5: 5fa967dbef026679212f1a6ffa68d575) referenced escofiringbijou[.]com, a TA446 second-stage domain independently observed by Proofpoint, corroborating the group’s use of DarkSword.”

Analysis via URLScan confirmed that a TA446-controlled domain was delivering the DarkSword exploit kit, including redirector, loader, RCE, and PAC bypass components. However, the researchers haven’t observed any sandbox escapes in the attacks. The researchers identified additional compromised domains, such as motorbeylimited[.]com and bridetvstreaming[.]org. Notably, only the March 26 campaign spoofing the Atlantic Council has been linked to DarkSword, while earlier TA446 activity showed no use of exploits.

“Proofpoint did not directly observe the iOS exploit kit delivery but believe the actor has adopted the exploit kit for the purposes of credential harvesting and intelligence collection,” conclude the researchers. “The targeting Proofpoint observed in the email campaigns was much wider than usual and included government, think tank, higher education, financial, and legal entities, indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set. This is a notable adoption, as Proofpoint has not previously observed TA446 targeting iOS devices.”


Pierluigi Paganini

(SecurityAffairs – hacking, TA446)