In a recent cybersecurity disclosure, Proofpoint has revealed a concerning email attack strategy employed by a threat group linked to Russian state interests. The attackers, identified as TA446, are utilizing the newly exposed DarkSword exploit to compromise iOS devices through targeted spear-phishing campaigns.
Russian-Linked Threat Group TA446
The group TA446, also known by names such as Callisto and COLDRIVER, is reportedly affiliated with Russia’s Federal Security Service (FSB). This entity is notorious for its spear-phishing operations aimed at acquiring credentials from high-value targets. Over the past year, TA446 has expanded its repertoire to include attacks on WhatsApp accounts and other malware tactics to steal sensitive information.
DarkSword Exploit in Action
According to Proofpoint and Malfors, the current campaign uses deceptive ‘discussion invitation’ emails mimicking the Atlantic Council. These emails serve as a conduit for the GHOSTBLADE dataminer, which deploys the DarkSword iOS exploit. The emails were sent from compromised accounts as of March 26, 2026, targeting figures like Leonid Volkov, a notable Russian opposition leader.
Proofpoint’s security tools observed that non-iOS recipients were redirected to a harmless PDF document, a likely precaution to avoid detection, while only iOS users were steered to the exploit.
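The iOS-only redirect described above is a user-agent cloaking pattern: the same link serves a decoy to analysts and desktop users and the real landing page only to the targeted platform. The following Python is an added example, not Proofpoint’s or urlscan.io’s tooling. It assumes an analyst has already fetched one URL with several user agents (for instance from a sandbox) and recorded status, Content-Type and Location for each; it then flags the case where one platform family received a response that no other family ever saw. The observations, hostnames and function names are constructed for illustration.

```python
"""Flag user-agent-based cloaking from a set of captured HTTP responses.

Added illustrative code (assumption: the analyst already has one response
per user agent for the same URL; nothing here performs network requests).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Observation:
    user_agent: str
    status: int
    content_type: str
    location: Optional[str] = None  # Location header value, if a redirect


def ua_family(user_agent: str) -> str:
    """Coarse platform bucket; enough to compare iOS against everything else."""
    ua = user_agent.lower()
    if "iphone" in ua or "ipad" in ua:
        return "ios"
    if "android" in ua:
        return "android"
    return "desktop"


Fingerprint = Tuple[int, str, Optional[str]]


def fingerprint(obs: Observation) -> Fingerprint:
    """Reduce a response to what matters for gating: status, media type, redirect target."""
    media_type = obs.content_type.split(";")[0].strip().lower()
    return (obs.status, media_type, obs.location)


def detect_cloaking(
    observations: Iterable[Observation],
) -> Tuple[bool, Dict[str, Set[Fingerprint]]]:
    """Return (cloaked?, fingerprints grouped by platform family).

    Cloaking is declared when at least two families were probed and some
    family received a response fingerprint that no other family received.
    """
    by_family: Dict[str, Set[Fingerprint]] = defaultdict(set)
    for obs in observations:
        by_family[ua_family(obs.user_agent)].add(fingerprint(obs))

    cloaked = False
    if len(by_family) > 1:
        for fam, fps in by_family.items():
            others: Set[Fingerprint] = set()
            for other_fam, other_fps in by_family.items():
                if other_fam != fam:
                    others |= other_fps
            if fps - others:
                cloaked = True
                break
    return cloaked, dict(by_family)


# Constructed sample captures (not real traffic): iOS gets redirected, others get a PDF.
SAMPLE_GATED = [
    Observation("Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) Safari/604.1",
                302, "text/html; charset=utf-8", "https://landing.example.invalid/i"),
    Observation("Mozilla/5.0 (iPad; CPU OS 16_5 like Mac OS X) Safari/604.1",
                302, "text/html; charset=utf-8", "https://landing.example.invalid/i"),
    Observation("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
                200, "application/pdf"),
    Observation("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15",
                200, "application/pdf"),
]

# Constructed control: every platform gets the same PDF, so no cloaking.
SAMPLE_UNIFORM = [
    Observation("Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) Safari/604.1",
                200, "application/pdf"),
    Observation("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
                200, "application/pdf"),
]


if __name__ == "__main__":
    for label, sample in (("gated", SAMPLE_GATED), ("uniform", SAMPLE_UNIFORM)):
        cloaked, groups = detect_cloaking(sample)
        print(f"{label}: cloaked={cloaked}")
        for fam, fps in sorted(groups.items()):
            print(f"  {fam}: {sorted(fps)}")
```

The check is deliberately conservative: a single family getting a response nobody else gets is the signal, so ordinary content negotiation (for example a mobile and a desktop layout of the same HTML page) should be normalised away by `fingerprint` before comparison rather than counted as gating.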
Implications and Wider Targeting
This marks a shift in TA446’s tactics, as they had not previously targeted Apple’s ecosystem. The adoption of DarkSword now allows these actors to exploit iOS devices effectively. The group has sent a notably higher volume of emails recently, deploying a backdoor known as MAYBEROBOT via encrypted ZIP files.
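Encrypted ZIP delivery, as mentioned above for the MAYBEROBOT backdoor, defeats content scanning but does not hide the fact of encryption: every ZIP entry carries a plaintext general-purpose flag field whose bit 0 marks the entry as encrypted, so a mail gateway can still quarantine such attachments without the password. The following Python is an added example, not code from Proofpoint or any vendor named on the page. It builds a constructed archive in memory, sets that flag bit in the local and central headers the way an encrypting archiver would record it, and lists the encrypted entries; the file name and triage policy are hypothetical.

```python
"""List encrypted entries in a ZIP attachment for gateway triage.

Added illustrative code. Assumption: the gateway has the raw attachment bytes;
no password is needed because the encryption flag sits in plaintext headers.
"""
import io
import struct
import zipfile
from typing import List

LOCAL_SIG, LOCAL_FLAG_OFFSET = b"PK\x03\x04", 6    # sig(4) version(2) flags(2)
CENTRAL_SIG, CENTRAL_FLAG_OFFSET = b"PK\x01\x02", 8  # sig(4) made_by(2) needed(2) flags(2)
FLAG_ENCRYPTED = 0x1


def build_sample_zip(encrypted: bool) -> bytes:
    """Create a constructed in-memory archive; optionally mark its entry encrypted.

    zipfile cannot write encrypted archives, so the flag bit is set by patching
    the headers directly. ZIP_STORED keeps the body literal so the signature
    search below cannot match inside compressed data.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.docx", b"constructed sample payload, not a real file")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((LOCAL_SIG, LOCAL_FLAG_OFFSET),
                              (CENTRAL_SIG, CENTRAL_FLAG_OFFSET)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + flag_off)
                struct.pack_into("<H", data, pos + flag_off, flags | FLAG_ENCRYPTED)
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


def encrypted_entries(data: bytes) -> List[str]:
    """Names of entries whose general-purpose flag bit 0 (encrypted) is set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & FLAG_ENCRYPTED]


def triage_attachment(data: bytes) -> str:
    """Hypothetical gateway policy: quarantine any archive with encrypted entries."""
    try:
        names = encrypted_entries(data)
    except zipfile.BadZipFile:
        return "quarantine: malformed archive"
    if names:
        return "quarantine: encrypted entries " + ", ".join(names)
    return "allow: no encrypted entries"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"encrypted={flag}: {triage_attachment(build_sample_zip(flag))}")
```

Listing the central directory is enough for the decision; the gateway never has to open a member, which is exactly what a password-protected archive would refuse.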
Evidence from VirusTotal and urlscan.io confirms the group’s use of DarkSword, with components like exploit loaders and code execution mechanisms identified. The breadth of targets has expanded beyond usual parameters, encompassing governmental, financial, and educational sectors, indicating a broader and more opportunistic attack campaign.
Apple’s Response and Future Considerations
In response, Apple has issued Lock Screen alerts to older iOS and iPadOS users, urging updates to counter the threat. This move highlights the severity, as Apple seeks to mitigate the risk posed by the exploit’s public leak on GitHub, which could democratize such nation-state-level threats.
Lookout’s principal researcher, Justin Albrecht, emphasized the risk posed by DarkSword’s accessibility, which may enable less sophisticated actors to carry out advanced iOS attacks, challenging the perception that iPhones are invulnerable.
This development underscores the need for heightened vigilance in mobile security, as the landscape evolves with the proliferation of advanced exploits like DarkSword.
