TA446 Deploys Leaked DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign

Russian state-sponsored threat group TA446 is now utilizing the leaked DarkSword exploit kit to target iOS devices through sophisticated spear-phishing campaigns aimed at government and financial entities.

Key points

  • Cybersecurity firm Proofpoint identified TA446, also known as Star Blizzard, using the DarkSword exploit kit to target iPhone users.
  • The campaign involves spoofed Atlantic Council emails delivering GHOSTBLADE malware and MAYBEROBOT backdoors to high-profile targets like Leonid Volkov.
  • Attackers use server-side filtering to ensure only iOS browsers are redirected to the exploit kit, which includes remote code execution and PAC bypass capabilities.
  • Apple has issued urgent Lock Screen notifications to users on older iOS versions, warning of web-based attacks and urging immediate software updates.
  • The public availability of the DarkSword kit on GitHub has raised concerns that advanced nation-state-level mobile exploits are becoming accessible to less skilled threat actors.

Why it matters:

The integration of the DarkSword exploit into broader phishing campaigns signals a significant shift in the mobile threat landscape, moving advanced espionage tools toward commodity-style malware. This development challenges the perception of iPhone immunity and forces both Apple and its users to adopt more aggressive security postures against web-based attacks.

Internet Published by info@thehackernews.com (The Hacker News)