TA446 Uses DarkSword iOS Exploit Kit to Target iPhone Users
Proofpoint and other researchers said the Russia-linked threat group TA446—also tracked as Callisto, COLDRIVER, SEABORGIUM, and Star Blizzard—used the leaked DarkSword iOS exploit kit in a targeted spear-phishing campaign aimed at compromising iPhone users. On March 26, the actor sent spoofed Atlantic Council "discussion invitation" emails from compromised accounts, redirecting selected recipients to DarkSword infrastructure that delivered the GHOSTBLADE dataminer, while non-iPhone users were reportedly shown a benign PDF decoy. Researchers said this is the first observed case of TA446 targeting Apple devices and iCloud-related access.
The campaign was linked to TA446 through infrastructure overlaps, including VirusTotal samples referencing a TA446 second-stage domain and URLScan evidence showing a TA446-controlled domain serving DarkSword components. The operation also appeared broader than the group’s typical espionage activity, with targeting spanning government, think tanks, higher education, financial, and legal organizations. Apple separately warned users running older iOS and iPadOS versions to update because of active web-based attacks, while researchers cautioned that the leaked GitHub version of DarkSword could reduce the barrier to entry for advanced iPhone exploitation and help turn a nation-state capability into more widely available malware.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Apple moves to backport DarkSword protections to older iOS 18 versions
By 2026-03-31, Apple said it would push rare backported security patches to protect users on older iOS 18 versions from DarkSword-related exploitation. The move followed criticism that affected users who had not upgraded remained exposed despite active attacks.
Proofpoint publicly discloses TA446's DarkSword iPhone campaign
On 2026-03-28, Proofpoint disclosed the targeted spear-phishing campaign using the leaked DarkSword iOS exploit kit and assessed it as a broader-than-usual TA446 operation. The disclosure highlighted the group's shift into Apple-device and iCloud-focused targeting.
Apple warns users on older iOS and iPadOS versions to update
Apple issued warnings for users running older iOS and iPadOS versions to update their devices because of active web-based attacks. The warning coincided with public reporting on DarkSword exploitation activity.
Researchers link TA446 infrastructure to DarkSword components
Proofpoint and other researchers connected the phishing activity to TA446 using infrastructure overlaps, including VirusTotal samples referencing a TA446 second-stage domain and URLScan evidence of a TA446-controlled domain delivering DarkSword components.
Leaked DarkSword exploit kit becomes publicly available on GitHub
Researchers said a leaked GitHub version of the DarkSword iOS exploit kit became available prior to the observed campaign, lowering the barrier to entry for advanced iOS exploitation and potentially commoditizing a previously nation-state-grade capability.
TA446 uses DarkSword to target iPhone users and deliver GHOSTBLADE
In the same 2026-03-26 campaign, researchers found that iPhone users were redirected to DarkSword exploit infrastructure while non-iPhone users received a benign PDF decoy. The exploit chain was used to deliver the GHOSTBLADE dataminer and pursue iCloud-related access, marking the first observed TA446 targeting of Apple devices.
TA446 sends Atlantic Council-themed phishing emails from compromised accounts
On 2026-03-26, Proofpoint observed a surge of spoofed Atlantic Council discussion-invitation emails sent from compromised accounts and attributed with high confidence to Russia-linked TA446. The campaign targeted organizations across government, think tanks, higher education, financial, and legal sectors.
Sources
Apple Will Push Out Rare ‘Backported’ Patches to Protect iOS 18 Users From DarkSword Hacking Tool | WIRED (wired.com)
TA446 Hackers Deploying DarkSword Exploit Kit to Attack iOS Users (cybersecuritynews.com)
Russia-linked APT TA446 uses DarkSword exploit to target iPhone users in phishing wave - Security Affairs (securityaffairs.com)
TA446 Deploys Leaked DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign (thehackernews.com)


