Proofpoint disclosed a targeted email campaign by Russia-linked TA446 that used the leaked DarkSword iOS exploit kit to target iPhones and iPads. The attacks spoofed the Atlantic Council, delivered the GHOSTBLADE dataminer and MAYBEROBOT backdoor, and prompted Apple to send Lock Screen warnings as DarkSword code leaked on GitHub. #TA446 #DarkSword
Keypoints
- Russia-affiliated TA446 used the leaked DarkSword exploit kit to target iOS devices by email.
- Emails spoofed the Atlantic Council and were sent from compromised senders on March 26, hitting targets including Leonid Volkov.
- The campaign delivered the GHOSTBLADE dataminer and deployed the MAYBEROBOT backdoor via password-protected ZIPs.
- A DarkSword loader referenced escofiringbijou[.]com and urlscan results show exploit kit components including a PAC bypass but no sandbox escapes.
- Apple issued Lock Screen warnings and the DarkSword GitHub leak risks democratizing advanced iOS exploits, per security researchers.
Read More: https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html