Full Report
Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices. The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446, which is also tracked by the broader cybersecurity community under the monikers Callisto,
Analysis Summary
# Threat Actor: TA446
## Attribution & Identity
* **Name:** TA446
* **Aliases:** Callisto, COLDRIVER, Star Blizzard (formerly SEABORGIUM)
* **Associations:** Attributed with high confidence to the Russian state-sponsored apparatus, specifically assessed to be affiliated with Russia’s **Federal Security Service (FSB)**.
## Activity Summary
Proofpoint and Malfors identified a March 2026 campaign involving targeted spear-phishing that leverages a leaked version of the **DarkSword iOS exploit kit**. The campaign mimics communications from the Atlantic Council to deliver malware. This represents a significant shift in the group's capability, moving from standard credential harvesting to the direct exploitation of mobile devices.
## Tactics, Techniques & Procedures
* **Spear-Phishing:** Distribution of fake "discussion invitation" emails, often spoofing reputable organizations (e.g., Atlantic Council).
* **Compromised Infrastructure:** Sending emails via compromised third-party accounts.
* **Server-Side Filtering:** The kit's landing page filters on the client's User-Agent before serving anything: only iPhone browsers are sent to the exploit, while every other client (desktop browsers, security scanners, crawlers) is redirected to a benign decoy PDF. A sandbox or analyst fetching the link with a non-iPhone User-Agent therefore sees only the decoy.
* **Use of Exploits:** Leverages the DarkSword exploit kit for browser-delivered remote code execution (RCE) combined with a Pointer Authentication Code (PAC) bypass on iOS.
* **Malware Delivery:** Use of password-protected ZIP files to deliver backdoors; the password protection prevents gateway scanners from inspecting the archive contents.
* **Account Hijacking:** Historical focus on harvesting credentials for email and WhatsApp accounts.
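The password-protected ZIP delivery listed above can be flagged at a mail gateway without knowing the password, because the encryption flag lives in the ZIP headers rather than in the encrypted data. The following is an added example written for this page, not Proofpoint's code or anything recovered from the campaign; the sample archive is constructed inline (the standard library cannot write encrypted ZIPs, so the encryption bit is set on a plain archive, which is all a header-based detector reads).

```python
"""Flag password-protected ZIP attachments at a mail gateway.

Added example for this page; not vendor or campaign code. The
"quarantine on encrypted archive" rule is a generic control, not a
policy the page attributes to anyone.
"""
import io
import struct
import zipfile

ZIP_FLAG_ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
ZIP_METHOD_WINZIP_AES = 99    # WinZip AE-x encrypted entries use method 99


def encrypted_entries(zip_bytes: bytes) -> list[str]:
    """Return names of entries the central directory marks as encrypted.

    No password is needed: the flag and compression method are stored in
    the (unencrypted) central directory, not in the entry data.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if info.flag_bits & ZIP_FLAG_ENCRYPTED
            or info.compress_type == ZIP_METHOD_WINZIP_AES
        ]


def attachment_verdict(data: bytes) -> str:
    """Gateway decision for one attachment: 'allow', 'quarantine' or 'not_zip'."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not_zip"
    try:
        names = encrypted_entries(data)
    except zipfile.BadZipFile:
        return "quarantine"   # malformed archive: treat as suspicious, not benign
    return "quarantine" if names else "allow"


# ---- constructed samples (not real campaign artefacts) ----------------

def build_plain_zip() -> bytes:
    """A benign, unencrypted archive with one stored (uncompressed) entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invitation.pdf", b"%PDF-1.4 constructed decoy\n")
    return buf.getvalue()


def mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption bit on every local and central-directory header.

    Local file header: flags at offset 6 after the 'PK\\x03\\x04' signature.
    Central directory header: flags at offset 8 after 'PK\\x01\\x02'.
    The entry data itself is left as-is; a header-based detector does
    not look at it.
    """
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            off = pos + flag_off
            flags = struct.unpack_from("<H", buf, off)[0] | ZIP_FLAG_ENCRYPTED
            struct.pack_into("<H", buf, off, flags)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


if __name__ == "__main__":
    plain = build_plain_zip()
    protected = mark_entries_encrypted(plain)
    print("plain     :", attachment_verdict(plain), encrypted_entries(plain))
    print("protected :", attachment_verdict(protected), encrypted_entries(protected))
    print("pdf       :", attachment_verdict(b"%PDF-1.4 not an archive"))
```

The check deliberately quarantines malformed archives as well: an attacker who corrupts the central directory so that a scanner gives up, while a client archiver still opens the file, should not be rewarded with an "allow".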
**MITRE ATT&CK IDs (inferred from the activity described above, not stated in the source):**
* **T1586.002:** Compromise Accounts: Email Accounts (sending lures from compromised third-party accounts)
* **T1566.001:** Phishing: Spearphishing Attachment (password-protected ZIP delivery)
* **T1566.002:** Phishing: Spearphishing Link (invitation emails leading to the exploit-kit landing page)
* **T1204.001:** User Execution: Malicious Link
* **T1203:** Exploitation for Client Execution (DarkSword browser exploitation)
## Targeting
* **Sectors:** Government, think tanks, higher education, financial, and legal entities.
* **Geography:** No single country is named; targeting centres on Russian opposition figures and on international entities of strategic interest to the Russian state.
* **Victims:** The report specifically names Leonid Volkov (Russian opposition politician associated with the Anti-Corruption Foundation).
## Tools & Infrastructure
* **Exploit Kits:** DarkSword (iOS focused).
* **Malware:**
* **GHOSTBLADE:** Data-collection ("dataminer") malware.
* **MAYBEROBOT:** A previously documented backdoor.
* **Domains:**
* escofiringbijou[.]com (Second-stage domain/C2)
* **Spoofed Entities:** Atlantic Council (impersonated in the lure emails; the report does not indicate its infrastructure was compromised).
## Implications
The adoption of the DarkSword exploit kit marks an evolution for TA446, giving it a capability against mobile (iOS) targets that its earlier credential-harvesting operations did not reach. The leak of the kit on GitHub suggests a "democratization" of nation-state-grade exploits: the same tooling is now available to TA446 and to other actors, which is likely to increase both the volume and the success rate of mobile-focused espionage campaigns.
## Mitigations
* **OS Updates:** Update iOS and iPadOS to the latest versions immediately; the exploit chain only works against unpatched builds.
* **Enable Lockdown Mode:** For high-risk individuals (politicians, activists, journalists), Apple's Lockdown Mode sharply reduces the web-based attack surface, including restrictions on JavaScript JIT compilation and on many web technologies that browser exploit chains rely on.
* **Email Security:** URL analysis and detonation must fetch links with an iPhone Safari User-Agent as well as the default one; a kit that filters server-side on User-Agent will return only the decoy PDF to a desktop-looking or bot-looking scanner, so a single-profile fetch produces a false "benign" verdict.
* **User Training:** Educate high-value targets on the risks of unsolicited "discussion invitations" and of password-protected ZIP attachments from external sources, especially when the password is supplied in the same email (a common way to defeat gateway scanning).
* **MFA:** Use phishing-resistant, hardware-backed Multi-Factor Authentication (FIDO2/WebAuthn security keys). Because the credential is bound to the legitimate origin, it cannot be replayed from an attacker-controlled phishing page, unlike one-time codes or push approvals.
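The server-side User-Agent filtering listed under Tactics, Techniques & Procedures, and the corresponding email-security mitigation above, both come down to one operational check: fetch a suspicious link as several client types and see whether the responses diverge. The following is an added example written for this page, not Proofpoint's code or the kit's. The kit's exact gating rule is not published on this page, so the `looks_like_iphone` heuristic and the simulated landing page are assumptions standing in for the real server; the probe logic itself is what an analyst would run against a live URL by swapping in an HTTP client.

```python
"""Probe a URL with several User-Agents and flag User-Agent cloaking.

Added example for this page; not vendor or kit code. The server side is
simulated so the script runs offline; `looks_like_iphone` is an assumed
gate, not the kit's actual filter.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable

# Probe set. The iPhone Safari string is the one a scanner must include:
# fetching only as a desktop browser or a crawler returns the decoy.
PROBE_USER_AGENTS = {
    "iphone_safari": (
        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) "
        "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1"
    ),
    "android_chrome": (
        "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/124.0 Mobile Safari/537.36"
    ),
    "desktop_chrome": (
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/124.0 Safari/537.36"
    ),
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "sandbox_python": "python-requests/2.31",
}


@dataclass(frozen=True)
class Response:
    status: int
    content_type: str
    body: bytes


def looks_like_iphone(user_agent: str) -> bool:
    """Assumed server-side gate: iPhone WebKit only, and nothing that looks like a bot."""
    is_iphone = re.search(r"\(iPhone;", user_agent) is not None
    is_webkit = "AppleWebKit/" in user_agent
    is_bot = re.search(r"bot|spider|crawl|python-requests|curl", user_agent, re.I) is not None
    return is_iphone and is_webkit and not is_bot


# ---- constructed stand-in for the kit's landing page (no real exploit) --

DECOY_PDF = b"%PDF-1.4\n% constructed decoy: benign discussion invitation\n%%EOF\n"
EXPLOIT_STAGE = b"<html><script>/* constructed stand-in for the exploit loader */</script></html>"


def simulated_landing_page(user_agent: str) -> Response:
    if looks_like_iphone(user_agent):
        return Response(200, "text/html", EXPLOIT_STAGE)
    return Response(200, "application/pdf", DECOY_PDF)


# ---- the analyst's probe --------------------------------------------------

def probe_for_cloaking(fetch: Callable[[str], Response],
                       user_agents: dict = PROBE_USER_AGENTS) -> dict:
    """Fetch once per User-Agent and report whether the responses diverge.

    `fetch` takes a User-Agent string and returns a Response; in live use
    it wraps an HTTP client. Responses are fingerprinted on status, media
    type and a body hash, and any User-Agent whose fingerprint differs
    from the majority is reported as an outlier.
    """
    responses = {name: fetch(ua) for name, ua in user_agents.items()}
    fingerprints = {
        name: (r.status,
               r.content_type.split(";")[0].strip().lower(),
               hashlib.sha256(r.body).hexdigest()[:16])
        for name, r in responses.items()
    }
    majority = Counter(fingerprints.values()).most_common(1)[0][0]
    outliers = sorted(n for n, fp in fingerprints.items() if fp != majority)
    return {
        "cloaked": len(set(fingerprints.values())) > 1,
        "outliers": outliers,
        "fingerprints": fingerprints,
    }


if __name__ == "__main__":
    report = probe_for_cloaking(simulated_landing_page)
    print("cloaked:", report["cloaked"], "outliers:", report["outliers"])
    for name, fp in report["fingerprints"].items():
        print(f"  {name:15s} status={fp[0]} type={fp[1]} sha256[:16]={fp[2]}")
```

Against the simulated server only the iPhone profile comes back as an outlier, which is exactly the pattern described for the kit: one client type gets the exploit stage, everyone else gets the PDF. A User-Agent sweep is the first check, not the last; a landing page can additionally fingerprint in the browser after loading, which a header-only probe will not reveal.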