A nation-state threat actor has added a powerful mobile exploit kit to its arsenal for the first time, using a leaked version of DarkSword to target iPhone users across government, financial, legal, and higher education sectors.
What happened
The Russian state-sponsored hacking group known as TA446, also tracked as Callisto, COLDRIVER, and Star Blizzard, has deployed the DarkSword iOS exploit kit in a targeted spear-phishing campaign, marking the first documented use of mobile exploit capabilities by this threat actor. According to The Hacker News, the group sent phishing emails on March 26, 2026, from compromised sender accounts, impersonating the Atlantic Council with fake discussion invitation lures. The emails directed targets to infrastructure that delivered GHOSTBLADE, a data-stealing malware, via the DarkSword exploit kit to victims browsing on iPhones. TA446 is assessed to be affiliated with Russia's Federal Security Service (FSB) and is known primarily for credential-harvesting spear-phishing campaigns. Proofpoint, which detected the activity, said the targeting in this campaign was "much wider than usual," encompassing government, think tank, higher education, financial, and legal entities.
Going deeper
DarkSword is an iOS exploit kit that chains six vulnerabilities to achieve remote code execution, sandbox escape, and privilege escalation on iPhones running iOS versions 18.4 through 18.7. All six vulnerabilities have been patched by Apple in the latest iOS releases. According to BleepingComputer, CISA added three of the six DarkSword vulnerabilities to its catalog of actively exploited security flaws and ordered federal agencies to patch their devices by April 3, 2026. TA446's use of DarkSword appears to rely on a leaked version of the kit that was taken from another threat actor's infrastructure and uploaded to GitHub, lowering the barrier to access for the group without requiring them to develop the capability independently. Proofpoint noted that the campaign volume from TA446 has been "significantly higher" in the past two weeks, with attacks also delivering a known backdoor called MAYBEROBOT via password-protected ZIP files. Apple separately issued Lock Screen notifications to iPhones running older iOS versions, urging immediate updates in response to the broad exploitation of DarkSword and the related Coruna exploit kit.
What was said
Researchers told The Hacker News that TA446 "is using the same version of the exploit kit UNC6353 was using," confirming that the group accessed a leaked copy rather than developing the tool independently. They also said that the leaked plug-and-play version of DarkSword "allows even unskilled threat actors to deploy the advanced iOS espionage kit, turning it into commodity malware," and that "DarkSword refutes the common belief that iPhones are immune to cyber threats, and that advanced mobile attacks are only used in targeted efforts against governments and high-ranking officials."
In the know
The DarkSword exploit kit had been in active use by multiple threat actors before TA446 adopted it. According to The Hacker News, Apple began sending Lock Screen notifications warning users of web-based attacks after researchers at Lookout, iVerify, and Google's Threat Intelligence Group documented DarkSword being used by a suspected Russian espionage group tracked as UNC6353 in watering hole attacks against Ukrainian targets, and separately by a Turkish commercial surveillance vendor in campaigns targeting users in Turkey and Malaysia. The public availability of the exploit kit on GitHub has raised concern across the security community that a tool previously reserved for nation-state operations is now accessible to a much broader range of threat actors, fundamentally changing the mobile threat landscape.
The big picture
The adoption of a leaked iOS exploit kit by a Russian FSB-affiliated group underscores a growing pattern in which nation-state-grade attack tools proliferate into wider criminal and espionage use after being leaked or reverse-engineered. For healthcare organizations, the implications are direct: staff increasingly use iPhones as clinical and administrative devices, and spear-phishing campaigns that use impersonation lures and institutional trust to direct recipients to malicious links are among the most documented attack patterns in the sector. According to Paubox's Top 3 Healthcare Email Attacks report, impersonation attacks succeed because "email still treats identity as trustworthy by default," and healthcare workflows amplify the risk because urgent requests and trusted-sender communications are routine. When those emails now carry the potential to silently compromise an unpatched iPhone through a single link click, the risk extends from email security into mobile device management.
FAQs
What is DarkSword, and how does it work?
DarkSword is an iOS exploit kit that chains six vulnerabilities to achieve remote code execution and privilege escalation on iPhones running iOS 18.4 through 18.7. It operates via malicious web content, meaning a victim only needs to visit a compromised page or click a malicious link for their device to be exploited without any additional interaction.
What is TA446 and why is it significant?
TA446, also known as Callisto, COLDRIVER, or Star Blizzard, is a Russian state-sponsored group affiliated with the FSB and known for spear-phishing campaigns targeting government officials, journalists, and civil society. Its adoption of mobile exploit capabilities marks a significant expansion beyond its traditional credential-harvesting approach.
How can iPhone users protect themselves from DarkSword attacks?
Updating to the latest iOS version patches all six vulnerabilities exploited by DarkSword. Users unable to update should consider enabling Lockdown Mode, available on devices running iOS 16 and later, which Apple has said massively reduces exposure to malicious web content.
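For organizations managing iPhones at scale, the practical step behind this answer is to find every device still on an iOS build in the range the article names (18.4 through 18.7) and without Lockdown Mode enabled, then prioritize those for forced updates. The script below is an added example written for this article, not code from Paubox, Proofpoint, or Apple. It works over a constructed device inventory of the kind an MDM export would provide; the minimum patched version it compares against is a placeholder (PATCHED_MIN) that you must replace with the fixed build Apple lists in its security release notes, since the article does not state that version.

```python
"""Triage an MDM device export for iPhones still exposed to the DarkSword iOS range.

Added example for this article. Device records and PATCHED_MIN are constructed
placeholders; replace PATCHED_MIN with the fixed iOS build from Apple's release notes.
"""
from dataclasses import dataclass

# iOS versions the article reports DarkSword targets: 18.4 through 18.7.
# The upper bound uses a large patch number so every 18.7.x point release is included.
AFFECTED_LOW = (18, 4, 0)
AFFECTED_HIGH = (18, 7, 999)

# PLACEHOLDER (assumption): the first iOS build in which all six bugs are fixed.
PATCHED_MIN = (18, 8, 0)


@dataclass(frozen=True)
class Device:
    device_id: str
    ios_version: str      # as exported by the MDM, e.g. "18.7.1" or "iOS 18.5"
    lockdown_mode: bool   # whether Lockdown Mode is enabled on the device


def parse_ios_version(raw: str) -> tuple[int, int, int]:
    """Normalise an MDM version string to (major, minor, patch).

    Missing components are padded with zeros so "18.7" and "18.7.0" compare equal,
    and an "iOS " prefix is tolerated. Anything else is rejected rather than guessed.
    """
    text = raw.strip()
    if text.lower().startswith("ios"):
        text = text[3:].strip()
    parts = text.split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version format: {raw!r}")
    try:
        nums = [int(p) for p in parts]
    except ValueError as exc:
        raise ValueError(f"unexpected iOS version format: {raw!r}") from exc
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2])


def in_affected_range(version: tuple[int, int, int]) -> bool:
    """True if the build falls inside the 18.4 to 18.7 range DarkSword targets."""
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def triage(devices: list[Device], patched_min: tuple[int, int, int]) -> dict[str, list[str]]:
    """Map each device_id to its findings, ordered with the most urgent devices first.

    Findings:
      update_required     - build is older than patched_min
      in_darksword_range  - build is inside the affected 18.4-18.7 range (and unpatched)
      lockdown_mode_off   - device is unpatched and Lockdown Mode is not enabled
    """
    results: dict[str, list[str]] = {}
    for dev in devices:
        version = parse_ios_version(dev.ios_version)
        findings: list[str] = []
        if version < patched_min:
            findings.append("update_required")
            if in_affected_range(version):
                findings.append("in_darksword_range")
            if not dev.lockdown_mode:
                findings.append("lockdown_mode_off")
        results[dev.device_id] = findings

    def urgency(item: tuple[str, list[str]]) -> tuple[int, int, str]:
        dev_id, found = item
        worst = "in_darksword_range" in found and "lockdown_mode_off" in found
        return (-int(worst), -len(found), dev_id)

    return dict(sorted(results.items(), key=urgency))


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("dev-01", "18.7.1", lockdown_mode=False),
    Device("dev-02", "18.3", lockdown_mode=False),
    Device("dev-03", "18.8", lockdown_mode=True),
    Device("dev-04", "17.6.1", lockdown_mode=True),
    Device("dev-05", "iOS 18.5", lockdown_mode=True),
]

if __name__ == "__main__":
    for dev_id, found in triage(SAMPLE_DEVICES, PATCHED_MIN).items():
        print(f"{dev_id}: {', '.join(found) if found else 'ok'}")
```

Devices that are both inside the affected range and running without Lockdown Mode sort to the top, since those are the ones a single link click can compromise with no further interaction. Devices older than 18.4 are still flagged as needing an update because they are behind the patched build, even though the article does not place them in DarkSword's range.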
Why does the public availability of DarkSword on GitHub matter?
Exploit kits previously required substantial technical expertise to use, limiting them to well-resourced groups. Public availability lowers that barrier dramatically, meaning the same iOS attack capability used by nation-states can now be deployed by lower-skilled actors, substantially increasing the volume and variety of threats facing iPhone users.
What sectors were targeted in TA446's March 2026 campaign?
Proofpoint documented targeting across government, think tanks, higher education, financial institutions, and legal entities, a broader set than the group typically attacks, suggesting an opportunistic expansion in scope enabled by the newly accessible mobile exploit capability.