TA446 first targeted iPhones with the DarkSword iOS exploit kit

Summary of the campaign
The APT group TA446 — linked to the Russian Federal Security Service (FSB), widely known as COLDRIVER, Callisto, and Star Blizzard — has made an unprecedented tactical shift: targeting iOS devices and iCloud accounts for the first time, using the DarkSword exploit kit leaked on GitHub just three days earlier. The campaign was discovered by Proofpoint on March 26, 2026, with spear-phishing emails impersonating the Atlantic Council sent to targets in government, think tanks, higher education, finance, and legal organizations. The broader targeting scope compared to TA446's usual operations suggests the group is exploiting the opportunity from DarkSword becoming "publicly available." DarkSword exploits a chain of 6 CVEs (3 of which were zero-day at the time of discovery), affecting iOS 18.4 to 18.6.2 — approximately 221.5 million iPhones according to iVerify estimates. Apple has released patches in iOS 18.7.6 and iOS 26.3.1. Immediate action required: Update all iOS devices in the organization to the latest version and block the IOC domains listed in the article.
Event Timeline
| Time | Events |
|---|---|
| Mid-March 2026 | iVerify, Google Threat Intelligence Group, and Lookout discover DarkSword exploit kit — related to Coruna attack infrastructure, used against Ukrainian targets |
| March 23, 2026 | DarkSword source code leaked on GitHub, turning iOS full-chain exploit into a "commodity" that anyone can access |
| March 26, 2026 | TA446 deployed a large-scale spear-phishing campaign impersonating the Atlantic Council. Proofpoint detects "significant increase" in email volume compared to previous activity |
| March 27, 2026 | Proofpoint announces high confidence attribution via Twitter (@threatinsight). Malfors researchers independently confirmed the campaign |
| March 28–30, 2026 | Security news outlets (SecurityAffairs, SecurityWeek, The Hacker News) publish detailed coverage |
| Released | Apple patches entire chain: iOS 18.7.6 / iOS 26.3.1. Lock screen warning for devices running old versions |
Who is TA446?
TA446 is a state-sponsored attack group backed by Russia, operating under the FSB (Federal Security Service). The security community tracks this group under various names:
| Name | Vendor |
|---|---|
| TA446 | Proofpoint |
| COLDRIVER / ColdRiver | Google TAG |
| Star Blizzard (formerly SEABORGIUM) | Microsoft |
| Callisto | F-Secure |
| G1033 | MITRE ATT&CK |
The group has been active since at least 2017, primarily targeting NATO countries, the Baltic region, Northern Europe, and Eastern Europe (including Ukraine). Key targets include:
Defense and intelligence consulting organizations
Non-governmental organizations (NGOs) and intergovernmental organizations (IGOs)
Think tanks and higher education institutions
Former intelligence officials and experts on Russian affairs
Russian citizens abroad
Until this campaign, TA446 focused solely on credential phishing—stealing login information through fake websites. Adopting an iOS full-chain exploit marks a significant leap in technical capability.
Important note: Proofpoint confirms that TA446's activities do not overlap with UNC6353—the original operators of DarkSword/Coruna. These are two distinct threat actors, even though both use DarkSword.
Kill Chain: 3 attack branches, 1 email
The most notable aspect of this campaign is the server-side device fingerprinting mechanism—using the same phishing email, but with a completely different payload depending on the victim's device.
Attack vector
The email was sent from compromised accounts, impersonating an "invitation to discuss" from the Atlantic Council. One confirmed target by name is Leonid Volkov, a Russian opposition politician and Political Director of the Anti-Corruption Foundation. When the victim clicks the link in the email, the server routes:
| Accessing device | Payload |
|---|---|
| iPhone / iPad (Safari) | Redirect to the DarkSword exploit kit → deploy the GHOSTBLADE data miner |
| PC (Windows/macOS) | Download a password-protected ZIP file containing the MAYBEROBOT backdoor |
| Automated analysis tools (sandbox, crawler) | Return a harmless PDF (decoy) |
This technique is highly effective in terms of OPSEC: automated security company sandboxes only receive a clean PDF file, allowing the URL to temporarily "pass" through automated filters. The exploit chain is activated only when accessed by a real iPhone.
DarkSword: Anatomy of the 7-stage iOS exploit chain
DarkSword is an exploit kit targeting iOS, discovered by iVerify, Google Threat Intelligence Group, and Lookout in mid-March 2026. This kit exploits a chain of 6 CVEs, including 3 zero-days at the time of discovery, targeting iOS 18.4 to 18.6.2. DarkSword shares attack infrastructure with the Coruna exploit kit—a similar tool used to attack targets in Ukraine, discovered two weeks earlier.
7-stage exploit chain
Stage 1 — Initial Compromise: The victim accesses a website containing a malicious iframe embedded from a phishing email link.
Stage 2 — Loader Delivery: The script rce_loader.js checks the device's iOS version and selects the appropriate exploit package. This is the "quality control" point—only devices within the target range receive the exploit, reducing crash rates and detection.
Stage 3 — Safari RCE (Remote Code Execution): Exploits a JIT (Just-In-Time) compilation vulnerability in Safari WebKit to establish arbitrary memory read/write capabilities. This is the gateway to executing code outside the browser's sandbox.
Stage 4 — Sandbox Escape: Uses an ANGLE OOB Write (Out-of-Bounds Write) vulnerability in the graphics subsystem to jump from the Safari process to the GPU process—escaping the browser sandbox.
Stage 5 — Daemon Compromise: Exploits a Copy-on-Write (COW) vulnerability in the AppleM2ScalerCSCDriver to infiltrate mediaplaybackd—a system daemon with broader access.
Stage 6 — Kernel Privilege Escalation: The script pe_main.js establishes read/write capabilities at the kernel level—gaining complete control over the operating system, bypassing all application-level protections.
Stage 7 — Implant Injection: Injects JavaScript into several critical system processes: SpringBoard (main interface), configd (network configuration), wifid (WiFi). This is the stage for deploying the GHOSTBLADE data miner.
PAC Bypass — The most notable technique
Pointer Authentication Code (PAC) is Apple Silicon's hardware security mechanism—each function pointer is cryptographically signed to prevent memory corruption attacks. DarkSword bypasses PAC by detecting that the internal structure of dyld (dynamic linker) resides in a writable stack memory area—allowing overwriting without PAC authentication.
The exploit also manipulates thread state to disable two additional protection mechanisms:
SPRR (System Page Read-only Region Register) — protects system memory regions
JIT Cage — limits the JIT code execution area
The CVE-2026-20700 bypass technique (PAC/TPRO bypass) demonstrates a deep understanding of Apple Silicon's hardware security architecture—previously seen only in state-developed exploits.
GHOSTBLADE: Comprehensive data miner
The final payload of the exploit chain is GHOSTBLADE—a data miner designed to collect nearly all data on the compromised iOS device.
Notable technical features:
Multi-process injection: Injects into multiple system daemons simultaneously (SpringBoard, configd, wifid, securityd) to access various APIs
WiFi credential theft using dual injection technique—injects simultaneously into both wifid (manages WiFi connections) and securityd (manages keychain) to extract saved WiFi passwords
Collects contacts, messages, emails, browser history, application data
MAYBEROBOT (Branch PC)
For victims accessing from a PC, TA446 uses the backdoor MAYBEROBOT—a tool previously deployed by this group in earlier campaigns. MAYBEROBOT is distributed via a password-protected ZIP file, a classic technique to bypass automated file scanning systems on email gateways.
IOC & Artifacts
Network Indicators
# C2 Domain (TA446 second-stage, confirmed)
escofiringbijou[.]com
# Compromised domains delivering DarkSword
motorbeylimited[.]com
bridetvstreaming[.]org
File Hashes
5fa967dbef026679212f1a6ffa68d575
Note: The SHA-256 hash has not been publicly disclosed at the time of writing. The DarkSword loader on VirusTotal references the domain escofiringbijou[.]com, which corroborates that TA446 uses DarkSword.
Components confirmed via URLScan
Proofpoint confirms via URLScan that the domain controlled by TA446 is delivering DarkSword components:
✅ Redirector
✅ Loader
✅ RCE component
✅ PAC bypass component
❌ Sandbox escape component — not yet observed
The final point is crucial: Proofpoint has not confirmed that TA446 can deploy the entire exploit chain in practice. It's possible the group is still in the integration phase and has not yet mastered the entire DarkSword chain.
CVEs
DarkSword exploits 6 CVEs:
CVE-2025-31277: Vulnerability in WebKit (patched in iOS 18.6).
CVE-2025-43529: Vulnerability related to garbage collection in the JIT class of JavaScriptCore/WebKit, allowing remote code execution (patched in iOS 18.7.3 and 26.2).
CVE-2026-20700: Vulnerability in the dyld component allowing attackers to bypass Pointer Authentication Codes (PAC) in user mode to execute malicious code (patched in iOS 26.3).
CVE-2025-14174: Memory corruption vulnerability in ANGLE/WebKit, used for sandbox escape via the GPU process (patched in iOS 18.7.3 and 26.2).
CVE-2025-43510: Memory management vulnerability in the iOS kernel, allowing attackers to gain the highest level of access (patched in iOS 18.7.2 and 26.1).
CVE-2025-43520: Memory corruption vulnerability in the iOS kernel (patched in iOS 18.7.2 and 26.1).
MITRE ATT&CK Mapping
The mapping below uses MITRE ATT&CK for Mobile combined with the Enterprise framework for the phishing section:
| Tactic | Technique | Campaign description |
|---|---|---|
| Initial Access | T1660 — Phishing | Phishing email Atlantic Council from compromised account |
| Initial Access | T1456 — Drive-By Compromise | Redirect iPhone to DarkSword exploit page |
| Execution | T1404 — Exploitation for Client Execution | Safari WebKit JIT exploit → RCE |
| Privilege Escalation | T1404 | Kernel exploit chain (PAC bypass → kernel R/W) |
| Defense Evasion | T1630.002 — Indicator Removal: File Deletion | Server-side filtering return decoy to sandbox |
| Collection | T1636 — Protected User Data | GHOSTBLADE collects contacts, messages, WiFi creds |
| Command & Control | T1437 — Application Layer Protocol | C2 through escofiringbijou[.]com |
MITRE ATT&CK Group: G1033 — Star Blizzard
Assessment
"National-level" exploit democratization
The main story here isn't TA446—it's the GitHub leak turning an iOS full-chain exploit into a commodity. Before March 23, 2026, a complete iOS exploit chain was worth millions on the black market, held by only a few top state actors and exploit brokers. Three days after the leak, an APT group known only for credential phishing successfully integrated at least part of the chain. Justin Albrecht from Lookout noted: "DarkSword has overturned the perception that iPhones are immune to cyber threats and that only government officials are targets of sophisticated mobile attacks." TA446 is likely just the first group discovered. With the source code public on GitHub, we predict more APT groups and even cybercriminal groups will adopt DarkSword in the coming weeks.
TA446 pivot: From phishing form to iOS full chain
This is a significant capability leap. TA446/COLDRIVER has been active for nearly 10 years with almost unchanged tactics: creating fake login pages and stealing passwords. WhatsApp account takeovers and the MAYBEROBOT backdoor were rare "upgrades."
Adopting DarkSword opens up a completely new attack vector—direct device infiltration instead of just credential theft. However, consider:
The sandbox escape component has not been observed in practice.
Proofpoint noted they "haven't directly observed the delivery of the iOS exploit kit," inferring from indirect evidence (DarkSword loader on VirusTotal referencing TA446's C2 domain).
It's possible TA446 is in the integration phase, not yet fully operating the entire chain.
Perspectives for organizations in Vietnam
iPhones are trusted by many business leaders, financial institutions, and government agencies in Vietnam—often with the belief that "iOS is more secure than Android." DarkSword's public release fundamentally challenges this assumption.
Key points to consider:
TA446 targets include think tanks and intergovernmental organizations—policy research institutes and international organizations operating in Vietnam are at risk.
DarkSword's public release means mobile risk is no longer theoretical. Previously, the iOS exploit chain was an exclusive nation-state weapon. Now, even motivated script kiddies can access it.
MDM (Mobile Device Management) and Apple Lockdown Mode need to be seriously reassessed—not as a "nice to have" but as essential defenses for personnel with access to sensitive information.
Recommendations
Immediate (0-24h)
Update iOS to version 18.7.6 or iOS 26.3.1 for all devices in the organization—no alternative workaround
Block IOC domains on DNS resolver and proxy:
escofiringbijou[.]com
motorbeylimited[.]com
bridetvstreaming[.]org
Scan the email gateway for spoofed emails from the Atlantic Council or similar international organizations over the past two weeks.
Issue an internal alert to senior personnel and those with access to sensitive information about this phishing campaign.
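The first step above is a fleet-wide version check, and the hard part in practice is deciding which devices to force-update first. The Python below is an added example, not code from the original article, Proofpoint, or Apple. It classifies an MDM inventory export against the version numbers the article gives (DarkSword targets iOS 18.4 through 18.6.2; Apple fixed the full chain in iOS 18.7.6 and 26.3.1). The inventory rows, their field names and the status labels are constructed assumptions; a release such as 18.7.3 sits outside the original DarkSword target range but still below the full-chain baseline, so it is reported as unpatched rather than as safe.

```python
"""Triage an iOS device inventory against the DarkSword patch baseline.

Added example (not from the original article, Proofpoint, or Apple).
Version numbers are quoted from the article; the inventory below is
constructed sample data and its field names are an assumption about an
MDM export.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Range of releases the article says DarkSword targets.
AFFECTED_MIN = (18, 4, 0)
AFFECTED_MAX = (18, 6, 2)
# Minimum release per major line with the whole chain fixed (article: 18.7.6 / 26.3.1).
PATCH_BASELINE = {18: (18, 7, 6), 26: (26, 3, 1)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.6.2' or '18.7' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected iOS version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def classify(version_text: str) -> str:
    """Return 'patched', 'in-darksword-range', 'unpatched' or 'review'."""
    v = parse_version(version_text)
    baseline = PATCH_BASELINE.get(v[0])
    if baseline is None:
        # A major line the article gives no baseline for (iOS 17 or older):
        # it is below both fixed releases, so flag it for manual review.
        return "review"
    if v >= baseline:
        return "patched"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "in-darksword-range"
    # Below the full-chain fix but outside the original target range
    # (for example 18.7.3): still not at the baseline, so not safe.
    return "unpatched"


@dataclass
class Device:
    name: str          # assumed MDM field
    ios_version: str   # assumed MDM field


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Group device names by status, most urgent category first."""
    report: Dict[str, List[str]] = {
        "in-darksword-range": [], "unpatched": [], "review": [], "patched": []
    }
    for d in devices:
        report[classify(d.ios_version)].append(d.name)
    return report


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("cfo-iphone", "18.6.2"),
    Device("analyst-iphone", "18.7.3"),
    Device("ciso-iphone", "18.7.6"),
    Device("counsel-ipad", "26.2"),
    Device("exec-iphone", "26.3.1"),
    Device("legacy-iphone", "17.7.2"),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_DEVICES).items():
        print(f"{status:20s} {', '.join(names) or '-'}")
```

Run it against a CSV or JSON export from your MDM by building `Device` objects from the two columns; the "in-darksword-range" bucket is the one to push updates to first, and anything in "review" needs a human to check whether the hardware can reach a patched release at all.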
Short-term (1-7 days)
Review MDM compliance: Establish a minimum iOS version policy, force updates for non-compliant devices
Threat hunting in email logs: Look for email patterns with links (instead of attachments) from external senders impersonating international organizations
Audit VirusTotal/sandbox for DarkSword loader hash:
MD5: 5fa967dbef026679212f1a6ffa68d575
Review web proxy logs for connections to the IOC domains listed above.
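The domain blocking, hash audit and proxy-log review steps above, like the IOC section earlier, all come down to matching the published indicators against your own telemetry without the two usual mistakes (missing a subdomain of an IOC, or matching a look-alike that merely contains it). The Python below is an added example, not from the original article or Proofpoint. It refangs the indicators exactly as printed and scans a constructed set of DNS and proxy log lines plus a constructed hash list; the log layout is an assumption about a generic resolver/proxy export.

```python
"""Hunt DNS/proxy logs and hash lists for the TA446/DarkSword indicators.

Added example, not from the original article or from Proofpoint. The
indicator values are the ones the article publishes; the log lines and
hash list are constructed sample data, and the log layout is an assumption
about a generic resolver/proxy export.
"""
import re
from typing import List, Optional, Tuple

# Defanged indicators exactly as printed in the article.
IOC_DOMAINS_DEFANGED = [
    "escofiringbijou[.]com",   # TA446 second-stage C2 (confirmed)
    "motorbeylimited[.]com",   # compromised domain delivering DarkSword
    "bridetvstreaming[.]org",  # compromised domain delivering DarkSword
]
# DarkSword loader MD5 from the article (the SHA-256 was not public).
IOC_MD5 = {"5fa967dbef026679212f1a6ffa68d575"}


def refang(indicator: str) -> str:
    """Turn the defanged form ('[.]', 'hxxp') back into a matchable host."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def host_matches(host: str) -> Optional[str]:
    """Return the IOC that host equals or is a subdomain of, else None.

    Suffix matching on a leading dot avoids treating 'notescofiringbijou.com'
    as a hit while still catching 'cdn.motorbeylimited.com'; a host such as
    'escofiringbijou.com.example.net' is correctly not a hit.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Pulls hostname-looking tokens (optionally behind a URL scheme) out of a line.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, matched_ioc, line) for every line touching an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            ioc = host_matches(m.group(1))
            if ioc:
                hits.append((n, ioc, line.strip()))
                break  # one hit per line is enough for triage
    return hits


def scan_hashes(hashes: List[str]) -> List[str]:
    """Return the hashes (normalised to lowercase) that match the loader MD5."""
    return sorted({h.strip().lower() for h in hashes} & IOC_MD5)


# Constructed sample telemetry (not real traffic).
SAMPLE_LOG = [
    "2026-03-26T09:14:02Z dns client=10.1.4.22 q=www.example.org type=A",
    "2026-03-26T09:14:05Z dns client=10.1.4.22 q=motorbeylimited.com type=A",
    "2026-03-26T09:14:09Z proxy client=10.1.4.22 GET https://cdn.motorbeylimited.com/index.html 200",
    "2026-03-26T09:16:41Z proxy client=10.1.4.22 POST https://escofiringbijou.com/ 200",
    "2026-03-26T09:17:00Z dns client=10.1.9.8 q=escofiringbijou.com.example.net type=A",
]
SAMPLE_HASHES = [
    "5FA967DBEF026679212F1A6FFA68D575",  # the article's loader MD5, uppercased
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of the empty file, benign filler
]

if __name__ == "__main__":
    for n, ioc, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ioc} <- {line}")
    print("hash hits:", scan_hashes(SAMPLE_HASHES))
```

Feed `scan_log` the lines of your resolver or proxy export and `scan_hashes` the MD5 column of your sandbox or VirusTotal submission history; a hit on the C2 domain from a client that also queried one of the delivery domains a few seconds earlier is the sequence to escalate first.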
Long-term
Deploy Apple Lockdown Mode for high-risk personnel (C-level, IT admin, staff with access to sensitive data). Lockdown Mode significantly reduces the attack surface by disabling JIT compilation in Safari—exactly the vector exploited by DarkSword.
Evaluate MTD (Mobile Threat Defense) solutions like iVerify, Lookout, or Zimperium. These solutions can detect exploit chain behavior that traditional MDM does not cover.
Develop a playbook for mobile exploit incidents—most organizations have playbooks for endpoints (Windows/macOS) but lack procedures for iOS compromises.
Internal communication: Update awareness that "iPhone is more secure" is only true when devices are promptly updated. DarkSword operates fully on unpatched devices.