Russian State Hackers Deploy iOS Zero-Day Exploit Kit in Global Phishing Campaign

TA446, a Russian state-sponsored group, is using the leaked DarkSword iOS exploit kit to target iPhones worldwide through sophisticated spear-phishing emails.
Russian state-sponsored hackers have launched a sophisticated global phishing campaign targeting iOS devices using the leaked DarkSword exploit kit, marking a significant escalation in mobile espionage capabilities.
The campaign, attributed to the Russian threat group TA446 (also known as Callisto, COLDRIVER, and Star Blizzard), represents the first observed use of the DarkSword exploit kit by this group. Proofpoint and Malfors researchers discovered the campaign targeting victims across government, think tanks, higher education, financial, and legal sectors.

How the Attack Works
The phishing emails spoof legitimate organizations, specifically the Atlantic Council, using fake "discussion invitation" subject lines. These emails were sent from compromised accounts on March 26, 2026, and contained links that redirect victims to the DarkSword exploit kit.
Once an iPhone user clicks the malicious link, the exploit kit attempts to compromise the device through several stages:
- Initial redirector that identifies iOS browsers
- Exploit loader that prepares the device for compromise
- Remote code execution components that establish initial access
- Pointer Authentication Code (PAC) bypass mechanisms that evade iOS security protections
The campaign also deploys secondary malware including GHOSTBLADE, a data miner, and MAYBEROBOT, a known backdoor delivered via password-protected ZIP files.
High-Profile Target
One notable recipient was Leonid Volkov, a prominent Russian opposition politician and political director of the Anti-Corruption Foundation. This targeting aligns with TA446's historical focus on political dissidents and opposition figures.
Broader Implications
The use of DarkSword by TA446 signals a concerning trend in mobile espionage. According to Justin Albrecht, principal researcher at Lookout, "DarkSword refutes the common belief that iPhones are immune to cyber threats, and that advanced mobile attacks are only used in targeted efforts against governments and high-ranking officials."
The leaked, plug-and-play version of DarkSword allows even unskilled threat actors to deploy advanced iOS espionage capabilities, effectively turning sophisticated nation-state tools into commodity malware.
Apple's Response
In response to the threat, Apple has begun sending Lock Screen notifications to iPhones and iPads running older iOS and iPadOS versions. These alerts warn users about web-based attacks and urge immediate updates to block the threat.
This unusual step demonstrates Apple's assessment that the DarkSword exploit poses a broad enough threat to require direct user notification, rather than relying solely on automatic security updates.
Technical Analysis
Security researchers found that TA446-controlled domains served the complete DarkSword exploit chain, including the initial redirector, exploit loader, and bypass components. However, there's no evidence that sandbox escapes were delivered in this campaign.
A DarkSword loader uploaded to VirusTotal referenced "escofiringbijou[.]com," a second-stage domain attributed to the threat actor, providing additional confirmation of TA446's use of the exploit kit.
Protection Recommendations
Organizations and individuals should:
- Update iOS and iPadOS devices to the latest versions immediately
- Be extremely cautious with unsolicited emails, especially those containing links
- Implement email filtering to detect and block phishing attempts
- Monitor for unusual device behavior that might indicate compromise
- Consider mobile device management solutions for enterprise environments
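The email-filtering and monitoring recommendations above can be turned into a simple hunt over proxy and mail logs using the details this write-up gives: the defanged second-stage domain escofiringbijou[.]com from the Technical Analysis section, the "discussion invitation" subject lure, and the spoofed Atlantic Council sender. The script below is an added illustration, not code from the article or from Proofpoint; the key=value log format, the sample log records, the user-agent strings and the sender addresses are all constructed for the example, and matching a lure subject together with a spoofed display name is a triage heuristic, not a confirmed-compromise rule.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

# Indicators and lure details taken from the write-up above.
# escofiringbijou[.]com is the defanged second-stage domain quoted there;
# the subject phrase and spoofed organisation are the lure details it describes.
DEFANGED_DOMAINS = ["escofiringbijou[.]com"]
LURE_SUBJECT_PHRASES = ["discussion invitation"]
SPOOFED_ORGS = ["atlantic council"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('example[.]com', 'hxxps://') into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]


def host_matches(host: str, ioc_domains: Iterable[str]) -> bool:
    """True if host equals an IoC domain or is a subdomain of one (not a look-alike prefix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


@dataclass
class Finding:
    source: str      # "proxy" or "mail"
    line_no: int
    reason: str
    line: str


# Hypothetical key=value log format used for the constructed samples: key="quoted value" or key=bare
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line: str) -> dict:
    """Split one key=value log record into a dict (quoted values may contain spaces)."""
    return {k: (q or b) for k, q, b in _FIELD_RE.findall(line)}


def scan_proxy(lines: Iterable[str]) -> List[Finding]:
    """Flag proxy records whose destination host is the known DarkSword second-stage domain."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_fields(line)
        host = urlsplit(f.get("url", "")).hostname or ""
        if host and host_matches(host, IOC_DOMAINS):
            ua = f.get("ua", "").lower()
            reason = f"destination {host} matches DarkSword second-stage IoC"
            if "iphone" in ua or "ipad" in ua:
                reason += " (iOS user agent)"   # the kit only fires on iOS browsers
            findings.append(Finding("proxy", n, reason, line))
    return findings


def scan_mail(lines: Iterable[str]) -> List[Finding]:
    """Flag mail records that match the lure: a 'discussion invitation' subject
    combined with a sender display name claiming the spoofed organisation.
    This is a hunting heuristic for analyst review, not a blocking rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_fields(line)
        subject = f.get("subject", "").lower()
        sender = f.get("from", "").lower()
        lure = any(p in subject for p in LURE_SUBJECT_PHRASES)
        spoof = any(org in sender for org in SPOOFED_ORGS)
        if lure and spoof:
            findings.append(Finding("mail", n, "lure subject with spoofed sender display name", line))
    return findings


def run(proxy_lines: Iterable[str], mail_lines: Iterable[str]) -> List[Finding]:
    return scan_proxy(proxy_lines) + scan_mail(mail_lines)


# Constructed sample records (not from the article); hosts, addresses and UA strings are invented.
SAMPLE_PROXY = [
    'ts=2026-03-26T09:12:01Z src=10.20.0.14 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X)" url=https://www.example.org/news status=200',
    'ts=2026-03-26T09:12:44Z src=10.20.0.14 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X)" url=https://escofiringbijou.com/ status=200',
    'ts=2026-03-26T09:13:10Z src=10.20.0.31 ua="Mozilla/5.0 (Windows NT 10.0)" url=https://cdn.example.net/lib.js status=304',
]
SAMPLE_MAIL = [
    'ts=2026-03-26T08:58:30Z from="Atlantic Council Events <someone@compromised.example>" subject="Discussion invitation: roundtable" rcpt=analyst@corp.example',
    'ts=2026-03-26T09:01:02Z from="HR <hr@corp.example>" subject="Team lunch" rcpt=analyst@corp.example',
]

if __name__ == "__main__":
    for fnd in run(SAMPLE_PROXY, SAMPLE_MAIL):
        print(f"[{fnd.source}] line {fnd.line_no}: {fnd.reason}")
```

Run against the constructed samples it reports the second proxy record (iOS client reaching the second-stage domain) and the first mail record (lure subject from a display name claiming the spoofed organisation). The subdomain-aware `host_matches` avoids both missing `cdn.<ioc>` style hosts and false-matching look-alike domains that merely start with the IoC string.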
The campaign demonstrates that even sophisticated mobile operating systems like iOS remain vulnerable to targeted exploits, particularly when nation-state actors gain access to advanced tools. The democratization of such capabilities through leaks poses an ongoing challenge for mobile security.
