Proofpoint recently identified a Russian-aligned cyberattack using the DarkSword exploit kit to target iPhone users through deceptive emails. The operation, linked to the FSB-affiliated group TA446, used a fake invitation from the Atlantic Council to deliver GHOSTBLADE malware to high-profile figures.
Russian state-sponsored actors known as TA446 have launched a focused email operation using the DarkSword exploit kit to compromise iOS devices. This group, also tracked as Callisto and Star Blizzard, is believed to operate on behalf of the Russian Federal Security Service. While its traditional methods involve spear-phishing for credentials, its recent tactics have expanded to include compromising WhatsApp accounts and deploying various custom malware families for data extraction.
The current campaign utilizes sophisticated social engineering by sending emails that appear to be discussion invitations from the Atlantic Council. These messages, sent from compromised accounts as recently as March 26, 2026, are designed to trick recipients into clicking links that lead to the delivery of GHOSTBLADE, a specialized dataminer. Notable targets of this specific wave include Leonid Volkov, a prominent Russian opposition leader associated with the Anti-Corruption Foundation.
The technical execution of the attack shows a high level of selectivity and evasion. When security tools attempt to analyze the malicious links, they are often redirected to harmless decoy PDF documents instead. This suggests that the attackers have implemented server-side filtering so that the exploit kit is only served when the requesting browser looks like a real iPhone, which protects the infrastructure from discovery by automated scanners and sandboxes.
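The User-Agent gating described above is exactly why a single sandbox detonation can come back "clean" with only a decoy PDF. One triage check a defender can run is to fetch the same link under several browser profiles and compare what each one receives; if the iPhone profile is the only one that gets something different, the link is cloaking. The script below is an added example written for this article, not Proofpoint's tooling or anything recovered from the campaign: the User-Agent strings, the hypothetical URL and the "server" that returns HTML only to the iPhone profile are all constructed so the code runs offline.

```python
"""Flag User-Agent-based cloaking on a suspicious link by probing it with
several browser profiles and grouping profiles by the response they got."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.request import Request, urlopen

# Browser profiles to probe with. The iPhone Safari string is the kind a
# mobile-only exploit kit would gate on; the others stand in for desktop
# users and the automated scanners that the decoy PDF is meant to satisfy.
USER_AGENTS: Dict[str, str] = {
    "iphone_safari": ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                      "AppleWebKit/605.1.15 (KHTML, like Gecko) "
                      "Version/17.0 Mobile/15E148 Safari/604.1"),
    "desktop_chrome": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                       "AppleWebKit/537.36 (KHTML, like Gecko) "
                       "Chrome/120.0.0.0 Safari/537.36"),
    "curl": "curl/8.4.0",
    "python_urllib": "Python-urllib/3.12",
}

Response = Tuple[int, str, bytes]  # (HTTP status, Content-Type, body)

# Constructed stand-in for the remote server: it hands an HTML landing page
# to the iPhone profile and the same decoy PDF to everyone else. This is
# sample data for the example, not traffic captured from the campaign.
_CONSTRUCTED_SERVER: Dict[str, Response] = {
    "iphone_safari": (200, "text/html; charset=utf-8",
                      b'<html><body><script src="/s.js"></script></body></html>'),
}
_DECOY: Response = (200, "application/pdf", b"%PDF-1.4 constructed decoy document")


def fetch_constructed(url: str, profile: str, user_agent: str) -> Response:
    """Offline fetcher that mimics a User-Agent-gated server."""
    return _CONSTRUCTED_SERVER.get(profile, _DECOY)


def fetch_http(url: str, profile: str, user_agent: str, timeout: float = 10.0) -> Response:
    """Live fetcher with the same signature, for use from an isolated analysis
    host; not called in this example so the block runs without network."""
    req = Request(url, headers={"User-Agent": user_agent, "Accept": "*/*"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


def probe_for_cloaking(url: str, user_agents: Dict[str, str] = USER_AGENTS,
                       fetch=fetch_constructed) -> dict:
    """Fetch `url` once per profile and group the profiles by
    (status, media type, body hash). More than one group means the server
    is serving different content depending on the User-Agent."""
    groups: Dict[Tuple[int, str, str], List[str]] = defaultdict(list)
    for profile, ua in user_agents.items():
        status, ctype, body = fetch(url, profile, ua)
        media_type = ctype.split(";")[0].strip().lower()
        groups[(status, media_type, hashlib.sha256(body).hexdigest())].append(profile)

    variants = [
        {"status": s, "content_type": m, "body_sha256": h, "profiles": sorted(p)}
        for (s, m, h), p in groups.items()
    ]
    # The tell-tale pattern from the article: only the iPhone profile sees
    # a response that every other profile does not.
    mobile_only = any(v["profiles"] == ["iphone_safari"] for v in variants)
    return {"cloaked": len(variants) > 1, "mobile_only_variant": mobile_only,
            "variants": variants}


if __name__ == "__main__":
    # Hypothetical link; the constructed fetcher never touches the network.
    report = probe_for_cloaking("https://example.invalid/invitation")
    for v in report["variants"]:
        print(v["status"], v["content_type"], v["body_sha256"][:16], v["profiles"])
    print("cloaked:", report["cloaked"], "mobile-only variant:", report["mobile_only_variant"])
```

To use it against a real submission, swap `fetch_http` in for `fetch_constructed` from an isolated analysis host and keep every variant's body and hash: the decoy PDF is the sample a scanner would have filed as benign, while the HTML served to the iPhone profile is the artifact worth blocking on and handing to a reverse engineer. A `mobile_only_variant` result on a link from an unsolicited event invitation is a strong enough signal on its own to quarantine the message and alert the recipient, without needing the exploit to detonate.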
This shift toward mobile-specific exploits demonstrates an evolving strategy for Russian intelligence services as they pursue political targets. By moving beyond desktop systems and focusing on personal mobile devices, the group is able to access highly private communications and location data. The integration of the DarkSword kit indicates that these actors are quickly adopting new vulnerabilities to maintain their surveillance capabilities against dissidents and international policy organizations.
The discovery of this activity highlights the ongoing risk posed by state-aligned groups to individuals in the political and diplomatic sectors. As these threat actors refine their targeting and filtering mechanisms, the difficulty of detection increases for standard security software. Ongoing monitoring by organizations like Proofpoint remains essential for identifying these custom malware strains and protecting high-risk users from sophisticated state-sponsored intrusion.
Source: