TA 446 is reported to have deployed the leaked DarkSword iOS exploit kit in a targeted spear-phishing campaign, according to The Hacker News. Proofpoint disclosed details of a targeted email campaign in which threat actors with ties to Russia leverage DarkSword to target iOS devices, with high confidence attributed to TA446, a Russian state-sponsored group also known as Callisto, COLDRIVER and Star Blizzard and reportedly affiliated with Russia’s FSB.
The campaigns have previously pursued credentials from a range of sectors, but the latest activity involved fake “discussion invitation” emails spoofing the Atlantic Council to deliver GHOSTBLADE, a dataminer malware, via the DarkSword exploit kit; the emails were sent on 26 March 2026 and one recipient was Leonid Volkov, a Russian opposition politician. An automated analysis redirected to a benign decoy PDF document, and there is no evidence of sandbox escapes.
The researchers note that TA446 appears to be repurposing DarkSword for credential harvesting and intelligence collection, broadening the target set to government, think tanks, higher education, financial and legal entities, while Apple has urged users to update to block web-based attacks and a new version of DarkSword has appeared on GitHub.