securityaffairs.com 3/30/2026, 7:58:24 AM · via preferred

Russia-linked APT TA446 uses DarkSword exploit to target iPhone users in phishing wave

Primary source: twitter.com
Threat actor: 🇷🇺 Callisto

Russia-linked APT TA446, also known as SEABORGIUM and other aliases, is using the DarkSword iOS exploit kit in targeted spear-phishing campaigns aimed at iPhone users. The attacks rely on malicious emails to harvest credentials. According to Proofpoint researchers, the group adopted the leaked DarkSword exploit kit to extend its operations to Apple devices, a shift that broadens TA446’s potential impact.

On 26 March 2026, a surge in TA446-driven emails spoofing the Atlantic Council was observed. The campaign previously delivered the Mayberobot backdoor and now uses links rather than attachments. Analysis showed a benign PDF decoy and server-side filtering that redirected only iPhone users to the exploit kit, indicating targeted delivery tactics.

The researchers noted that Proofpoint attributed the activity to the Russian FSB-backed TA446 with high confidence and that the new DarkSword capability marked a notable uptake for credential harvesting and intelligence collection. Several TA446 domains and pieces of infrastructure were identified, including compromised domains used to deliver the kit, though no sandbox escapes were observed in these attacks.


Article by CyberSIXT