A Russian state-sponsored hacking group tracked as Star Blizzard has adopted the DarkSword iOS exploit kit in an ongoing campaign, according to Proofpoint. The campaign has used Atlantic Council-themed lures in an email campaign delivering the DarkSword-linked GhostBlade malware, with the messages observed on 26 March and originating from multiple compromised sender addresses.
Proofpoint notes that Star Blizzard, an APT associated with the Russian intelligence service FSB and also tracked as Callisto, ColdRiver, SeaBorgium, and TA446, has significantly increased the volume of malicious emails over the past two weeks, and that the tradecraft shifted from attachments to links. The firm asserts the DarkSword loader, a second-stage domain, and other components were added to Star Blizzard’s arsenal, marking the first observed targeting of iCloud accounts and Apple devices.
Proofpoint also suggests that, following a GitHub leak of the kit, the attacker may be harvesting credentials and gathering intelligence; the evidence cited includes a DarkSword loader uploaded to VirusTotal and a URLScan submission showing the exploit in use.