TA446 Uses DarkSword Exploit Kit to Target iPhone Users
Russia-linked espionage group TA446 has initiated a new phishing campaign using the DarkSword exploit kit to compromise iOS devices, leveraging Atlantic Council-themed lures.
This operation highlights the rapid weaponization of leaked iOS exploit chains against high-value policy and government targets.
Unlike earlier TA446 tactics relying on password-protected ZIP attachments with malware like MAYBEROBOT, this campaign uses URL-based delivery to redirect victims to DarkSword.
Proofpoint observed a spike in spear-phishing emails from TA446 spoofing Atlantic Council invitations on March 26, targeting government, think-tank, higher-education, financial, and legal organizations.
Sandboxed analysis received a benign PDF, indicating server-side filtering ensured only real iPhone browsers encountered the exploit chain.
DarkSword Exploit Kit
Researchers linked TA446’s DarkSword activity through second-stage domains and compromised redirectors.
The primary exploit-hosting domain is escofiringbijou[.]com, controlled by TA446 and used in prior phishing. Related redirectors are motorbeylimited[.]com and bridetvstreaming[.]org.
Only the March 26 Atlantic Council-spoofing activity uses DarkSword; previous TA446 campaigns showed no evidence of exploits or Apple device targeting.
Proofpoint assesses TA446 adopted DarkSword mainly for credential theft and intelligence collection, broadening its reach to iOS users without abandoning its focus on policy/civil-society targets.
DarkSword is a leaked iOS exploit chain allowing one-click compromise of specific iOS 18.x versions, combining Safari exploitation, RCE, PAC bypass, sandbox escape, and in-memory implants.
TA446 delivered redirector, loader, RCE, and PAC bypass stages via DarkSword but sandbox-escape components haven’t been observed yet.
Security analysts warn the DarkSword leak and TA446 weaponization lower the barrier for other actors to launch advanced iOS espionage campaigns.
Apple responded by pushing security updates and sending on-device notifications urging users on older iOS versions to patch immediately.
Mitigations for iOS users
Defenders should prioritize rapidly deploying the latest iOS and iPadOS security updates, as Apple patched the vulnerabilities.
High-risk users should treat unsolicited “event” or “roundtable” invitations with links as suspicious, verifying via trusted channels.
Mobile threat detection and managed threat-hunting focused on Safari exploits and anomalous iOS network activity are crucial.
Email gateways and web proxies can block TA446 infrastructure (escofiringbijou[.]com, motorbeylimited[.]com, bridetvstreaming[.]org) and enforce HTTPS inspection to detect exploit-kit traffic patterns.