Russian APT TA446 weaponizes leaked DarkSword exploit kit to target iPhones via spear-phishing

The leaked DarkSword iOS exploit kit is already being weaponized. Proofpoint attributes a new spear-phishing campaign to TA446 (also known as COLDRIVER/Star Blizzard), a Russian FSB-linked group that has never previously targeted Apple devices. The emails spoof Atlantic Council discussion invitations and redirect iPhone users to the exploit kit, which deploys the GHOSTBLADE dataminer. Proofpoint warns the targeting is unusually broad - hitting government, finance, legal, and education sectors.

Check

Ensure all company iPhones and iPads are updated, and alert staff about spoofed discussion invitation emails.

Affected

iPhones running iOS 18.4 through 18.7.1. TA446 targets government, think tank, higher education, financial, and legal organizations.

Fix

Update to iOS 18.7.2 or later. Block the domains escofiringbijou[.]com, motorbeylimited[.]com, and bridetvstreaming[.]org. Enable Lockdown Mode on high-risk devices.