Russian-linked hackers weaponize leaked DarkSword against iPhones

2026-03-30 · Source: Dataconomy · Field: Technology & Digital — Cybersecurity & Data Privacy · Depth: Intermediate, quick

Summary

Russian state-sponsored hackers, identified as TA446 (affiliated with Russia's FSB), have launched a spear-phishing campaign weaponizing the recently leaked DarkSword iOS exploit kit to target Apple devices and iCloud accounts. This campaign, observed by Proofpoint, uses fake "discussion invitation" emails to deliver GHOSTBLADE dataminer malware, marking TA446's first known attempt at mobile exploitation beyond their usual credential-harvesting tactics. The DarkSword kit, which exploits six vulnerabilities including three zero-days affecting iOS versions 18.4-18.7, was leaked on GitHub on March 23, raising concerns about broader access to advanced exploits. Targets include prominent opposition figures and various institutions like government, finance, and education. In response, Apple has issued Lock Screen notifications and released updates (iOS 15.8.7, 16.7.15) while recommending Lockdown Mode for users unable to update.

Key takeaway

Russian state-sponsored hackers (TA446/FSB) are now weaponizing the leaked DarkSword iOS exploit kit in spear-phishing campaigns, marking their first known attempt to compromise Apple devices and iCloud accounts. This kit exploits six vulnerabilities, including three zero-days, affecting iOS 18.4-18.7, with its public leak increasing accessibility for less skilled actors. All users, especially those in targeted sectors like government and finance, must immediately update iOS and consider Lockdown Mode to defend against this advanced mobile threat.

Topics

• Russian State-Sponsored Hacking
• DarkSword iOS Exploit Kit
• TA446 Threat Actor
• Spear-Phishing Campaigns
• Mobile Exploitation

Best for: CTO, VP of Engineering/Data, Executive, Security Engineer, IT Professional, Tech Journalist

Related on AIssential

• Still running iOS 18? Install this critical update ASAP — Apple has released a critical security patch for iPhones and iPads still running iOS 18 and iPadOS 18, specifically versions 18.7.7, to protect against the dangerous DarkSword spyware exploit.
• Pro-Iran hacktivist group says it is behind attack on medical tech giant Stryker — A pro-Iran hacktivist group named Handala claimed responsibility for a cyberattack on U.S.
• How to turn on Lockdown Mode on iPhone - so even the FBI can't get in — Lockdown Mode offers extreme iPhone security by severely limiting features, primarily for high-risk users.
• Your router may be vulnerable to Russian hackers, FBI warns: 5 steps to take now — The FBI and NSA have issued new advisories warning that Russian GRU cybercrime group APT28 (aka Fancy Bear/Forest Blizzard) is actively targeting vulnerable routers globally, including small office/ho…
• Valid certificates, stolen accounts: how attackers broke npm's last trust signal — Automated trust signals in developer tools are broken by credential theft and design flaws, enabling widespread supply chain attacks.
• About Apple’s Privacy (Ep. 302) — Apple's "privacy brand" is an illusion, as its closed ecosystem makes iPhones prime targets for sophisticated state-sponsored surveillance.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Dataconomy.