SecurityWeek, archived Apr 17, 2026
Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit
A Russian state-sponsored hacking group tracked as Star Blizzard has adopted the DarkSword iOS exploit kit in an ongoing campaign, Proofpoint reports.
On Friday, investigation platform Malfors warned that a Russian threat actor has been using Atlantic Council lures in an email campaign delivering the DarkSword-linked GhostBlade malware.
Shortly after, Proofpoint attributed the campaign to Star Blizzard, an APT associated with the Russian intelligence service FSB and which is also tracked as Callisto, ColdRiver, SeaBorgium, and TA446.
According to the cybersecurity firm, the messages were observed on March 26 and originated from multiple compromised sender addresses.
Over the past two weeks, Proofpoint says, Star Blizzard has significantly increased the volume of malicious emails compared to its normal operational tempo.
The March 26 activity represented a similar spike in volume and marked another shift in attack tradecraft: the emails contained links instead of malicious attachments.
“Proofpoint automated analysis was redirected to a benign decoy PDF, likely because of server-side filtering to only redirect iPhone browsers to the exploit kit,” the cybersecurity firm says.
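The iPhone-only redirect that sent Proofpoint's automated analysis to a decoy PDF is a cloaking pattern an analyst can test for by re-fetching a link under several User-Agent strings and comparing where each client is sent. The block below is an added example, not code from Proofpoint or SecurityWeek; the filtering server is a constructed localhost stand-in, and the User-Agent strings and function names are assumptions.

```python
# Added example (not Proofpoint's or SecurityWeek's code): probe a lure URL under
# several User-Agent strings and flag divergent destinations. The redirector is a
# constructed stand-in on localhost; no real infrastructure is contacted.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class FilteringRedirector(BaseHTTPRequestHandler):  # constructed stand-in server
    def do_GET(self):
        # Only iPhone clients are sent to the staging page; everyone else gets a decoy.
        target = "/stage.html" if "iPhone" in self.headers.get("User-Agent", "") else "/decoy.pdf"
        self.send_response(302)
        self.send_header("Location", target)
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 302 as HTTPError instead of following it

PROBE_AGENTS = {  # constructed client strings an analyst would compare
    "desktop_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0 Safari/537.36",
    "sandbox_python": "Python-urllib/3.12",
    "iphone_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) "
                     "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1",
}

def probe_redirects(url, agents=PROBE_AGENTS):
    """Return {label: Location header} for one unfollowed request per User-Agent."""
    opener = urllib.request.build_opener(NoRedirect)
    results = {}
    for label, ua in agents.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        try:
            results[label] = opener.open(req, timeout=5).headers.get("Location")
        except urllib.error.HTTPError as err:  # the 302 lands here because of NoRedirect
            results[label] = err.headers.get("Location")
    return results

def looks_cloaked(results):
    """True when different clients are steered to more than one destination."""
    return len(set(results.values())) > 1

def run_demo():
    """Start the stand-in redirector on a free port, probe it, and return the per-UA map."""
    server = HTTPServer(("127.0.0.1", 0), FilteringRedirector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_redirects("http://127.0.0.1:%d/lure" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

A divergent result is the cue to re-detonate the link under the mobile User-Agent rather than trusting the decoy the sandbox received.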
It also notes that it has found evidence that Star Blizzard has added the DarkSword iOS exploit kit to its arsenal, pointing out that this is the first time the APT has been seen targeting iCloud accounts and Apple devices.
The evidence, Proofpoint notes, includes a DarkSword loader uploaded to VirusTotal that references a second-stage domain associated with the hacking group, and a submission on @URLScan showing the use of the exploit.
The known Star Blizzard domain was “serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed,” Proofpoint says.
The cybersecurity firm has not observed the exploit kit’s delivery, but believes that the Russian APT has adopted it for credential harvesting and intelligence collection after someone leaked it on GitHub.
The Atlantic Council-themed campaign has targeted financial, government, higher education, and legal entities, as well as think tanks, “indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set,” Proofpoint notes.
Related: Coruna iOS Exploit Kit Likely an Update to Operation Triangulation
Related: Russian APT Exploits Zimbra Vulnerability Against Ukraine
Related: Ex-US Defense Contractor Executive Jailed for Selling Exploits to Russia
Related: Russia-Linked APT Star Blizzard Uses ClickFix to Deploy New LostKeys Malware, Google Warns
Written by Ionut Arghire, international correspondent for SecurityWeek.