HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

TA446 Leverages DarkSword iOS Exploit Kit in Targeted Spear‑Phishing Campaign Against Mobile Users

Proofpoint reports that Russian‑state‑sponsored group TA446 is running a spear‑phishing campaign that drops the DarkSword iOS exploit kit. The zero‑day kit can compromise iOS devices, exposing credentials and corporate data. Organizations allowing iOS access must reassess mobile security controls.

LiveThreat™ Intelligence · 📅 March 28, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
thehackernews.com

TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear‑Phishing Campaign Against Mobile Users

What Happened – Proofpoint uncovered a high‑confidence attribution of a Russian‑state‑backed group (TA446, also known as Callisto) running a spear‑phishing campaign that delivers the recently leaked DarkSword iOS exploit kit. The kit is used to execute zero‑day code on iOS devices, enabling the installation of credential‑stealing and surveillance payloads.

Why It Matters for TPRM

  • Mobile endpoints are increasingly used to access corporate resources; a compromise can bypass traditional network defenses.
  • The exploit targets zero‑day vulnerabilities, meaning standard antivirus and patch‑management may be ineffective.
  • Successful attacks can lead to credential theft, data exfiltration, and lateral movement into partner environments.

Who Is Affected – Technology SaaS providers, financial services firms, telecommunications operators, and any organization that permits iOS devices to access sensitive systems or data.

Recommended Actions

  • Review and tighten Mobile Device Management (MDM) policies; enforce encryption, app vetting, and jailbreak detection.
  • Ensure all iOS devices run the latest OS version and apply any emergency patches released by Apple.
  • Deploy advanced email security (DMARC, anti‑phishing AI) and user training focused on spear‑phishing indicators.
  • Conduct threat‑hunts for DarkSword IOCs across endpoint logs and network traffic.
  • Update incident‑response playbooks to include iOS‑specific containment and forensic steps.

Technical Notes – Attack vector: spear‑phishing emails with malicious links that trigger the DarkSword exploit kit on iOS. No public CVE IDs have been disclosed for the underlying zero‑day, but the kit is known to chain multiple iOS kernel vulnerabilities. Compromised data may include corporate credentials, email archives, and proprietary documents. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →