A Russian state-sponsored hacking group tracked as Star Blizzard has adopted the DarkSword iOS exploit kit in an ongoing campaign, Proofpoint reports.
On Friday, investigation platform Malfors warned that a Russian threat actor has been using Atlantic Council lures in an email campaign delivering the DarkSword-linked GhostBlade malware.
Shortly after, Proofpoint attributed the campaign to Star Blizzard, an APT associated with the Russian intelligence service FSB and which is also tracked as Callisto, ColdRiver, SeaBorgium, and TA446.
According to the cybersecurity firm, the messages were observed on March 26 and originated from multiple compromised sender addresses.
Over the past two weeks, Proofpoint says, Star Blizzard has significantly increased the volume of malicious emails compared to its normal operational tempo.
The March 26 activity represented a similar spike in volume and marked another shift in attack tradecraft: the emails contained links instead of malicious attachments.
“Proofpoint automated analysis was redirected to a benign decoy PDF, likely because of server-side filtering to only redirect iPhone browsers to the exploit kit,” the cybersecurity firm says.
It also notes that it has found evidence that Star Blizzard has added the DarkSword iOS exploit kit to its arsenal, pointing out that this is the first time the APT has been seen targeting iCloud accounts and Apple devices.
The evidence, Proofpoint notes, includes a DarkSword loader uploaded to VirusTotal that references a second-stage domain associated with the hacking group, and a URLScan submission showing the exploit kit in use.
The known Star Blizzard domain was “serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed,” Proofpoint says.
The cybersecurity firm has not observed the exploit kit’s delivery, but believes that the Russian APT has adopted it for credential harvesting and intelligence collection after someone leaked it on GitHub.
The Atlantic Council-themed campaign has targeted financial, government, higher education, and legal entities, as well as think tanks, “indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set,” Proofpoint notes.
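The server-side filtering Proofpoint describes, where sandbox and desktop visitors receive a benign decoy PDF and only iPhone browsers are redirected to the exploit kit, is a form of User-Agent cloaking. A practical triage check is to request the same link with several User-Agent strings, without following redirects, and compare where each one is sent. The block below is an added example written for this page, not Proofpoint's tooling or the article's own code. All hostnames (lure.example, second-stage.example), the simulated server and the User-Agent set are constructed for illustration; the fetcher is injectable so the example runs offline, and a urllib-based fetcher is included for live use.

```python
"""Probe a link for User-Agent-conditional redirects (added example).

Runs offline against a constructed server that mimics the described
behaviour: iPhone UAs get redirected to a second-stage host, everyone
else is served an inline decoy PDF.
"""
import urllib.error
import urllib.request
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Realistic UA strings for the probe set (constructed; extend as needed).
USER_AGENTS = {
    "desktop-chrome": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/122.0 Safari/537.36"),
    "iphone-safari": ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) "
                      "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 "
                      "Mobile/15E148 Safari/604.1"),
    "curl": "curl/8.5.0",
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Probe:
    status: int
    location: Optional[str]   # Location header if the server redirected
    content_type: str


# A fetcher takes (url, user_agent) and must NOT follow redirects,
# otherwise the per-UA divergence we are looking for is hidden.
Fetcher = Callable[[str, str], Probe]


def probe_url(url: str, fetch: Fetcher) -> Dict[str, Probe]:
    """Request the same URL once per User-Agent in the probe set."""
    return {name: fetch(url, ua) for name, ua in USER_AGENTS.items()}


def cloaking_verdict(results: Dict[str, Probe]) -> Dict[str, object]:
    """Flag the link when some UAs are sent somewhere the majority is not.

    Each probe is reduced to a target: the redirect host, or the inline
    content type when no redirect happened. Agents whose target differs
    from the most common one are reported as divergent.
    """
    targets: Dict[str, str] = {}
    for name, p in results.items():
        if p.status in REDIRECT_CODES and p.location:
            targets[name] = urlparse(p.location).netloc.lower()
        else:
            targets[name] = f"inline:{p.content_type}"
    majority, _ = Counter(targets.values()).most_common(1)[0]
    divergent = sorted(n for n, t in targets.items() if t != majority)
    return {"cloaked": bool(divergent), "divergent_agents": divergent, "targets": targets}


def simulated_cloaking_server(url: str, user_agent: str) -> Probe:
    """Constructed stand-in for the described filter (not a real host)."""
    if "iPhone" in user_agent:
        return Probe(302, "https://second-stage.example/loader.js", "text/html")
    return Probe(200, None, "application/pdf")


def urllib_fetcher(url: str, user_agent: str, timeout: int = 10) -> Probe:
    """Live fetcher for real triage: redirects are surfaced, not followed."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError instead
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Location"),
                         resp.headers.get("Content-Type", ""))
    except urllib.error.HTTPError as err:
        return Probe(err.code, err.headers.get("Location"),
                     err.headers.get("Content-Type", ""))


if __name__ == "__main__":
    verdict = cloaking_verdict(
        probe_url("https://lure.example/atlantic-council.pdf", simulated_cloaking_server))
    print(verdict)
```

Run against the simulated server, the verdict reports the iPhone agent as the only one redirected to second-stage.example while the others are served an inline PDF, which is exactly the pattern that caused the automated analysis above to see only the decoy. For live use, pass urllib_fetcher instead, from an isolated analysis host: the probes deliberately present as a real iPhone and will fetch whatever the server decides to serve.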
Facts Only
Russian state-sponsored hacking group Star Blizzard (also known as Callisto, ColdRiver, SeaBorgium, and TA446) has adopted the DarkSword iOS exploit kit.
The group is associated with Russia's FSB intelligence service.
A recent campaign involved emails with Atlantic Council-themed lures delivering GhostBlade malware.
The campaign was observed on March 26, originating from multiple compromised sender addresses.
Star Blizzard has increased the volume of malicious emails over the past two weeks.
The March 26 emails contained links instead of malicious attachments.
Proofpoint's automated analysis was redirected to a benign decoy PDF, likely because server-side filtering redirects only iPhone browsers to the exploit kit.
Evidence includes a DarkSword loader uploaded to VirusTotal referencing a Star Blizzard-associated domain.
A URLScan submission showed the use of the exploit.
The known Star Blizzard domain served the DarkSword exploit kit components.
The campaign targeted financial, government, higher education, legal entities, and think tanks.
The exploit kit was likely leaked on GitHub.
Full Take
The strongest version of this narrative highlights a concerning evolution in Russian cyber operations: a state-sponsored group rapidly adopting leaked exploit tools to target a broader range of victims, including Apple devices previously considered more secure. The shift from attachments to links suggests tactical adaptation, possibly to evade detection, while the focus on credential harvesting aligns with intelligence-gathering objectives. The use of Atlantic Council lures indicates a continued interest in influencing or monitoring Western policy circles.
Pattern scan: The narrative leans on authority (Proofpoint, Malfors) without over-reliance, and the technical details (VirusTotal, URLScan) provide verifiable anchors. No clear manipulation patterns are present, though the framing of "Russian threat" could subtly reinforce geopolitical narratives without explicit distortion.
Root cause: The paradigm here is the escalating cyber arms race, where state actors exploit leaked tools to maintain operational advantage. The unstated assumption is that attribution to Russia's FSB is definitive, though cyber attribution remains inherently probabilistic.
Implications: For defenders, this underscores that even a hardened platform such as iOS can be exploited once a working kit circulates, and that constant vigilance is required. The costs are borne by targeted institutions, while the benefits accrue to Russian intelligence. Second-order consequences may include increased scrutiny of Apple's security model and potential retaliatory cyber measures.
Bridge questions: How might the leak of DarkSword on GitHub alter the threat landscape beyond Star Blizzard? What countermeasures could mitigate the effectiveness of such exploit kits? Would evidence of non-state actors using similar tools change the strategic calculus?
Counterstrike scan: A coordinated influence campaign would amplify fears of Russian cyber dominance, possibly to justify expanded surveillance or military cyber budgets. The actual content, however, focuses on technical details and attribution without overt sensationalism, suggesting a clean alignment with factual reporting rather than manipulation.
Patterns detected: none
Sentinel — Human
The article shows strong signs of human authorship, with technical precision and specific attributions typical of cybersecurity reporting.
