A highly sophisticated iOS exploitation kit called DarkSword has recently fallen into the hands of a new group of Russian hackers. The Russian group TA446, also known as Callisto, is using it on a large scale in fake invitation emails.
The DarkSword iOS exploitation kit was discovered a few weeks ago. Mysteriously appearing on Github, the kit allows hackers to infiltrate iPhones that have not been updated for years. By luring the target to a trap website, the attack can take control of the device. By exploiting at least six security vulnerabilities, it can extract photos, messages, passwords, crypto data, location histories, then erase almost all traces of its activity in a few minutes. Active since late 2025, the kit is used by cybercriminals, including groups linked to Russia.
Shortly after DarkSword appeared on Github, Threat Insight researchers discovered a new campaign using the hacking kit. They noticed that the tool is now being utilized by the criminal group TA446, alias Callisto. Active since the fall of 2015, the gang is affiliated with Russia. They specialize in phishing campaigns targeting military personnel, government officials, and journalists in Europe and Ukraine. The gang is often known for its highly sophisticated phishing campaigns.
In their operations, cybercriminals have started using DarkSword. Russian hackers have mainly used the exploitation kit to trap officials in government agencies, organizations close to Ukraine, universities, research centers, banks, and lawyers.
According to researchers, hackers impersonate the Atlantic Council, an American think tank specializing in international relations and security issues, or similar institutions. The attack begins with the recipient receiving a specific email containing an event invitation or a document share. The email includes a link disguised as an event schedule, article, or conference page. If the victim clicks on the link, the attack will commence. The site displays credible content to avoid arousing suspicion. If the device is a vulnerable iPhone, DarkSword will exploit a series of vulnerabilities to take control.
The iPhone remains functional, and the user continues to browse normally. However, in the background, the virus steals all the data. As seen, the malware is still being used by criminals. To protect yourself, it is advised to keep your iPhone up to date.
