
  • TA446 Deploys DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign



    Ravie Lakshmanan, Mar 28, 2026, Mobile Security / Email Security

    Proofpoint has disclosed details of a targeted email campaign in which threat actors with ties to Russia are leveraging the recently disclosed DarkSword exploit kit to target iOS devices.

    The activity has been attributed with high confidence to the Russian state-sponsored threat group known as TA446, which is also tracked by the broader cybersecurity community under the monikers Callisto, COLDRIVER, and Star Blizzard (formerly SEABORGIUM). It’s assessed to be affiliated with Russia’s Federal Security Service (FSB).

    The hacking group is known for spear-phishing campaigns aimed at harvesting credentials from targets of interest. However, attacks mounted by the threat actor over the past year have also targeted victims’ WhatsApp accounts and have leveraged various custom malware families to steal sensitive data.


    The latest activity, highlighted by Proofpoint and Malfors, involves using fake “discussion invitation” emails spoofing the Atlantic Council to facilitate the delivery of GHOSTBLADE, a dataminer malware, via the DarkSword exploit kit. The emails were sent from compromised senders on March 26, 2026. One of the email recipients was Leonid Volkov, a prominent Russian opposition politician and the political director of the Anti-Corruption Foundation.

    An automated analysis triggered by Proofpoint’s security tools is said to have redirected to a benign decoy PDF document, likely because of server-side filtering put in place to only lead iPhone browsers to the exploit kit.

    “We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices,” Proofpoint said.

    The enterprise security firm also noted that the volume of emails from the threat actor has been “significantly higher” in the last two weeks, adding that these attacks lead to the deployment of a known backdoor referred to as MAYBEROBOT via password-protected ZIP files.

    The group’s use of DarkSword has also been corroborated by the fact that a DarkSword loader uploaded to VirusTotal has been found to reference “escofiringbijou[.]com,” a second-stage domain attributed to the threat actor.

    A urlscan.io result has revealed that the TA446-controlled domain has served the DarkSword exploit kit, including the initial redirector, exploit loader, remote code execution, and Pointer Authentication Code (PAC) bypass components. However, there is no evidence that sandbox escapes were delivered.

    It’s suspected that TA446 is repurposing the DarkSword exploit kit for credential harvesting and intelligence collection, with Proofpoint noting that the targeting observed in the email campaign was “much wider than usual” and included government, think tank, higher education, financial, and legal entities.


    This, in turn, has raised the possibility that the threat actor is leveraging the new capability afforded by DarkSword as part of an opportunistic campaign against a broader target set.

    The development comes as Apple has begun sending Lock Screen notifications to iPhones and iPads running older versions of iOS and iPadOS, alerting users to web-based attacks and urging them to install the update to block the threat. The unusual step signals that the company considers the threat broad enough to require users’ immediate attention.

    Apple’s warning also coincides with the leak of a new version of DarkSword on GitHub, raising concerns that it could democratize access to nation-state exploits and fundamentally shift the mobile threat landscape.

    Justin Albrecht, principal researcher at Lookout, said the leaked, plug-and-play version allows even unskilled threat actors to deploy the advanced iOS espionage kit, turning it into commodity malware.

    “DarkSword refutes the common belief that iPhones are immune to cyber threats, and that advanced mobile attacks are only used in targeted efforts against governments and high-ranking officials,” Albrecht added.




  • CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation



    Ravie Lakshmanan, Mar 28, 2026, Vulnerability / Network Security


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting F5 BIG-IP Access Policy Manager (APM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    The vulnerability in question is CVE-2025-53521 (CVSS v4 score: 9.3), which could allow a threat actor to achieve remote code execution.

    “When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE),” according to a description of the flaw in CVE.org.

    While the shortcoming was initially categorized and remediated as a denial-of-service (DoS) vulnerability with a CVSS v4 score of 8.7, F5 said it has been reclassified as a case of RCE in light of “new information obtained in March 2026.”

    The company has since updated its advisory to confirm that the vulnerability “has been exploited in the vulnerable BIG-IP versions.” It did not share any additional details on who may be behind the exploitation activity.


    However, F5 published a number of indicators that can be used to assess whether a system has been compromised –

    • File-related indicators –
      • Presence of /run/bigtlog.pipe and/or /run/bigstart.ltm.
      • Mismatch of file hashes when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
      • Mismatch of file sizes or timestamps when compared to known good versions of /usr/bin/umount and/or /usr/sbin/httpd.
      • Each release and EHF may have different file sizes and timestamps.
    • Log-related indicators –
      • An entry in “/var/log/restjavad-audit..log” showing a local user accessing the iControl REST API from localhost.
      • An entry in “/var/log/auditd/audit.log” showing a local user accessing the iControl REST API from localhost to disable SELinux.
      • Log messages in “/var/log/audit” show the results of a command being run in the audit log.
    • Other TTPs observed include –
      • Modifications to the underlying components that the system integrity checker, sys-eicheck, relies on, resulting in a failure of the tool, specifically /usr/bin/umount and/or /usr/sbin/httpd, indicating unexpected changes to the system software as mentioned above.
      • HTTP/S traffic from the BIG-IP system that contains HTTP 201 response codes and CSS content-type to disguise the attacker’s activities.
      • Changes to the following three files, although their presence alone does not signal a security issue –
        • /var/sam/www/webtop/renderer/apm_css.php3
        • /var/sam/www/webtop/renderer/full_wt.php3
        • /var/sam/www/webtop/renderer/webtop_popup_css.php3

    “We have observed cases of webshell being written to disk; however, the webshells have been observed to work in memory only, meaning the files listed above might not be modified,” F5 cautioned.
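    The file-based and log-based indicators above can be folded into a small read-only triage script. The following is an added example and is not F5’s tooling or anything taken from the advisory: it assumes a POSIX shell with sha256sum, takes the known-good hashes and the restjavad audit-log path as arguments (placeholders; F5 notes that sizes and timestamps differ per release and EHF, so the reference hashes must come from a clean system on the same release), and assumes a simple one-request-per-line audit-log layout for the grep pattern. Per F5’s caveat, a clean result on the file checks does not rule out an in-memory webshell.

```shell
#!/bin/sh
# Added example (not F5's tooling): read-only triage for the file- and
# log-based indicators F5 published for CVE-2025-53521.
# ROOT (first argument) is prefixed to every path so the same functions can
# be exercised against a constructed directory tree; on a real BIG-IP it is "".
# Known-good SHA-256 values are placeholders supplied by the caller.

# Report presence of the two artifact files F5 lists under /run.
# Prints one INDICATOR line per hit to stderr; echoes the hit count to stdout.
check_run_artifacts() {
  root="$1"
  hits=0
  for f in /run/bigtlog.pipe /run/bigstart.ltm; do
    if [ -e "$root$f" ]; then
      echo "INDICATOR: unexpected file present: $f" >&2
      hits=$((hits + 1))
    fi
  done
  echo "$hits"
}

# Compare a binary's SHA-256 against a caller-supplied known-good value.
# A mismatch on /usr/bin/umount or /usr/sbin/httpd is one of F5's indicators
# (and is why sys-eicheck starts failing). Echoes 1 on mismatch, else 0.
check_binary_hash() {
  root="$1"; path="$2"; expected="$3"
  [ -f "$root$path" ] || { echo 0; return; }
  actual=$(sha256sum "$root$path" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "INDICATOR: hash mismatch for $path (got $actual)" >&2
    echo 1
  else
    echo 0
  fi
}

# Count audit-log lines where an iControl REST request (/mgmt/...) came from
# localhost. The line layout is an assumption for this example; adjust the
# pattern to the real restjavad audit-log format on your release.
count_local_rest_access() {
  logfile="$1"
  [ -r "$logfile" ] || { echo 0; return; }
  grep -c -E '(127\.0\.0\.1|localhost).*/mgmt/' "$logfile" || true
}

# Run every check against ROOT and echo the total number of indicators.
run_triage() {
  root="$1"; good_umount="$2"; good_httpd="$3"; logfile="$4"
  total=$(check_run_artifacts "$root")
  total=$((total + $(check_binary_hash "$root" /usr/bin/umount "$good_umount")))
  total=$((total + $(check_binary_hash "$root" /usr/sbin/httpd "$good_httpd")))
  rest=$(count_local_rest_access "$logfile")
  if [ "$rest" -gt 0 ]; then
    echo "INDICATOR: $rest local iControl REST request(s) in $logfile" >&2
    total=$((total + 1))
  fi
  echo "$total"
}

# Stand-alone use on a BIG-IP (replace the placeholders with real values):
#   sh triage.sh <umount_sha256> <httpd_sha256> <restjavad_audit_log_path>
if [ "$#" -eq 3 ]; then
  n=$(run_triage "" "$1" "$2" "$3")
  echo "indicators found: $n"
fi
```

    The script only reads files and never modifies the system, so it is safe to run on a suspected-compromised unit before deciding whether to reimage; a non-zero count is a prompt for full forensic collection rather than a verdict on its own.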


    The issue impacts the following versions –

    • 17.5.0 – 17.5.1 (Fixed in version 17.5.1.3)
    • 17.1.0 – 17.1.2 (Fixed in version 17.1.3)
    • 16.1.0 – 16.1.6 (Fixed in version 16.1.6.1)
    • 15.1.0 – 15.1.10 (Fixed in version 15.1.10.8)

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been given until March 30, 2026, to apply the fixes to secure their networks.

    “When F5 CVE-2025-53521 first emerged last year as a denial-of-service issue, it didn’t immediately signal urgency, and many system administrators likely prioritized it accordingly,” watchTowr CEO and founder Benjamin Harris said in a statement shared with The Hacker News.

    “Fast forward to today’s big ‘yikes’ moment: the situation has changed significantly. What we’re observing now is pre-auth remote code execution and evidence of in-the-wild exploitation, with a CISA KEV listing to back it up. That’s a very different risk profile than what was initially communicated.”

    Defused Cyber, in an X post, has also confirmed that it’s seeing “acute scanning activity” for vulnerable F5 BIG-IP devices following the addition of CVE-2025-53521 to the KEV catalog.

    “This actor is hitting /mgmt/shared/identified-devices/config/device-info which is a F5 BIG-IP REST API endpoint used to retrieve system-level information, such as hostname, machine ID, and base MAC address,” it said.


