Threat Insight

Proofpoint's insights on targeted attacks & the security landscape.
Threat Insight Blogs: https://www.proofpoint.com/us/blog/threat-insight
Threat Insight on X: https://twitter.com/threatinsight

Proofpoint has directly observed a targeted email campaign that delivers DarkSword RCE, and we attribute the messages to Russian FSB threat actor TA446 with high confidence. We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices. TA446 does not overlap with UNC6353.

On March 26, 2026, Proofpoint observed many compromised senders spoofing the Atlantic Council in a campaign that we attribute to TA446 (Callisto, COLDRIVER, Star Blizzard, which is linked to Russia’s FSB Centre 18). The volume of emails from TA446 has been significantly higher over the last 2 weeks compared to its normal operational tempo, delivering the MAYBEROBOT backdoor via password-protected ZIP files. The activity on March 26 was a similar spike, but with links instead of attachments. Proofpoint's automated analysis was redirected to a benign decoy PDF, likely because of server-side filtering that only redirects iPhone browsers to the exploit kit.

New reports on TA446 using the DarkSword iOS exploit kit were intriguing. The DarkSword iOS exploit kit was recently published on GitHub, but Proofpoint had not yet observed it in use in the wild. A DarkSword loader uploaded to VirusTotal (MD5: 5fa967dbef026679212f1a6ffa68d575) referenced escofiringbijou[.]com, a TA446 second-stage domain independently observed by Proofpoint, corroborating the group's use of DarkSword.

A submission on URLScan (https://urlscan.io/result/019d2c02-e06f-773f-a7a8-72516045f0da/#transactions) confirmed that the TA446-controlled domain was serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed.

Related compromised first-stage domains also include motorbeylimited[.]com and bridetvstreaming[.]org. Only the activity from March 26 spoofing Atlantic Council has been linked to DarkSword usage; previous TA446 activity shows no indication of exploit use.

Proofpoint did not directly observe the iOS exploit kit delivery but believes the actor has adopted the exploit kit for the purposes of credential harvesting and intelligence collection. The targeting Proofpoint observed in the email campaigns was much wider than usual and included government, think tank, higher education, financial, and legal entities, indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set. This is a notable adoption, as Proofpoint has not previously observed TA446 targeting iOS devices.

Proofpoint researchers identified a targeted campaign against operations personnel at energy firms linked to projects in Pakistan.

We track the activity as UNK_VaporVibes.

The messages were sent on 18 March 2026, and mimicked invitations to the upcoming Pakistan Energy Exhibition & Conference (PEEC).

The actor used compromised accounts from a Pakistani university and a government organization to deliver PDF attachments with a fake Adobe Reader prompt.

The notable part came after the click. The PDF link used the “microsoft-edge:” URI scheme before redirecting to a Cloudflare Workers-hosted (*[.]adobe-org[.]workers[.]dev) ClickOnce application resource.

We assess that the Edge scheme handoff was likely intended to direct victims into the browser path that supports the next stage.

This is consistent with UNK_VaporVibes’ repeated use of ClickOnce-focused delivery.

The redirect chain was also wrapped in geofencing and browser fingerprinting, limiting access to intended targets. That likely reduced the exposure to automated analysis while keeping the delivery path tightly scoped.

The ClickOnce execution chain leads to the Havoc Demon C2 framework (https://github.com/HavocFramework/Havoc), an open-source post-exploitation tool.

The targeting, the PEEC-themed PDF lure, Edge redirection, and ClickOnce staging align with prior UNK_VaporVibes activity and show overlaps with activity publicly associated with SloppyLemming (https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/).

Indicators of compromise:

7487abe753e73070612c6e8573af9d58791389813a5b54ddcf740f1391e2cd20 (Adobe.application)
Demon C2 host: soc[.]pkcrt-0ea[.]workers[.]dev

Suricata rule to detect the Microsoft Edge redirect:
2068325 - ET HUNTING 302 Redirect to Microsoft Edge Browser
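The post above describes a 302 redirect whose target uses the "microsoft-edge:" URI scheme to hand the victim off to Edge before landing on a Workers-hosted ClickOnce resource. The following is an added example, not Proofpoint's code and not the Suricata rule cited above: it inspects HTTP redirect responses (for instance from proxy or sandbox logs) for that handoff and reports where the embedded URL points. It assumes the scheme is consumed as "microsoft-edge:" followed directly by the target URL, as Windows registers it; the sample responses are constructed and every host in them is a placeholder.

```python
"""Added example (not Proofpoint's code): find "microsoft-edge:" handoffs in
HTTP redirect responses and characterise their target.  Sample responses are
constructed; hosts are placeholders."""
from urllib.parse import urlsplit

EDGE_SCHEME = "microsoft-edge:"          # assumption: scheme is followed directly by the URL
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
CLICKONCE_SUFFIXES = (".application", ".manifest")  # ClickOnce deployment/application manifests

# Constructed sample responses (not real captures).
SAMPLE_RESPONSES = [
    {"status": 302, "headers": {"Location":
        "microsoft-edge:https://placeholder.adobe-org.workers.dev/Adobe.application"}},
    {"status": 302, "headers": {"Location": "https://www.example.org/login"}},
    {"status": 200, "headers": {"Content-Type": "text/html"}},
    {"status": 302, "headers": {"location": "microsoft-edge:https://intranet.example.org/portal"}},
]


def unwrap_edge_uri(location):
    """Return the URL embedded in a microsoft-edge: URI, or None if it is not one."""
    if location is None or not location.lower().startswith(EDGE_SCHEME):
        return None
    return location[len(EDGE_SCHEME):].strip()


def assess_redirect(response):
    """Classify one response dict {"status": int, "headers": {...}}.

    Returns None unless the response is a redirect whose Location header is
    an Edge handoff.  Header names are matched case-insensitively."""
    if response["status"] not in REDIRECT_STATUSES:
        return None
    headers = {k.lower(): v for k, v in response["headers"].items()}
    target = unwrap_edge_uri(headers.get("location"))
    if target is None:
        return None
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    return {
        "target": target,
        "host": host,
        "workers_dev": host.endswith(".workers.dev"),
        "clickonce": parts.path.lower().endswith(CLICKONCE_SUFFIXES),
    }


def scan_responses(responses):
    """Assessments for every response that performs an Edge handoff, in order."""
    return [a for a in (assess_redirect(r) for r in responses) if a]


if __name__ == "__main__":
    for hit in scan_responses(SAMPLE_RESPONSES):
        print(hit)
```

The two flags are kept separate on purpose: an Edge handoff to an internal portal is unusual but may be legitimate, while a handoff to a workers.dev host serving a ClickOnce manifest is the combination the post describes and is what a hunting query should surface first.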

The cloud threat research team at Proofpoint has discovered an account takeover campaign targeting around 40,000 users. Malicious activity has been recorded as early as Feb. 2nd, with a surge on Feb. 10th and a peak on Feb. 12th.

For a large number of users, the attacker initially attempted to log in with the correct credentials, although in most cases, conditional access policies and MFA denied access. This suggests the attacker relied, at least in part, on stolen or leaked credentials.

Malicious login attempts correlated to this campaign seem to originate from an outdated Google Chrome browser, namely version 72, initially released in January 2019. Nowadays, this specific user agent is rarely observed in legitimate activity.

Login attempts correlated to this campaign originated from more than 200 distinct domains, most of which are commercial VPN providers and TOR exit nodes.

Moreover, this campaign solely targets the Microsoft Office 365 Portal.

IoCs:

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36

Application ID: 00000006-0000-0ff1-ce00-000000000000 (Microsoft Office 365 Portal)
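As an added example (not Proofpoint's code or tooling), the following triages sign-in records against the two indicators above. Records carrying both the Chrome 72 user agent and the Office 365 Portal application ID are flagged, and those where the password was accepted but Conditional Access or MFA stopped the sign-in are surfaced separately, because that outcome means the credential itself is already in the attacker's hands and should be reset. Assumptions that are mine rather than the post's: the record layout is a simplified sign-in log export, and the result codes follow the documented AADSTS codes (0 success, 50126 bad password, 53003 blocked by Conditional Access, 50074 MFA challenge not passed); all sample records are constructed.

```python
"""Added example (not Proofpoint's code): triage constructed sign-in records
against the campaign's user agent and application ID indicators."""
from collections import defaultdict

# Indicators quoted in the post.
CAMPAIGN_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                       "AppleWebKit/537.36 (KHTML, like Gecko) "
                       "Chrome/72.0.3626.109 Safari/537.36")
OFFICE365_PORTAL_APP_ID = "00000006-0000-0ff1-ce00-000000000000"

# Assumption: AADSTS result codes.  These three are only reachable after the
# password itself was accepted (0 success, 53003 CA block, 50074 MFA failed).
PASSWORD_ACCEPTED_CODES = {0, 53003, 50074}

# Constructed sample records (not real telemetry).  OTHER_APP_ID and the
# modern Chrome user agent are placeholders for benign activity.
OTHER_APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_SIGNINS = [
    {"user": "alice@example.org", "ip": "198.51.100.7", "app_id": OFFICE365_PORTAL_APP_ID,
     "user_agent": CAMPAIGN_USER_AGENT, "result_code": 53003},
    {"user": "bob@example.org", "ip": "198.51.100.7", "app_id": OFFICE365_PORTAL_APP_ID,
     "user_agent": CAMPAIGN_USER_AGENT, "result_code": 50126},
    {"user": "carol@example.org", "ip": "203.0.113.9", "app_id": OFFICE365_PORTAL_APP_ID,
     "user_agent": CAMPAIGN_USER_AGENT, "result_code": 0},
    {"user": "dave@example.org", "ip": "203.0.113.9", "app_id": OFFICE365_PORTAL_APP_ID,
     "user_agent": CAMPAIGN_USER_AGENT, "result_code": 50074},
    {"user": "erin@example.org", "ip": "192.0.2.44", "app_id": OTHER_APP_ID,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/133.0.0.0 Safari/537.36",
     "result_code": 0},
]


def matches_campaign(record):
    """True only when the exact user agent and the targeted application both match."""
    return (record["user_agent"] == CAMPAIGN_USER_AGENT
            and record["app_id"].lower() == OFFICE365_PORTAL_APP_ID)


def triage(records):
    """Return (campaign matches, users whose password the attacker holds,
    users for whom a campaign sign-in fully succeeded)."""
    matches = [r for r in records if matches_campaign(r)]
    leaked = sorted({r["user"] for r in matches if r["result_code"] in PASSWORD_ACCEPTED_CODES})
    succeeded = sorted({r["user"] for r in matches if r["result_code"] == 0})
    return matches, leaked, succeeded


def attempts_per_source(records):
    """Count campaign attempts per source IP, exposing the VPN/TOR fan-out."""
    counts = defaultdict(int)
    for r in records:
        if matches_campaign(r):
            counts[r["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    matched, leaked_users, succeeded_users = triage(SAMPLE_SIGNINS)
    print(f"{len(matched)} campaign sign-ins by source: {attempts_per_source(SAMPLE_SIGNINS)}")
    print("reset passwords for:", leaked_users)
    print("full account review for:", succeeded_users)
```

The split between the two user lists matters operationally: a blocked-by-policy event is not a clean miss, it is proof the password is known to the attacker, so those accounts need a reset even though no session was established, while the fully successful sign-ins need session revocation and a mailbox review on top.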

Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war. Our new blog shares examples of how the conflict in Iran is accelerating cyber espionage across the Middle East.

🔗: https://brnw.ch/21x0EJ8

Iran-aligned #TA453 ( #CharmingKitten #APT42 ) recently attempted credential phishing against a U.S. think tank, continuing its longstanding intelligence collection efforts. At the same time, multiple state-sponsored actors, including groups suspected to be linked to China, Belarus, Pakistan, and Hamas, are targeting Middle Eastern government entities using conflict-themed lures, often sent from compromised government or diplomatic accounts.

This reflects both opportunistic social engineering and a broader shift in intelligence collection priorities driven by the conflict.

View the full blog to see campaign examples observed by our researchers. We will continue monitoring the landscape and keep our customers and community informed as the situation evolves.

Be sure to catch Daniel's presentation, "Welcome to the Endgame," alongside co-presenter Europol during #RSAC 2026.

🗓️ Wednesday, March 25
🕣 8:30 a.m. - 9:20 a.m.
⭐️ Session code FRP-W01

🚨 A major cybercriminal player, Tycoon 2FA, has been disrupted by law enforcement and private sector partners, including Microsoft, Europol, Proofpoint, Cloudflare, and TrendAI.

See our blog for details on the takedown of the popular phishing-as-a-service (PhaaS) platform announced today. https://brnw.ch/21x0s5G

⚠️ #Tycoon2FA is the highest volume adversary-in-the-middle (AiTM) phishing threat observed in our email data. Its disruption and the associated lawsuit filed by Microsoft and Health-ISAC will have a significant impact on the threat landscape.

We were proud to extend our human- and agent-centric security mission to assist in this investigation. Our vast threat telemetry enabled us to share unique insight into Tycoon 2FA activity and campaign data.

🚨 Proofpoint threat researchers have observed a notable evolution in how attackers weaponize trust around enterprise tooling.

In a new blog, our team shares its findings and role in disrupting TrustConnect, a malware-as-a-service platform posing as a legitimate remote monitoring tool.

Details: https://brnw.ch/21x05Vh

This Valentine’s Day invite came with a payload no one asked for. 💔 As February 14th nears, Proofpoint researchers warn of malicious Valentine’s Day-themed lures and threats.

⚠️ The screenshot below is of an actual lure recently sent from a compromised account.

This example, which was observed and blocked by our team, leveraged legitimate remote monitoring and management (RMM) as a first-stage payload. RMM attacks can result in data collection, financial theft, lateral movement, and the installation of follow-on malware, including ransomware.

Cybercriminals will always attempt to capitalize on current events, and Valentine’s Day is no exception. Such lures are designed to appear as legitimate emails from trusted sources, increasing the likelihood that a target clicks or engages. 💌

Proofpoint recommends that organizations:

• Train users to identify and report suspicious activity

• Restrict the download/installation of any unapproved RMM tooling

• Ensure network detections alert on any activity to RMM servers

TA584 is one of the most prominent #cybercriminal threat actors tracked by Proofpoint threat researchers. In a new blog, the team shared a detailed analysis of the threat actor, its campaigns, attack chains, targeting, payloads, and shared defensive recommendations.

Blog: https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access

Our researchers have tracked #TA584 since 2020. In 2025, they observed shifts to TA584’s tactics, techniques and procedures (TTPs). Notably, it expanded global targeting; adopted ClickFix social engineering; and delivered new malware, Tsundere Bot.

⚠️ Such activity shows that static detections alone are not reliable against constantly evolving threat actors.

Explore the blog for more details along with protection tips, Emerging Threats Rules and IOCs.


Cloud threat researchers at Proofpoint have identified a peak in an ongoing brute force campaign targeting ‘Azure Active Directory Powershell.’

Behind the campaign—which has impacted over 100,000 users in over 3,000 tenants—is a cluster tracked as #UNK_BareZilla.

The campaign is signatured by the user agent ‘Mozilla/5.0’. As a standalone user agent, this string is uncommon and likely an attempt to blend in as generic activity.

Brute forcing attempts were primarily seen against ‘Azure Active Directory PowerShell’ (1b730954-1685-4b74-9bfd-dac224a7b894).

CLI applications can be an attractive target for brute force attacks, as access is more likely to be protected by single-factor authentication only.

The education sector has emerged as a primary victim of this campaign, with instances of post-access activity including spam sending and malicious mailbox rules for user accounts that were not protected by MFA.

In one instance of compromise, the actor used ‘One Outlook Web’ to create an inbox rule named “x” that deleted all incoming emails.

We continue to track this activity and will share any notable updates.
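The post above gives three concrete signals: the bare "Mozilla/5.0" user agent, the Azure Active Directory PowerShell application ID, and a post-access inbox rule that deletes all incoming mail. As an added example (not Proofpoint's code), the following runs two checks over constructed records: a per-source count of failed password attempts carrying the campaign signature, with any account the same source then signed in to listed alongside, and an audit of inbox rule events for unconditional delete rules like the one named "x". Assumptions that are mine: the record layouts are simplified, 50126 is the documented AADSTS "invalid username or password" code, and the threshold of 10 failures per source is illustrative.

```python
"""Added example (not Proofpoint's code): brute-force and inbox-rule checks for
the UNK_BareZilla signals above, over constructed records."""
from collections import defaultdict

BARE_USER_AGENT = "Mozilla/5.0"
AAD_POWERSHELL_APP_ID = "1b730954-1685-4b74-9bfd-dac224a7b894"
BAD_PASSWORD_CODE = 50126   # assumption: AADSTS invalid username or password
FAILURE_THRESHOLD = 10      # illustrative choice

# Constructed sample sign-ins: one source sprays 12 accounts and lands one,
# a second source makes two failed attempts, and an administrator signs in
# with a placeholder (non-bare) client user agent.
SAMPLE_SIGNINS = [
    {"user": f"student{i:02d}@university.example", "ip": "198.51.100.23",
     "app_id": AAD_POWERSHELL_APP_ID, "user_agent": BARE_USER_AGENT,
     "result_code": BAD_PASSWORD_CODE}
    for i in range(12)
]
SAMPLE_SIGNINS.append({"user": "student07@university.example", "ip": "198.51.100.23",
                       "app_id": AAD_POWERSHELL_APP_ID, "user_agent": BARE_USER_AGENT,
                       "result_code": 0})
SAMPLE_SIGNINS += [
    {"user": "staff@university.example", "ip": "203.0.113.5",
     "app_id": AAD_POWERSHELL_APP_ID, "user_agent": BARE_USER_AGENT,
     "result_code": BAD_PASSWORD_CODE}
    for _ in range(2)
]
SAMPLE_SIGNINS.append({"user": "admin@university.example", "ip": "192.0.2.10",
                       "app_id": AAD_POWERSHELL_APP_ID,
                       "user_agent": "placeholder-powershell-client/1.0 (constructed)",
                       "result_code": 0})

# Constructed inbox rule audit events (not real telemetry).
SAMPLE_RULE_EVENTS = [
    {"mailbox": "student07@university.example", "rule_name": "x",
     "client": "One Outlook Web", "action": "DeleteMessage", "conditions": {}},
    {"mailbox": "staff@university.example", "rule_name": "Newsletters",
     "client": "Outlook", "action": "MoveToFolder",
     "conditions": {"from": "news@vendor.example"}},
    {"mailbox": "staff@university.example", "rule_name": "Drop one sender",
     "client": "Outlook", "action": "DeleteMessage",
     "conditions": {"from": "noise@vendor.example", "subject": ""}},
]


def is_campaign_signin(record):
    """Match the bare user agent together with the targeted application."""
    return (record["user_agent"] == BARE_USER_AGENT
            and record["app_id"].lower() == AAD_POWERSHELL_APP_ID)


def detect_brute_force(records, threshold=FAILURE_THRESHOLD):
    """Return {ip: {"failures", "distinct_users", "successes"}} for sources whose
    campaign-signature password failures reach the threshold."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "successes": []})
    for r in records:
        if not is_campaign_signin(r):
            continue
        entry = per_ip[r["ip"]]
        if r["result_code"] == BAD_PASSWORD_CODE:
            entry["failures"] += 1
            entry["users"].add(r["user"])
        elif r["result_code"] == 0:
            entry["successes"].append(r["user"])
    return {ip: {"failures": e["failures"], "distinct_users": len(e["users"]),
                 "successes": sorted(e["successes"])}
            for ip, e in per_ip.items() if e["failures"] >= threshold}


def find_delete_all_rules(rule_events):
    """Inbox rules that delete mail with no condition set; empty values count as unset."""
    hits = []
    for ev in rule_events:
        active = {k: v for k, v in ev.get("conditions", {}).items() if v}
        if ev.get("action") == "DeleteMessage" and not active:
            hits.append((ev["mailbox"], ev["rule_name"], ev.get("client")))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", detect_brute_force(SAMPLE_SIGNINS))
    print("delete-all inbox rules:", find_delete_all_rules(SAMPLE_RULE_EVENTS))
```

Reporting distinct users per source separates a password spray (many users, few attempts each) from a single-account guess, and carrying the successes in the same record ties the landed account directly to the source that sprayed it, which is the account whose mailbox rules deserve the second check.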