
Cybersecurity Shenanigans #022: RSAC? Soon. Shenanigans? Always. 😎

Read this month's cybersecurity scoop.

👋 Hey friend,

Welcome to the 22nd (!!!) edition of Cybersecurity Shenanigans! And this month, it’s shenanigans-a-plenty.

I’ve been bouncing around a lot between day-job research, videos, training content, and getting ready for RSAC in San Francisco (more on that in a bit), so this edition feels a little bit like a snapshot of everything swirling around in my noggin. 😅

We’ve got (more) Apple security news, criminals being criminals (again), a fresh day-job write-up, and some hands-on learning stuff that I hope you enjoy.

As always, thanks for being here!

— JH

News & Commentary

Apple devices are being targeted by DarkSword exploit kit 🍎

Is it just me, or is Apple making the headlines a bit more frequently these days? (And not just because of the release of the Mac Neo I keep seeing ads for. 😅)

Security researchers have discovered a new iOS exploit kit called DarkSword. State-sponsored operators and commercial spyware vendors are already using it in the wild, and…it’s a nasty one, folks.

It targets 6 iOS vulnerabilities and can ultimately result in full device compromise, all with very little user interaction. It appears this activity is being used for surveillance purposes as DarkSword is being tied to UNC6353, a Russian espionage group targeting Ukraine.

Security researchers say that this kit enables threat actors to pull messages, contacts, call history, browser data, wifi credentials, photos, notes, health data, account details, and even crypto wallet information. That’s a lot of personal data. 😅

You might remember reading earlier this month about Coruna, another iOS exploit kit that compromised thousands of iPhones last year. At this point, we’re leaning more toward trend territory, because both Coruna and DarkSword share infrastructure. Both were used in watering hole attacks against Ukraine. That means that users don’t even have to click on a link to become infected. They just have to visit a compromised trusted site.

Of note, Apple has patched the vulnerabilities, but researchers say that hundreds of millions of devices might still be exposed if they haven’t updated to the latest iOS version. Surprise, surprise: The best thing you can do is patch your Apple devices.

Once a scammer, always a scammer…even from prison 🤷‍♂️

“Released on good behavior” will not be an upcoming news headline for one determined scammer. 😅

A convicted scammer who previously targeted athletes and celebrities for Apple account data apparently decided he didn’t want to give up his craft. From prison, he ran another phishing campaign, targeting professional NBA and NFL athletes. While impersonating someone else, he tricked victims into handing over their iCloud credentials and MFA codes under the guise of “sharing photos.”

Then, once he got those credentials and codes, he used the access to compromise iCloud accounts, steal financial info, credit card data, and other personal information. And then, he went on one heck of a shopping spree — to the tune of 2,000+ fraudulent transactions in a 4-year span. (And during part of this 4-year spree, he was actually already in prison for earlier crimes he’d committed. ☠️)

Now, 22 additional charges later, he’s being held without bail pending (yet another) trial.

Some people never learn. 🤦‍♂️

Recent (day job) write-up: Threat actor abuses free trial and is caught in the act 🎯

Hopefully you’ll humor me when I take a slice from the News & Commentary section to ramble about a recent happening at my day job at Huntress.

Joined by my Huntress colleagues Anna Pham and Jamie Levy, I investigated a malicious trial sign-up that ultimately morphed into all of us just being completely blown away by this threat actor (and not in a good way). Why? They decided to exfiltrate victim data into a free trial of Elastic Cloud SIEM. ☠️

But that’s just the tip of the iceberg. The Elastic instance the bad actor spun up pointed directly to a broader campaign affecting more than 200 victim hosts across dozens of orgs and industries.

Check out the full blog if you’d like to jump down one heck of a rabbit hole.

Sponsor

Learn how browser-based attacks have evolved — get the 2026 report

Most breaches today start with an attacker targeting cloud and SaaS apps directly over the internet. In most cases there is no malware and no exploit: attackers abuse legitimate functionality, dump sensitive data, and hold companies to ransom. This is now the standard playbook.

The common thread? It's all happening in the browser.

Get the latest report from Push Security to understand how browser-based attacks work and where they’ve been used in the wild, breaking down AitM attacks, ClickFix, malicious extensions, OAuth consent attacks, and more.

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-022.

(And as always, thanks for nothing, Clippy. 💙)

Latest Content

YouTube Videos

// I break down a really slick finding from Truffle Security showing how Google API keys that were once considered safe to expose publicly can become risky when Gemini gets enabled on a project. 😅

// I walk through LOL Globs, a super cool catalog of wildcard-based command obfuscation tricks, and show how this kind of command-line weirdness can break simple detections and give defenders something better to study.

// Think crypto scammers only phish online? Think again. 🫠

Just Hacking Training 🤓
March Announcements

Welcome to the World of Hardware Hacking 😎

Learn from the best... Trevor Stevado, AKA t1v0, is a Black Hat & DEF CON trainer, DC Black Badge winner, co-founder of the Embedded Systems Village, and an almost-20-year cybersecurity professional turned... homebrew supply store owner?!?! Passion project AND pentesting. He's amazing!

With included custom kit, hours of video, step-by-step instructions, hands-on labs, instructor walk-throughs and quizzes, this intro course is designed to give you the foundational skills needed to analyze, interact with, and exploit embedded systems at the hardware level.

Only $280 (regularly $350; 20% launch discount, March only)!

Meet me in San Francisco! 👋

Sounds like a song waiting to happen. 😅 Anyway, JHT has 2 brand new mini-workshops for hands-on hacking in the IoT Village.

That’s right…we’re breaking in through the toilet! Free hands-on lab on emulating a device and exploiting the one smart appliance security forgot: the bathroom. It’s a crappy job, but somebody’s gotta do it. 💩

Free Extended UCx by Matt Ehrnschwender

TLS secures web and IoT communications. In this free hands-on lab, you’ll capture traffic from a simulated OpenWRT device and use mitmproxy to decrypt (supposedly) secure communications.

Please stop by and say hi, do a little IoT hacking, and grab some swag at BSidesSF March 21-22 and RSAC 2026 March 23-26!

Can’t make it to San Francisco? Our 2 free mini-workshops are available now on JHT as NameYourPrice items (minimum $0)!

New Free Upskill Challenges!

The 2nd Free Upskill Challenge in the Home Lab series explores Proxmox, the homelabber's virtualization tool of choice, with tips, tricks & use cases.

Exploit those vulnerabilities with Metasploit! The "Pentesting for the Masses" series of FREE lessons continues its tour of common hacking tools.

Save Big with Bundles!

The “Mishaal” Bundle: Get EVERYTHING Mishaal Khan has on JHT for only $345 (25% Off)! At a fraction of what he charges for a single in-person course, you get 4 courses (3 OSINT, 1 OpSec) & 2 geoINT Hack-Alongs.
Mastering Active Directory Security (MADS) Volumes 1 – 3: (20% Off)
WMD Intro Path includes courses 1 – 3: (46% Off)
7 CTF Bundle: 50% Off
7 Hack-Along Bundle: 75% Off

My dark web bundle :)

Get both DW1 (Dark Web and Cybercrime Investigations, $125) and DW2 (CTI Researcher, $175) in a bundle and save 25%. Only $225 (regularly $300)!

Forget the Noise. Get to Just Hacking!

Social

(^ Can we just take a moment to appreciate that freeze frame? 😂)

I’ll be at RSAC!

Already mentioned the details in the Just Hacking Training updates, but I want to extend a personal invitation to you to come say hi if you’ll be there as well.

You know how these events are. You have a “station” you plan to be at, but then everything gets busy and you end up bouncing all over the place.

In other words, if you see me (at the booth or otherwise), please say hi! 👋

Got feedback?

Are you loving this thing? Can it be improved? Either way, I want to know.

Please reply to this email and let me know what you’re loving — and what you’d love to see in the next edition.

Thank you!