Breaking AI & Tech News Analyzed

Iran's regime has organised over 850 public demonstrations in support of the government since the beginning of the war, showcasing its resilience amid a month-long campaign of intensive airstrikes by the US and Israel. The high number of pro-regime gatherings and the increasing number of detentions underline the regime's determination to maintain control.The war began with a surprise Israeli strike that killed Ayatollah Ali Khamenei, Iran's supreme leader, and many senior officials. Despite this, the regime has not fragmented, and there are no defections. Experts say the messaging within Iran is that they are winning, and this is constant and consistent.Clionadh Raleigh, president of Acled, an independent conflict monitor, noted that the US-Israeli decapitation strategy could not have been more successful, but the regime has adapted. The Acled research also shows that the number of US and Israeli strikes on Iran has remained steady at between 47 and 102 attacks daily that have caused significant civilian casualties.Tehran's retaliation has been largely ineffective, causing only 70 fatalities during the war, compared with 1,157 killed inside Iran, of whom 341 have been identified as civilians. The researchers noted that 99.2% of protests were pro-regime, indicating a coordinated effort to show nationalist consolidation under external attack.The arrest campaign is the regime's primary domestic tool, with approximately 1,465-plus detained in 27 days. Charges escalated from 'filming damage' to 'espionage' and 'mercenary' as the conflict progressed. Details of such repression are difficult to obtain, but recent incidents include the deaths of 10 people when Revolutionary Guards fired on anti-regime demonstrators and shot at apartment windows in Tehran on 25 March.Estimates of civilian casualties vary, with over 1,900 people killed and at least 20,000 injured in Iran since the start of US and Israeli attacks, according to the International Federation of Red Cross and Red Crescent Societies (IFRC). The US-based Human Rights Activists news agency (HRANA) said 3,300 people had been killed since the war began, including 1,464 civilians and at least 217 children.

The Dual Threat: Coruna and DarkSwordSecurity researchers have identified two distinct but equally dangerous hacking toolkits, Coruna and DarkSword, that have leaked onto the open web. These advanced exploit kits, capable of breaking into iPhones and iPads, were originally developed for high-level government surveillance but are now available for anyone to download.Coruna: Targets iOS 13 through 17.2.1. Linked to Trenchant, a unit within U.S. defense contractor L3Harris, and previously used in Operation Triangulation against Russian targets.DarkSword: Targets iOS 18.4 and 18.7. Leaked on GitHub, making it "plug-and-play" for cybercriminals.The Scale of VulnerabilityThe scale of this exposure is staggering. According to Apple's statistics, nearly one-in-three iPhone and iPad users are still not running the latest software. With over 2.5 billion active devices globally, this implies hundreds of millions of users are susceptible to these attacks.DarkSword is particularly concerning because it targets newer devices running iOS 18.4 and 18.7. Researchers have already tested the leaked code, successfully hacking their own devices to demonstrate the ease of use.From State-Sponsored Espionage to Public ExploitationThis leak marks a dangerous shift in the cybersecurity landscape. Historically, sophisticated tools like Coruna were the domain of state-sponsored actors targeting specific regions, such as the Uyghurs in China or activists in Hong Kong.However, the release of DarkSword represents a move toward indiscriminate cybercrime. The tool is written in web languages like HTML and JavaScript, allowing attackers to launch attacks simply by hosting a malicious website. Victims in China, Malaysia, Turkey, Saudi Arabia, and Ukraine have already been targeted.The Future of Zero-Day WeaponizationThe leak of these tools mirrors the infamous 2017 WannaCry ransomware attack, which was fueled by leaked NSA exploits. Once powerful zero-day vulnerabilities are released into the wild, they are nearly impossible to fully contain.Experts recommend immediate action: users must update to iOS 18.7.6 or iOS 26.3.1. For high-risk individuals, enabling Lockdown Mode remains the most effective defense, as there is currently no public evidence of hackers bypassing its protections.

Rapid‑Action Spyware: The Darksword Campaign UnveiledResearchers at Google, iVerify and Lookout traced a fresh wave of iPhone attacks against Ukrainian users to a toolkit they named Darksword. The tool, linked to the threat actor UNC6353, infiltrates devices via compromised Ukrainian websites, siphons passwords, photos, messaging app data and wallet credentials, then vanishes within minutes.Technical Footprint and Quick‑Turnover MetricsInfection vector: malicious scripts on Ukrainian‑hosted sites, active only for visitors inside Ukraine.Data exfiltration window: minutes of dwell time, depending on volume of harvested information.Capabilities: extraction of WhatsApp, Telegram, SMS, browser history, and cryptocurrency wallet keys.Design: modular architecture allowing rapid addition of new functions, mirroring the earlier Coruna toolkit.Geopolitical and Security ImplicationsThe Darksword operation underscores a growing trend of state‑aligned actors deploying highly specialized mobile spyware for short‑term, high‑value “smash‑and‑grab” missions. While the campaign was geographically limited to Ukraine, its sophistication suggests that similar tools could be repurposed for broader espionage or financial theft, raising concerns for iPhone users worldwide and prompting a reassessment of mobile threat models.Future Outlook: Modular Spyware on the RiseAnalysts predict that the success of Darksword will encourage further development of modular iPhone exploits that prioritize rapid data theft over persistent surveillance. Defensive measures will likely focus on hardening web‑delivery chains, improving app‑store vetting, and enhancing on‑device anomaly detection to counter fleeting, high‑impact attacks.