
How to stop the Coruna exploit kit targeting iPhones and Macs 

Author Gabriele Turcan

New attacks, zero-click vulnerabilities, and unpatched devices. Here is what is happening to Apple devices and the essential rules for defending against potential intrusions on phones and computers.  

What we found: Coruna is not a reason for panic, but it is a wake-up call  

For users, the discovery of Coruna should not trigger alarm, but rather serve as a clear reminder to stay aware and vigilant. These are highly targeted attacks, rarely indiscriminate, yet they confirm a fundamental principle: no device can be considered completely immune.  

The Coruna exploit kit, identified by Google’s Threat Intelligence Group (GTIG) in February 2025, contains five full iOS exploit chains and a total of 23 exploits targeting iPhones running iOS 13.0 through 17.2.1. Since its initial discovery, the toolkit has moved from targeted surveillance operations to broader campaigns, including watering hole attacks against Ukrainian targets and large-scale cryptocurrency theft through fake financial websites.  

Keep your operating system updated: the most effective defense  

In this context, the most effective defense remains the simplest one: keeping your operating system up to date. Many exploits target outdated versions of iOS, and regularly installing security patches allows you to fix known vulnerabilities and significantly reduce your attack surface.  

Apple has confirmed that devices running the latest versions of iOS 15 through iOS 26 are already protected. For newer iOS versions (16.6 onward), patches addressing Coruna-related vulnerabilities were shipped as early as 2023 and 2024. On March 11, 2026, Apple extended protection to older devices that cannot run the latest iOS.  

Organizations managing large fleets of mobile devices should treat unpatched endpoints as a critical risk. A structured vulnerability assessment program helps identify which devices remain exposed and prioritize remediation before threats like Coruna can exploit them.  
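
The assessment step described above, as an added example (not code from Neverhack, Google or Apple): it sorts a fleet inventory by whether each device's reported iOS version falls inside the 13.0 to 17.2.1 range the kit targets. The CSV columns, the labels and the `LATEST` values are assumptions; the article does not list fixed release numbers per branch, so `LATEST` holds placeholders an operator would replace.

```python
import csv, io

# Target range stated in the article: iOS 13.0 through 17.2.1.
TARGET_MIN, TARGET_MAX = (13, 0, 0), (17, 2, 1)

def parse_version(text):
    """Turn '16.5' or '17.2.1' into a 3-tuple; return None if unparseable."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version_text, latest_by_major):
    """Return a triage label for one device's reported iOS version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown-version"        # inventory gap: check the device by hand
    if not TARGET_MIN <= v <= TARGET_MAX:
        return "outside-target-range"   # not in the kit's range; may still lack updates
    latest = latest_by_major.get(v[0])
    if latest is None:
        return "in-range-verify"        # no reference release supplied for this branch
    return "in-range-current" if v >= latest else "in-range-outdated"

def triage(inventory_csv, latest_by_major):
    """Map each triage label to the device ids that carry it."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        label = classify(row["os_version"], latest_by_major)
        result.setdefault(label, []).append(row["device_id"])
    return result

# Constructed sample inventory (hypothetical MDM export columns).
SAMPLE = """device_id,os_version
ph-001,16.5
ph-002,17.2.1
ph-003,17.3
ph-004,15.99.0
ph-005,12.5.7
ph-006,n/a
ph-007,14.8
"""
# Placeholder values, NOT real release numbers: fill in from Apple's security releases.
LATEST = {15: (15, 99, 0), 16: (16, 99, 0)}

if __name__ == "__main__":
    for label, ids in sorted(triage(SAMPLE, LATEST).items()):
        print(f"{label}: {', '.join(ids)}")
```

Devices labelled `in-range-outdated`, `in-range-verify` or `unknown-version` are the ones to remediate or investigate first.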

It is equally important to be careful when browsing online. Suspicious links, especially those received via email or messages from unverified contacts, can serve as an attack vector. In some cases, vulnerabilities can be exploited simply by visiting compromised websites, without any direct interaction from the user. In cybersecurity terminology, these are known as “watering hole” attacks.  

For organizations, this type of threat reinforces the need for continuous security monitoring capable of detecting anomalous network traffic and blocking connections to known malicious domains before they reach end-user devices.  

Lockdown Mode: advanced protection for high-risk users  

For users requiring an elevated level of security, such as journalists, political figures, or executives handling sensitive information, Apple provides an advanced isolation mode. It can be activated under Settings > Privacy & Security > Lockdown Mode.  

This feature is designed for individuals who may be exposed to targeted threats, and it works by minimizing the device’s attack surface through a series of restrictions: it automatically blocks links and attachments in messages, prevents FaceTime calls from contacts the user has not interacted with in the past 30 days, restricts complex web technologies and certain fonts, disables automatic Wi-Fi connections, and removes geolocation data from photos.  

Notably, both the Coruna and DarkSword exploit kits skip execution entirely on devices with Lockdown Mode enabled. This makes it one of the most effective countermeasures available for high-value targets.  

Your smartphone is a digital vault: protect it accordingly  

One final, essential point: the smartphone is now an archive of personal and professional information. Protecting it is not merely a technical matter, but a daily practice of prudence and digital responsibility.  

When an exploit kit like Coruna can silently compromise a device through a simple webpage visit, the boundary between personal security and organizational risk becomes invisible. A compromised executive phone can expose credentials, internal communications, and strategic data.  

This is why a comprehensive security posture requires not only endpoint protection, but also a robust incident response capability that can detect, contain, and remediate compromises before they escalate into full-scale breaches.  
