One Click Away from Getting Hacked: 5 Critical iOS Security Warnings from the Russian & Chinese Hacking Tool 'Coruna'
Google TAG has officially confirmed 'Coruna,' a hacking tool that originated as government-grade spyware and was leaked. It relies on a watering-hole attack: an iPhone can be infected simply by visiting a malicious website, which exposes hundreds of millions of devices running iOS 13–17.2.1 and makes an immediate update critical.
Your iPhone may be at risk right now. Russian and Chinese hacker groups are actively using a hacking tool that can exfiltrate all personal data when the user merely visits a malicious website, with no extra click or file download required.
TL;DR
- Coruna: Originally developed as a spyware tool for government agencies, now in active use by Russian and Chinese hacking groups after being leaked
- Affected range: iPhones running iOS 13 through iOS 17.2.1 (devices from 2019 through late 2023)
- Attack method: Watering Hole — infection occurs just by visiting a compromised website; no user interaction required
- Officially confirmed by Google TAG: 23 vulnerabilities and 5 staged exploit chains identified
- Key action: Update to the latest version of iOS immediately
What Happened
On March 5, 2026, Google's Threat Analysis Group (TAG) officially announced that a powerful hacking tool called 'Coruna' is being widely distributed in the wild. Tech outlet TechCrunch broke the story first, followed quickly by major Korean outlets including ETNews, Yonhap News, Newspim, eToday, and Chosun Ilbo.
Coruna was originally a tool developed by a government agency for spyware purposes. Its leak path has not yet been confirmed, but it is currently being exploited in two distinct ways:
- Russian spy organization: Confirmed use in large-scale cyber operations targeting Ukrainian users
- China-based hacker group: Confirmed use in financially motivated attacks
Google TAG identified a total of 23 vulnerability exploits and 5 staged attack chains within Coruna. Affected iOS versions range from iOS 13 to iOS 17.2.1.
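For teams that manage iPhones, the stated range translates into a fleet triage check. The following is an added example, not code from the article or from Google TAG: it flags inventory rows whose iOS version falls within iOS 13 through iOS 17.2.1. The CSV layout, device IDs and sample versions are constructed for illustration. Versions are compared numerically, because plain string comparison would misorder values such as 17.10 and 17.2.1.

```python
import csv
import io
import re

# Affected range as stated in the article: iOS 13 through iOS 17.2.1, inclusive.
AFFECTED_MIN = (13, 0, 0)
AFFECTED_MAX = (17, 2, 1)

def parse_ios_version(text):
    """Return (major, minor, patch), or None if the text is not a version."""
    m = re.fullmatch(r"\s*(?:iOS\s*)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*",
                     text, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(part) if part else 0 for part in m.groups())

def classify(version_text):
    """Place one reported version relative to the article's affected range."""
    version = parse_ios_version(version_text)
    if version is None:
        return "unknown"          # needs manual review; never assume patched
    if version < AFFECTED_MIN:
        return "below-range"      # outside the stated range, not a safety claim
    if version <= AFFECTED_MAX:
        return "affected"
    return "above-range"

# Constructed inventory export (hypothetical columns and device IDs).
# "17.10" is a made-up value included to exercise numeric comparison.
SAMPLE_INVENTORY = """device_id,os_version
phone-001,17.2.1
phone-002,17.10
phone-003,iOS 16.7
phone-004,17.3
phone-005,12.5.7
phone-006,
phone-007,13
"""

def triage(csv_text):
    """Group device IDs by classification."""
    report = {"affected": [], "above-range": [], "below-range": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[classify(row["os_version"] or "")].append(row["device_id"])
    return report

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(devices) or '-'}")
```

Rows with a missing or unparseable version land in "unknown" so they are reviewed by hand rather than silently treated as patched.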
Why It's Especially Dangerous — The Watering Hole Threat
The key reason Coruna stands apart from typical hacking threats is its watering hole attack method.
"A device becomes infected simply by visiting a malicious website crafted by the attacker. No additional clicks or file downloads are required whatsoever."
Traditional phishing attacks could be partially mitigated by the advice "don't click suspicious links." But with a watering hole attack, the act of visiting a site is itself the attack vector. Even a site you normally trust can be dangerous if it has been compromised by an attacker.
Security researchers have noted that some components of Coruna are technically similar to those used in 'Operation Triangulation' — a large-scale iPhone surveillance operation carried out between 2019 and 2023 by a group linked to Russia's FSB, which was publicly disclosed by NSA-affiliated Kaspersky researchers at the time.
Context and Background — The 'Democratization' of State Hacking Tools
Coruna's emergence is the latest chapter in a dangerous trend that has been building for years: state-level cyber weapons spreading to civilian and criminal hacker groups.
- NSO Group Pegasus: Developed in Israel, purchased by governments worldwide and abused to surveil journalists and human rights activists
- HackingTeam Leak (2015): An Italian firm's attack tools were leaked and spread throughout global cybercrime
- Coruna (2026): The source of the leak is unconfirmed, but the pattern is identical
Particularly notable is the timing. On that very same day — March 5 — the National Intelligence Service (NIS) and cybersecurity agencies from seven countries including the U.S. NSA and Australia's ASD jointly released an 'AI Supply Chain Security Advisory,' calling for security to be built into AI systems from the design stage. The Coruna incident is a reminder that beyond iOS security alone, the vulnerabilities of our entire digital infrastructure remain a pressing concern.
Outlook — Apple's Response and the Persistence of the Threat
Apple has already patched many of the relevant vulnerabilities in versions after iOS 17.2.1, which is the upper boundary of Coruna's impact. However, the threat cannot be considered fully eliminated:
- Users of older devices: iPhones older than iPhone X that cannot be updated to a current iOS version remain persistently exposed
- Users who delay updates: Statistically, 15–20% of iOS users do not install the latest version immediately upon release
- Potential for variants: Now that the attack chain structure has been made public, new variants built on it may emerge
Security experts characterize this incident as yet another example of the "democratization of state-grade hacking tools" — meaning the level of offensive capability once exclusively available to governments is now potentially within reach of financially motivated criminal organizations.
✅ 5-Item Checklist: What to Do Right Now
Reference Links
- ETNews — Hacking tool 'Coruna' targeting iPhones confirmed… iOS security concerns raised
- Yonhap News — iPhone security on high alert over Russian hacking group's tool 'Coruna'
- Newspim — Hacking tool 'Coruna' discovered… iPhone security tensions rise
- eToday — Government-grade hacking tool 'Coruna' leaked… iPhone hacking fears mount
- NIS Official — Joint statement on AI supply chain risks and mitigation measures