
Zero Click Attacks: The Risk To Business

In March, Google researchers issued a warning detailing how adversaries are using the Coruna spyware to target iPhone users. Worryingly, the Coruna attacks weren’t only focused on typical spyware targets such as journalists, dissidents and government officials. Google observed adversaries using a number of vulnerabilities in the iOS operating system in financially motivated campaigns aiming to steal cryptocurrency.

Spyware is usually delivered via zero-click attacks, which use software flaws to plant malware without any interaction from the user. Spyware delivered this way was famously used against the wife of Saudi journalist Jamal Khashoggi before his murder in 2018, as well as against former Amazon CEO Jeff Bezos.

As nation-states ramp up attacks and Coruna widens spyware beyond its traditional niche targets, how big is the risk to businesses?

Dangerous Threat

Zero-click attacks represent one of the most dangerous classes of cyber threat, “precisely because they remove human judgement from the equation,” says Spence Hutchinson, threat intelligence researcher at eSentire’s Threat Research Unit. “In a traditional phishing attack, a user must click a link, open a document, or take some action that triggers the payload. Zero-click exploits eliminate that requirement entirely.”

The Coruna kit is “concerning”, given its sophistication, says Hutchinson. “It contains 23 exploits and requires zero interaction beyond loading the page.”

He describes how the exploits are organised into five attack chains that “allow the attacker to progress from initial browser compromise to full device control.”

Google's recent disclosure of the Coruna iOS exploit kit shows how the issue of spyware has moved from “specialist espionage” into “mainstream enterprise risk,” says Paulo Cardoso do Amaral, author of Business Warfare, strategist and expert in competitive intelligence.

Google researchers first tied Coruna to a suspected Russian espionage group, and later observed it in broad campaigns run by a financially motivated adversary in China. That is “a strong signal that advanced exploitation is proliferating beyond its traditional niche,” says Cardoso do Amaral.

Business Impact

The business impact of zero-click attacks such as these is “severe” and “operates on multiple levels,” according to Hutchinson. The most immediate concern is that conventional enterprise security controls are “largely blind to this class of attack,” he says.

This is because zero-click compromises leave no user-behavioural signal. “No suspicious click, no anomalous logic,” says Oren Wortman, managing director and co-leader of Alvarez & Marsal's global cyber risk services.

Therefore, zero-click attacks aren’t picked up by most business detection frameworks, which are tuned to catch human mistakes or account misuse. “Zero-click attacks wouldn’t alert based on what we’ve historically as an industry been building detection rules to do,” Wortman explains. “That’s why organisations routinely discover these compromises weeks after the fact, if they discover them at all.”

Evolving Risk

The risk is also evolving in a way that should concern security leaders, experts say. Zero-click started as a nation-state capability: expensive to develop, used sparingly and aimed at high-value individual targets.

That's no longer an accurate description of a threat landscape in which the capability levels of criminally motivated groups and nation-states have “continued to blur,” says Wortman. “A maturing exploit market, a dramatically-expanded enterprise attack surface, and the rapid deployment of AI tooling have collectively brought zero-click techniques within the reach of criminally motivated threat groups,” he warns.

The Coruna case is concerning given “the proliferation of its capabilities,” says Hutchinson. “The kit circulated among multiple threat actors over the past year, moving from a commercial surveillance operation to state-linked espionage campaigns and, ultimately, into the hands of financially motivated hackers. How this proliferation occurred is unclear, but it suggests an active market for ‘second-hand’ zero-day exploits. Multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”

The AI trajectory is also a huge concern, according to Wortman. “We're in early days of zero-click techniques operating through AI agents rather than traditional operating system vulnerabilities, exploiting trust boundaries in how those agents retrieve and act on data. The industry doesn't have a mature defensive answer for that yet, and the attack surface is growing with every new AI integration enterprises deploy.”

Managing The Threat

While spyware is still largely targeted at dissidents, journalists and businesses operating in certain sectors, Coruna shows that the threat now extends beyond this niche. With this in mind, it’s important that businesses take measures to protect themselves.

The basics of cyber hygiene “will help a lot,” says Rob Anderson, head of reactive consulting services at Reliance Cyber. This means rapid patching of endpoints, phones and tablets included, especially where high-sophistication zero-click threat actors are “likely to want to get to know your business better,” he says.

Better monitoring and proper control over AI tools, including clamping down on shadow AI, will also help. Meanwhile, Anderson points out that high-risk people such as executives and admins are more likely to be targeted and “should get extra protection.”

Collin Hogue-Spears, senior director of solution management at Black Duck, recommends mandatory use of Apple’s anti-spyware feature Lockdown Mode on high-value devices, as well as agent-level behavioural monitoring and pre-ingestion input sanitisation for every AI pipeline.

He says Lockdown Mode is “the one control that the attacker's own code respects.”

In the case of Coruna, Google's researchers confirmed that the kit actively checks for Lockdown Mode and private browsing before delivering a payload, and abandons the attack if either is detected. That behaviour is a property of this particular kit as analysed; a future kit need not make the same check, so Lockdown Mode is a strong mitigation rather than a guarantee. For security leaders, though, it transforms Lockdown Mode into “a verified, attacker-tested kill switch,” says Hogue-Spears.

At the same time, firms should embed mobile security into daily operations, rather than treating it as “an emergency add-on,” says Cardoso do Amaral. As part of this, he advises minimising risky apps and profiles, separating personal and business use where possible, tightening identity controls around mobile-based multi-factor authentication (MFA), and “building executive response playbooks for spyware-style incidents.”

Kate O'Flaherty, Cybersecurity and privacy journalist
