
Spyware suppliers exploit more zero-days than nation states | Computer Weekly

News Room
Last updated: 2026/03/05 at 7:32 PM
News Room Published 5 March 2026

Suppliers of commercial spyware have edged ahead of nation-state threat actors when it comes to the exploitation of zero-day vulnerabilities at scale, according to data released by the Google Threat Intelligence Group (GTIG).

In a report titled “Look what you made us patch: 2025 zero-days in review”, the GTIG team said that of 42 unique zero-days it tracked in 2025, it was able to firmly attribute first exploitation of 15 to commercial surveillance vendors (CSVs), compared with 12 that were first exploited by nation-states (seven by China), and nine by financially motivated cyber criminals.

The data additionally highlight three zero-days that were “likely” exploited by China, and one possibly at the intersection of cyber crime and nation-state activity.

The GTIG team, comprising researchers Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Stevens and Fred Plan, wrote that despite CSVs increasingly focusing on operational security to obscure their unethical activity, the growth in their activity reflected a trend dating back several years.

“Historically, traditional state-sponsored cyber espionage groups have been the most prolific attributed users of zero-day vulnerabilities,” they said. “[But] over the last few years, the increase of zero-day exploitation attributed to CSVs and their customers has demonstrated the growing ability of these vendors to provide zero-day access to a wider range of threat actors than ever before.

“GTIG has reported extensively on the capabilities CSVs provide their clients, as well as how many CSV customers use zero-day exploits in attacks which erode civil liberties and human rights,” they added.

“In late 2025, we reported on how Intellexa, a prolific procurer and user of zero-days, adapted its operations and tool suite and continues to deliver extremely capable spyware to high paying customers.”

China-nexus threat actors

Beyond CSVs, China-nexus threat actors were the most prolific exploiters of new zero-days, predominantly focusing on edge and networking devices that are hard to monitor, as they seek to gain long-term footholds in their targets’ operations.

GTIG said it was clear that China-nexus espionage actors have become increasingly adept at developing and sharing exploits among themselves, demonstrating their government is prepared to shower them with plentiful technical, and presumably financial, resources – compared with the other “Big Four” states of Iran, North Korea and Russia.

Russian cyber criminals, on the other hand, continue to make a killing and remain able to similarly invest in technical expertise, as evidenced last year by Cl0p’s extortion campaign targeting flaws in Oracle E-Business Suite, and the exploitation of a flaw in the WinRAR file archiver by a group with possible links to the long-standing and ever-present Evil Corp crew.

Overall zero-day volumes remain on par

All this said, more widely, GTIG observed a total of 90 zero-days under active exploitation during 2025, lower than 2023’s record high of 100, but generally in the 60 to 100 range that has become established since the Covid-19 pandemic.

Of these 90 flaws, the raw number and proportion that targeted enterprise technology were 43% and 48%, respectively, with zero-days increasingly affecting security and network edge devices, which are favoured by cyber criminals and nation-states alike.

CSVs, on the other hand, tended to prefer mobile and browser exploits, the overall volume of which is ebbing and flowing – well up on 2024, but about on par with 2023 – likely thanks to more focused actions from the likes of Google on Android and Apple on iOS, which have forced such threat actors to expand or adjust their techniques, leading to the peaks and troughs.

Broken out by supplier, GTIG found that the clear majority of zero-days understandably target Microsoft, which accounted for 25 in total. This was followed by Google, with 11; Apple, with eight; Cisco and Fortinet, tied on four; and Ivanti and VMware, with three. Six more suppliers had two zero-days each, and the remaining 20 were split across 20 suppliers.

Looking ahead into 2026, GTIG said that as supply-side actors continue their work to make zero-day exploitation tougher for the bad guys – particularly in the mobile space – adversaries will unfortunately continue to hone their skills as well, foreshadowing more expansive techniques and a growing diversity of targets.

The team said that enterprise exploitation in particular will widen thanks to the sheer breadth of applications and devices now in use, with only a single-point-of-failure needed for threat actors to engineer a breach.

The AI factor

The team also expects artificial intelligence (AI) to accelerate the race between attackers and defenders, with AI increasingly used to automate and scale attacks by accelerating recon activity and, critically, exploit discovery and development.

This will put more pressure on defenders to detect and respond to zero-days, but at the same time, they will of course be able to take advantage of AI tools – like agents – in their own work.

GTIG also indicated an emerging paradigm for zero-day exploitation in 2026, heralded by the Brickstorm malware campaign, in which data theft “has the potential to enable long-term zero-day development”.

Rather than merely stealing sensitive client data, Brickstorm’s actors – known as Warp Panda – used it to target their victims’ intellectual property, such as source code and development documents, which they could use to work angles on new zero-days in those victims’ software.
