Google: Spyware vendors, China-linked spies led 0-day abuse • The Register

Privacy Reporter

Google's 2025 zero-day tracking report reveals a record 90 exploited vulnerabilities, with enterprise tech products hit hardest and China-linked espionage groups leading state-backed attacks.

Google's annual zero-day tracking report reveals a troubling escalation in cyber espionage and commercial surveillance, with enterprise technology products bearing the brunt of exploitation attempts in 2025. The search giant's Threat Intelligence Group documented 90 zero-day vulnerabilities actively exploited last year, marking a continued upward trend from 78 in 2024 but still below the 2023 peak of 100.


Enterprise technology dominated the exploitation landscape, accounting for 43 of the tracked zero-days - 48 percent of all the previously undisclosed bugs exploited last year. This marks a significant increase from 2024's 36 enterprise-targeted exploits. The shift toward enterprise exploitation represents a strategic pivot by attackers since 2023, moving away from consumer-focused attacks toward large organizations with deeper pockets and more valuable data.

Security and networking devices emerged as the primary targets, comprising nearly half (21) of the enterprise-related zero-days. Edge devices including routers, switches, and gateways faced particular scrutiny, with 14 documented exploits affecting these systems. Google acknowledged this figure likely underrepresents the true scale because of detection limitations: many edge devices cannot run the endpoint security tools that would otherwise flag malicious activity.

The attribution picture reveals a complex ecosystem of exploitation. Google successfully attributed 42 of the 90 zero-days to specific actor types: 15 to commercial surveillance vendors (CSVs) plus three to likely CSVs, 12 to state-sponsored espionage groups (with seven from China), three to likely government spies (also China), nine to financially motivated cybercriminals, and one to dual-role actors.

China-linked cyber-espionage groups maintained their position as the most prolific state-backed users of zero-days. These groups focused heavily on edge device exploitation and broader security and networking infrastructure, reflecting strategic priorities in intelligence collection operations. The targeting of technology companies in campaigns like Brickstorm demonstrated the potential for intellectual property theft to accelerate zero-day development capabilities.

Commercial surveillance vendors reached a milestone in 2025, with Google attributing more zero-days to CSVs than to traditional government-backed cyber spies for the first time since tracking began. These private companies - including NSO Group, Intellexa, and Candiru - develop and sell spyware and exploits ostensibly to government agencies and law enforcement for legitimate intelligence gathering and crime-fighting purposes.

However, the reality proves more troubling. Spyware from these vendors has been discovered on devices belonging to journalists, protesters, and political opposition leaders, raising serious human rights concerns. Google's security engineers declined to name the most prolific CSVs in 2025, citing ongoing investigations, though they noted that previous reports have discussed many active vendors.

Microsoft products faced the highest number of exploited zero-days in 2025, followed by Google (11) and Apple (8). This concentration reflects both market share realities and the valuable data accessible through these platforms.

The enterprise technology sector shows no signs of relief from zero-day exploitation. With attackers increasingly targeting security and networking infrastructure, organizations face mounting pressure to patch vulnerabilities quickly and implement robust detection capabilities, particularly for edge devices that traditionally lack comprehensive security monitoring.

This escalation in zero-day exploitation underscores the growing sophistication of both state-sponsored and commercial cyber operations, as well as the expanding market for surveillance capabilities that can bypass traditional security measures. As attackers continue refining their techniques and expanding their targets, the cybersecurity community faces an increasingly complex threat landscape requiring constant vigilance and rapid response capabilities.
