Government-backed hackers led majority of zero-day exploits in 2025, according to Google

April 30, 2025  19:06

Google's Threat Intelligence Group reports that government-backed hackers were responsible for the majority of attributed zero-day exploits in 2025. It tracked 75 vulnerabilities in total, a decrease from 2025 but part of an overall upward trend since 2025, as attackers increasingly target enterprise security and networking products, writes BleepingComputer.

Government-Backed Hackers

Google's 2025 analysis revealed that, of the 75 total zero-day vulnerabilities discovered, it could attribute responsibility for 34 to specific threat actors. Within this attributable subset, government-backed cyber espionage operations emerged as the leading category, accounting for 29% of these exploitations. This indicates that while many zero-days remain unattributed, state-sponsored activities represent a significant and identifiable portion of the advanced threat landscape.

The shift toward government actors leading zero-day exploitation reflects a strategic emphasis on high-value targets and sophisticated attack methods. These state-sponsored groups typically possess substantial resources and technical capabilities, allowing them to develop or acquire complex exploits for specific objectives. Their operations often target critical infrastructure, government agencies, and organizations possessing valuable intellectual property or strategic information, making them particularly dangerous threats in the cybersecurity landscape.

Enterprise Technology Targets

Enterprise security and networking products became prime targets in 2025, accounting for over 60% of all enterprise zero-day exploitation. The shift is strategic: compromising these devices provides attackers with broad access to organizational networks through a single exploit. Overall, 44% (33) of tracked zero-days targeted enterprise platforms, up from 37% in 2025, indicating a clear trend away from end-user technologies.

Security appliances from major vendors like Ivanti, Cisco, and Palo Alto Networks suffered high-profile zero-day exploits during this period. This pivot reflects both the evolving threat landscape and the impact of improved mitigations on traditional targets like browsers and mobile devices, which saw significant drops in exploitation (browsers down from 17 to 11, mobile devices from 17 to 9). Attackers are adapting their strategies, focusing on less-protected enterprise technologies that offer potentially greater rewards.

Commercial Surveillance Vendors

Commercial surveillance vendors (CSVs) played a significant role in the zero-day exploitation landscape of 2025, with eight zero-days attributed to companies like NSO Group and Cellebrite. These firms typically develop and sell sophisticated surveillance tools to government clients, creating a concerning gray market for digital intrusion capabilities. Despite facing increased scrutiny, CSVs have improved their operational security, making attribution of their activities more challenging for security researchers.

The continued prominence of these vendors highlights the persistent demand from law enforcement and government agencies for surveillance capabilities. Particularly notable were cases involving forensic vendors' tools used in physical attacks on mobile devices, such as Cellebrite's exploitation of Android vulnerabilities in targeted operations against activists. This trend raises important questions about the regulation of commercial spyware and the balance between legitimate security needs and potential human rights abuses.

Exploitation Trends

While the overall number of zero-day exploits decreased from 98 in 2025 to 75 in 2025, the long-term trend shows a gradual increase from 63 in 2025, indicating that zero-day exploitation remains a persistent threat. This fluctuation reflects the ongoing cat-and-mouse game between attackers and defenders, with threat actors continuously adapting their strategies in response to improved security measures.

Vendor mitigation efforts are beginning to show positive results, particularly for browsers and mobile devices, which saw significant drops in exploitation in 2025. Features like Apple's Lockdown Mode and Google's Memory Tagging Extension (MTE) have made exploitation more difficult, forcing attackers to shift their focus to less-protected technologies. Despite these improvements, cybercriminals continue to target vulnerable systems, with 11 attributed zero-days linked to activities such as ransomware operations that primarily focused on enterprise devices like VPNs and routers.
