Spyware Makers Topped Google’s List of Zero-Day Exploits for the First Time in 2025
Google for several years has been among the loudest voices to warn of the dangers associated with the growing use of spyware around the world.
Two years ago, Google was among several top tech companies, including Microsoft and Trend Micro, to support the lawsuit a Salvadoran journalist filed against NSO Group, the vendor behind the notorious Pegasus spyware that was found on the Apple iPhones of almost two dozen of his organization’s news staff.
The same year, Google’s Threat Analysis Group (TAG) published a 33-page report about the growing spyware industry driven by a range of commercial surveillance vendors (CSVs), including NSO as well as Intellexa, Negg Group and Cy4Gate.
“The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals’ devices,” the report’s authors wrote, noting the abuse of spyware in various countries to track human rights workers, journalists, politicians, and others. “By doing so, commercial surveillance vendors (CSVs) are enabling the proliferation of dangerous hacking tools.”
In the 2024 edition of its annual report on zero-day vulnerabilities, TAG and Mandiant researchers wrote about the growing link between CSVs and the governments that use them, noting that they accounted for half of the exploits linked to governments.
Spyware Makers Pull Ahead
The latest edition of the report, released this week, shows the situation is getting worse. For the first time, the Google researchers attributed more zero-day exploitations to CSVs than to state-sponsored espionage groups.
In all, Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in the wild last year, down from the high of 100 in 2023 but more than the 78 in 2024. According to the report released this week, Google researchers attributed 34.9% of zero-day exploitations – 15 in all – to CSVs and their customers, followed by 27.9% (12) by state-sponsored threat groups in places like China and Russia.
“This continues to reflect a trend we began to observe over the last several years – a growing proportion of zero-day exploitation is conducted by CSVs and/or their customers, demonstrating a slow but sure movement in the landscape,” they wrote.
The Problem Grows
This comes despite the work of Google and others to push back against spyware vendors and the Biden Administration’s aggressive stance toward the companies and their products.
“Historically, traditional state-sponsored cyber espionage groups have been the most prolific attributed users of zero-day vulnerabilities,” they wrote. “Over the last few years, the increase of zero-day exploitation attributed to CSVs and their customers has demonstrated the growing ability of these vendors to provide zero-day access to a wider range of threat actors than ever before.”
Incidents of spyware use continue to pile up. Most recently, prosecutors in Italy said this week that they’ve confirmed that two immigration activists and a journalist were hacked in late 2024 as part of the same spyware campaign. In late February, a Greek court in Athens found three executives of Intellexa – the Greek company that makes the Predator spyware – and a prominent businessman guilty of using spyware to unlawfully access information systems, violate communication privacy, and interfere with personal data systems.
Don’t Count Out the Nation-State Actors
Even though spyware vendors overtook nation-state actors in exploiting zero-day vulnerabilities, groups aligned with countries like China and Russia were still active in 2025 in developing and using zero days in their operations, according to Google. That was especially true of China-nexus groups, which were responsible for at least 10 of the zero-day exploitations.
“PRC [People’s Republic of China]-nexus espionage zero-day exploitation continued to focus on edge and networking devices that are difficult to monitor, allowing them to maintain long-term footholds in strategic networks,” the Google researchers wrote.
They noted that, historically, zero-day exploits were the purview of the most capable of threat groups. However, that’s changed.
“Observed mass exploitation of vulnerabilities suggests that PRC-nexus espionage operators are increasingly adept at developing, sharing, and distributing exploits among themselves,” they wrote. “Over time … we have observed that an increasing number of activity clusters are exploiting vulnerabilities closer to public disclosure, indicating that PRC-nexus espionage operators have potentially reduced the time to both develop exploits and distribute them among otherwise separate groups.”
Another change was the trend away from North Korean-sponsored hackers. In 2024, five zero-day exploits were attributed to groups within the highly secretive country. This year, there were none.

