Zero-day exploitation against enterprise technology surged to an unprecedented level in 2025, according to findings from Google’s Threat Analysis Group (GTIG). GTIG tracked 90 zero-day vulnerabilities exploited in the wild throughout the year, with a significant 43 directly targeting enterprise-grade products and systems [1]. This marks an all-time high for such attacks, signifying a critical escalation in threats to organizational infrastructure. Analysis revealed that China-linked cyber-espionage groups were the most prolific state-backed actors leveraging these zero-days, consistently exploiting weaknesses to gain access and maintain persistence. Alongside nation-state adversaries, commercial spyware vendors also contributed substantially to the volume of exploited vulnerabilities, deploying sophisticated tools against high-value targets. The pervasive and advanced use of these previously unknown flaws by both state-sponsored groups and private entities demands immediate attention. Practitioners should therefore assess their current defensive capabilities and prioritize patching strategies to counter the accelerated weaponization of zero-day exploits.
Google says spyware makers and China-linked groups dominated zero-day attacks last year
⚡ High Priority
Why This Matters
Zero-day activity targeting enterprise technology means patching windows are already closing; assess your exposure immediately.
References
- The Register. (2026, March 5). *Google says spyware makers and China-linked groups dominated zero-day attacks last year*. https://go.theregister.com/feed/www.theregister.com/2026/03/05/zero_day_attacks_enterprise_tech_record/