Computer Weekly (computerweekly.com)
By Alex Scroxton, Security Editor
Published: 05 Mar 2026 15:00
Exploitation of zero-days by commercial surveillance and spyware developers outpaced exploitation by nation-state actors last year, according to a report.
Suppliers of commercial spyware have edged ahead of nation-state threat actors when it comes to the exploitation of zero-day vulnerabilities at scale, according to data released by the Google Threat Intelligence Group (GTIG).
In a report titled Look what you made us patch: 2025 zero-days in review, the GTIG team said that of the 42 unique zero-days whose first exploitation it could firmly attribute in 2025, 15 were first exploited by commercial surveillance vendors (CSVs), compared with 12 first exploited by nation-states (seven of them by China) and nine by financially motivated cyber criminals.
The data additionally highlight three zero-days that were “likely” exploited by China, and one possibly at the intersection of cyber crime and nation-state activity.
The GTIG team, comprising researchers Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Stevens and Fred Plan, wrote that despite CSVs increasingly focusing on operational security to obscure their unethical activity, the growth in their activity reflected a trend dating back several years.
“Historically, traditional state-sponsored cyber espionage groups have been the most prolific attributed users of zero-day vulnerabilities,” they said. “[But] over the last few years, the increase of zero-day exploitation attributed to CSVs and their customers has demonstrated the growing ability of these vendors to provide zero-day access to a wider range of threat actors than ever before.
“GTIG has reported extensively on the capabilities CSVs provide their clients, as well as how many CSV customers use zero-day exploits in attacks which erode civil liberties and human rights,” they added.
“In late 2025, we reported on how Intellexa, a prolific procurer and user of zero-days, adapted its operations and tool suite and continues to deliver extremely capable spyware to high paying customers.”
China-nexus threat actors
Beyond CSVs, China-nexus threat actors were the most prolific exploiters of new zero-days, predominantly focusing on edge and networking devices that are hard to monitor, as they seek to gain long-term footholds in their targets’ operations.
GTIG said it was clear that China-nexus espionage actors have become increasingly adept at developing and sharing exploits among themselves, demonstrating that their government is prepared to provide them with plentiful technical, and presumably financial, resources, more so than the other “Big Four” states of Iran, North Korea and Russia.
Russian cyber criminals, on the other hand, continue to make a killing and remain able to similarly invest in technical expertise, as evidenced last year by Cl0p’s extortion campaign targeting flaws in Oracle E-Business Suite, and the exploitation of a flaw in the WinRAR file archiver by a group with possible links to the long-standing and ever-present Evil Corp crew.
Overall zero-day volumes remain on par
All this said, more widely, GTIG observed a total of 90 zero-days under active exploitation during 2025, lower than 2023’s record high of 100, but generally in the 60 to 100 range that has become established since the Covid-19 pandemic.
Of these 90 flaws, 43 in raw numbers, or 48%, targeted enterprise technology, with zero-days increasingly affecting security and network edge devices, which are favoured by cyber criminals and nation-states alike.
CSVs, on the other hand, tended to prefer mobile and browser exploits, the overall volume of which is ebbing and flowing – well up on 2024, but about on par with 2023 – likely thanks to more focused actions from the likes of Google on Android and Apple on iOS, which have forced such threat actors to expand or adjust their techniques, leading to the peaks and troughs.
Broken out by supplier, GTIG found that the clear majority of zero-days understandably target Microsoft, which accounted for 25 in total. This was followed by Google, with 11; Apple, with eight; Cisco and Fortinet, tied on four; and Ivanti and VMware, with three each. Six more suppliers had two zero-days each, and the remaining 20 were split across 20 suppliers, one apiece.
Looking ahead into 2026, GTIG said that as supply-side actors continue their work to make zero-day exploitation tougher for the bad guys – particularly in the mobile space – adversaries will unfortunately continue to hone their skills as well, foreshadowing more expansive techniques and a growing diversity of targets.
The team said that enterprise exploitation in particular will widen thanks to the sheer breadth of applications and devices now in use, with only a single point of failure needed for threat actors to engineer a breach.
The AI factor
The team also expects artificial intelligence (AI) to accelerate the race between attackers and defenders, with AI increasingly used to automate and scale attacks by accelerating recon activity and, critically, exploit discovery and development.
This will put more pressure on defenders to detect and respond to zero-days, but at the same time, they will of course be able to take advantage of AI tools – like agents – in their own work.
GTIG also indicated an emerging paradigm for zero-day exploitation in 2026, heralded by the Brickstorm malware campaign, in which data theft “has the potential to enable long-term zero-day development”.
Rather than merely stealing sensitive client data, Brickstorm’s actors – known as Warp Panda – targeted their victims’ intellectual property, such as source code and development documents, which they could use to hunt for new zero-days in their victims’ software.
The Austrian government is likely to face legal challenges after it succeeded on its fifth attempt to pass a law this month giving the country’s intelligence service legal powers to deploy spyware on phones and computers. Civil society groups are holding discussions with MPs from the far-right Freedom Party (FPÖ) and the Greens, both of which voted against the new surveillance measures, regarding a legal challenge in Austria’s constitutional court.
Austria’s lower house passed the law on 9 July 2025, giving the Austrian intelligence service – the Directorate of State Protection and Intelligence (DSN) – the capability to deploy spyware, known as “a state trojan”, to monitor encrypted communications on services such as WhatsApp and Signal.
The three coalition governing parties, ÖVP, SPÖ and NEOS, agreed to changes to the State Protection and Intelligence Service Act (SNG), the Telecommunications Act 2021, the Security Police Act (SPG) and other laws to allow the state to spy on encrypted messages and gather other data stored on electronic devices.
The coalition government, headed by chancellor Christian Stocker, argued that Austria should have a legal framework to enable it to monitor encrypted messaging services in line with countries such as the UK and the US.
Austrian politicians pressed the case after a tip-off from the US Central Intelligence Agency (CIA), warning of an impending attack at a Taylor Swift concert in August 2024 during the Eras Tour, led to the cancellation of three concerts in the country. US intelligence reportedly identified that one of the suspects had pledged allegiance to ISIS-K on the Telegram messaging app.
Former chancellor Karl Nehammer also cited Austria’s biggest spying scandal, the Egisto Ott affair, as a reason for the DSN to be given more tools to act against foreign intelligence services, including the ability to intercept encrypted messaging services.
The new law has been criticised by civil society groups and some technology companies, which argue that the introduction of a “state trojan” will undermine internet security for Austrian citizens.
In July, 50 civil society groups from 16 countries wrote an open letter to MPs and the Austrian National Council, warning that the move to increase state surveillance would be a historic step backwards for IT security.
The civil society groups said the draft law was based on a “legal fiction” that would mean that, rather than protecting the population from cyber security risks, the state would instead promote and maintain security vulnerabilities, which will inevitably be discovered and exploited by hackers and hostile nation-states.
They point to the WannaCry ransomware attacks of 2017, which exploited a security vulnerability using an exploit developed by the US National Security Agency (NSA) to infiltrate computer systems, causing severe disruption to hospitals, trains and mobile phone networks.
Thomas Lohninger, executive director of digital rights organisation Epicenter.Works, told Computer Weekly that his organisation will “try everything” to challenge the new law in Austria’s constitutional court. This includes bringing a constitutional challenge from the opposition Green Party and far-right FPÖ MPs before the law is enacted, a move that requires support from a third of MPs.