
Google Threat Intelligence Group (GTIG) said on the 6th that half of last year's zero-day attacks targeted corporations.

On the same day, GTIG published a report analyzing structural and technical shifts in the zero-day attack landscape. A zero-day attack exploits a software vulnerability for which there is no patch (a security update that fixes the vulnerability). It is called zero day because the vulnerability has been public for 0 days, meaning developers have 0 days to respond.

According to the report, 48%, nearly half, of the 90 zero-day vulnerability attacks that occurred last year were found to have targeted enterprise (corporate) technology. Attackers focused on security and networking tools lacking endpoint detection and response (EDR) capabilities, especially edge devices (devices that process data directly). The rise in enterprise attacks began in 2024, and last year both the number and the share of such vulnerabilities hit a record high.

Shifts were also detected in who is behind the attacks. In the past, state-backed hacker groups led zero-day attacks, but last year, for the first time since GTIG began related research, zero-day attacks led by commercial surveillance software vendors (CSV) outnumbered those by state-backed hacker groups. The report said, "This suggests that access to zero-day attack capabilities is expanding to a broader set of actors."

Among state-backed hacker groups, China-linked cyberespionage groups were the most active. In contrast, zero-day attacks led by North Korean hacker groups were not detected.

The report also assessed that some espionage groups are emerging as a long-term threat by stealing corporations' intellectual property (IP), such as source code and proprietary development documents, and then developing new zero-day weapons targeting the victim corporations' software or customers. It said attackers are analyzing the stolen source code to find additional zero-day vulnerabilities in the software and are creating a vicious cycle by reusing them in further attacks.

GTIG predicted that AI will accelerate the competition between attackers and defenders this year. The report said, "AI will speed up reconnaissance, vulnerability discovery, and exploit development, which will put greater pressure on defenders to detect and respond to zero-day attacks," adding, "Defenders, in turn, are expected to deploy AI agents to proactively find security flaws and strengthen patching, focusing on neutralizing vulnerabilities before they are exploited."

※ This article has been translated by AI.