Every few months we see new reports about spyware campaigns that use zero-day exploits to target the devices of journalists, political dissidents, or other at-risk individuals. These investigations show the continued success of commercial surveillance vendors (CSVs). A new Google report released this week, however, gave a sneak peek into how the CSV market and its use of zero-day exploits fit into the broader threat landscape: In 2025, more zero days were attributed to CSVs than to traditional state-sponsored espionage groups.

Out of 42 unique zero days tracked by Google in 2025, 18 were attributed to CSVs, while 15 were linked to state-sponsored espionage groups. Google researchers said that this was the first time they had attributed more exploitation to CSVs than to state-sponsored espionage groups. 

Historically, state-sponsored groups have been dominant when it comes to attributed zero-day exploitation. However, over the past decade, the commercial surveillance market has continued to flourish, with vendors in this space operating in many cases unimpeded (despite sanctions and public reporting). These vendors, which include the likes of NSO Group (maker of the Pegasus spyware) and Intellexa (which is behind the Predator spyware), are typically private companies that create and sell spyware, which is spread through zero-day exploits, to customers (which include government agencies or intelligence services).

Google’s findings in its annual zero-day exploitation report, released Thursday, show that valuable zero-day exploits, as well as other components of attacks, have become more readily available through CSVs to a wider swath of customers.

“These vendors often offer turn-key solutions for the entire attack lifecycle – not just the technical expertise to build exploit chains, but also the subsequent tools necessary to identify and exfiltrate data from the targeted victim,” James Sadowski, CTI Analyst with Google’s Threat Intelligence Group, told Decipher. “These capabilities historically required immense investment in time, money, and skill to develop internally, but are increasingly accessible via CSVs.”

Part of the success of modern-day CSV groups is their ability to change their techniques, bypass security boundary implementations, and rapidly develop new exploits. For instance, Intellexa has showcased an ability to quickly develop new zero-day exploits (using techniques like remote code execution, sandbox escape, and local privilege escalation) despite efforts by platform vendors to find and patch these flaws. Additionally, previous Google research has found that Intellexa increasingly used malicious ads on third-party platforms for exploit delivery, versus its primary delivery vector of one-time links sent via encrypted messaging apps. This shows that the CSV is able to quickly adapt and change its TTPs to stay ahead of the curve.

“Despite an increased focus on operational security from these actors that likely hinders discovery, this continues to reflect a trend we began to observe over the last several years – a growing proportion of zero-day exploitation is conducted by CSVs and/or their customers, demonstrating a slow but sure movement in the landscape,” according to Google researchers in the report. 

It’s important to note that state-sponsored espionage actors are still significant developers and users of zero-day exploits (led primarily by PRC-nexus groups, but also including Russia and the UAE), researchers said. However, there are several marked differences between how state-sponsored groups and CSVs use and distribute zero days. For example, state-sponsored groups particularly prioritized edge devices and security appliances (as opposed to the mobile devices and browsers targeted by CSVs) as their primary zero-day attack target.

Looking ahead, researchers said that CSVs will continue to adapt their techniques even as vendors try to implement further security protections. 

For enterprises, exploitation “will be further enabled by the breadth of applications used across infrastructure,” said researchers. “Increased numbers of software, devices, and applications expand attack surfaces, with successful exploitation requiring only a single point of failure to achieve a breach.” 

Want to learn more about the commercial surveillance market? Several security researchers in our industry have published in-depth, helpful guides about how the space has changed and what it means for exploitation levels. 

Check out these helpful analyses and research reports below:

Predators for Hire: A Global Overview of Commercial Surveillance Vendors: https://blog.sekoia.io/predators-for-hire-a-global-overview-of-commercial-surveillance-vendors/

Mythical Beasts: Diving into the depths of the global spyware market: https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/mythical-beasts-diving-into-the-depths-of-the-global-spyware-market/

To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware