Google’s latest threat report highlights China’s dominance in zero-day cyber-espionage, shifting the focus away from Iran.
State-sponsored cyber espionage has reached a new level of sophistication, with a landmark report from the Google Threat Intelligence Group (GTIG) identifying China-linked actors as the dominant force in the global exploitation of zero-day vulnerabilities.
While Western security agencies have been preoccupied with Iranian-linked campaigns, the data reveals that Chinese cyber-espionage groups are the most prolific, persistent threat to enterprise and edge infrastructure.
The findings, detailed in Google’s *2025 Zero-Days in Review* report, expose a shift in the threat landscape. During 2025, GTIG tracked 90 vulnerabilities exploited in the wild. Among the state-sponsored groups responsible for these attacks, those affiliated with the People’s Republic of China (PRC) emerged as the clear leaders, doubling their utilization of zero-day exploits compared to 2024. This activity is not random; it is highly focused on maintaining long-term footholds in strategic networks.
The report underscores a dangerous trend: threat actors are abandoning traditional target patterns in favor of security appliances, VPNs, and networking devices. These "edge" devices are notoriously difficult to monitor and often lack the robust endpoint detection and response (EDR) software present on standard corporate workstations.
The strategy is clear:
Interestingly, the report highlights a new player in the threat space: Commercial Surveillance Vendors (CSVs). For the first time, these vendors—who sell high-end spyware to governments and law enforcement agencies—are responsible for more zero-day exploits than traditional nation-state hackers. This development democratizes the ability to conduct high-level surveillance, allowing even smaller nation-states to execute attacks that were previously the exclusive domain of global superpowers.
For global organizations, the message is stark: the "periphery" of the network—the routers, the firewalls, the remote-access gateways—is now the primary front line. Relying solely on patching workstation software is no longer a viable security strategy.
As the report concludes, "cybersecurity is moving from reactive defense to continuous readiness." In 2026, the challenge will not just be patching known vulnerabilities, but anticipating the invisible, unknown exploits being developed in the quiet corridors of state-sponsored intelligence and private surveillance labs alike.