Full Report
Of the 90 zero-days GTIG tracked in 2025, 43 hit enterprise tech.

Zero-day exploitation targeting enterprise tech products reached an all-time high last year, with China-linked cyber-espionage groups remaining the most prolific state-backed users, according to Google.…
Analysis Summary
# Threat Actor: PRC-Nexus Espionage Groups (China-linked)
## Attribution & Identity
- **Actor Identification:** State-sponsored cyber-espionage groups linked to the People's Republic of China (PRC).
- **Associated Groups:**
  - The **"Brickstorm"** campaign, which the report links to intellectual property theft against technology companies.
  - Referred to collectively by Google Threat Intelligence Group (GTIG) as "PRC-nexus espionage groups."
- **Note on Landscape:** Commercial Surveillance Vendors (CSVs) were attributed more zero-days in total across all categories, but China-linked groups remained the most prolific state-backed users against enterprise technology specifically.
## Activity Summary
- **2025 Campaign Activity:** China-linked groups accounted for the largest share of attributed enterprise-tech zero-day exploitation (7 confirmed and 3 likely, 10 in total).
- **Brickstorm Campaign:** Singled out for targeting technology companies to enable intellectual property (IP) theft.
- **Trend:** Focus is shifting from end-user products toward high-value enterprise targets, reached by exploiting previously undisclosed vulnerabilities in infrastructure products.
## Tactics, Techniques & Procedures
- **Zero-Day Exploitation:** Prolific acquisition and use of vulnerabilities before a patch exists, keeping the activity below the threshold of signature-based detection.
- **Edge Device Exploitation:** Targets the devices that form the perimeter itself (VPN gateways, firewalls, routers), so a single exploit yields a foothold inside the boundary without having to cross it.
- **Stealth Preservation:** Favors devices that cannot run EDR or antivirus agents, which makes long-term persistence far harder to detect.
- **Exploit Development:** Steals IP from technology companies in order to further its own zero-day exploit development capabilities.
- **MITRE ATT&CK IDs (inferred from context, not stated in the report):**
  - T1190 – Exploit Public-Facing Application
  - T1203 – Exploitation for Client Execution
  - T1588.006 – Obtain Capabilities: Vulnerabilities (zero-day)
## Targeting
- **Sectors:**
  - Enterprise Technology
  - Security and Networking (hardest-hit product category)
  - Technology Companies (for IP theft)
  - Government and state-run organizations (espionage)
- **Geography:** Not specified in the report; the state-sponsored espionage framing implies international intelligence collection rather than a single region.
- **Victims:**
  - Vendors whose products were most exploited: Microsoft, Google, and Apple. These are the platforms targeted, not necessarily the organizations compromised.
  - Organizations that depend on edge devices (routers, switches, gateways) were singled out.
## Tools & Infrastructure
- **Vulnerability Targets:**
  - Enterprise software and appliances.
  - Edge devices (routers, switches, gateways).
  - Security and networking devices (nearly half of the enterprise-related zero-days).
- **Malware/Infrastructure:** Specific malware families were not named in this summary; the exploits concentrated on Microsoft, Google, and Apple ecosystems.
## Implications
- **Detection Blind Spots:** The focus on edge devices creates a significant visibility gap for defenders, because these platforms rarely support endpoint agents or host telemetry; what remains observable is their network behaviour.
- **Supply Chain Risk:** By targeting technology companies and stealing IP that feeds exploit development, these actors create a self-sustaining cycle of high-tier offensive capability.
- **Strategic Espionage:** The shift from end-user products to large enterprise targets indicates a pursuit of higher-value intelligence and deep, durable network persistence.
## Mitigations
- **Edge Device Hardening:** Prioritize patching and configuration auditing of routers, gateways, and switches precisely because they cannot run EDR; the appliance itself is the only control you have on that host.
- **Network Segmentation:** Isolate edge devices (including their management interfaces) from the core internal network so that lateral movement is limited when an edge device is compromised. Assume it will be.
- **Vulnerability Management:** Maintain a zero-day response plan specifically for enterprise networking appliances, covering vendor advisory monitoring and a tested path to emergency patching or isolation.
- **Enhanced Monitoring:** Use network traffic analysis (NTA) at chokepoints to baseline devices that cannot host an agent and alert on deviations, such as an appliance that normally only terminates connections suddenly initiating outbound sessions to new destinations, or connecting to the same host at a fixed interval.
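The two network-level checks described under Enhanced Monitoring, as an added example that is not part of the original report or Google's own tooling. It runs offline over a constructed flow export (CSV records in the shape of a NetFlow/IPFIX summary); the edge-device inventory, the destination allowlist, and all addresses are hypothetical RFC 5737 documentation values chosen for illustration.

```python
"""Network-level anomaly checks for edge appliances that cannot run an EDR agent.

Added example; the flow records below are constructed, not captured from a real network.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Assumed inventory of edge appliances (hypothetical documentation addresses).
EDGE_DEVICES = {"203.0.113.1", "192.0.2.254"}

# Hypothetical allowlist of destinations an appliance is expected to initiate on its own:
# vendor update server over HTTPS, internal NTP, internal syslog collector.
EXPECTED_DESTINATIONS = {
    ("198.51.100.10", 443),
    ("192.0.2.10", 123),
    ("192.0.2.20", 514),
}

# Constructed flow export, one record per line: timestamp,src,dst,dport,bytes
SAMPLE_FLOWS = """\
2025-03-01T10:00:00,203.0.113.1,192.0.2.10,123,76
2025-03-01T10:00:05,203.0.113.1,192.0.2.20,514,412
2025-03-01T10:01:00,203.0.113.1,198.51.100.77,443,1532
2025-03-01T10:02:00,10.0.0.5,198.51.100.77,443,9021
2025-03-01T10:06:00,203.0.113.1,198.51.100.77,443,1518
2025-03-01T10:10:00,192.0.2.254,198.51.100.10,443,30411
2025-03-01T10:11:02,203.0.113.1,198.51.100.77,443,1524
2025-03-01T10:16:00,203.0.113.1,198.51.100.77,443,1530
2025-03-01T10:21:01,203.0.113.1,198.51.100.77,443,1511
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with a datetime and integer fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def unexpected_outbound(flows, edge_devices=EDGE_DEVICES, allowlist=EXPECTED_DESTINATIONS):
    """Flows *initiated by* an edge device toward a destination not on the allowlist.

    An appliance that terminates sessions all day but suddenly originates them
    toward new hosts is the classic post-exploitation signal on gear with no
    host telemetry. Flows from ordinary hosts are ignored here on purpose.
    """
    return [f for f in flows
            if f["src"] in edge_devices and (f["dst"], f["dport"]) not in allowlist]


def find_beacons(flows, min_count=4, max_jitter=0.1):
    """Group flows by (src, dst, dport) and flag near-constant connection intervals.

    Returns (src, dst, dport, mean_interval_seconds) for each group with at least
    `min_count` connections whose interval stdev/mean is at most `max_jitter`.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for key, stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and stdev(gaps) / avg <= max_jitter:
            beacons.append((*key, avg))
    return beacons


def analyze(text):
    """Run both checks over a flow export; beaconing is only evaluated on unexpected flows."""
    flows = parse_flows(text)
    suspicious = unexpected_outbound(flows)
    return {
        "unexpected": sorted({(f["src"], f["dst"], f["dport"]) for f in suspicious}),
        "beacons": find_beacons(suspicious),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for src, dst, dport in result["unexpected"]:
        print(f"edge device {src} initiated unexpected session to {dst}:{dport}")
    for src, dst, dport, interval in result["beacons"]:
        print(f"beacon-like pattern: {src} -> {dst}:{dport} every ~{interval:.0f}s")
```

The allowlist approach works because an appliance's legitimate outbound behaviour is small and enumerable (updates, NTP, logging, licensing); anything else it originates deserves a ticket. The beacon check is deliberately restricted to already-unexpected flows so that legitimate periodic traffic such as NTP does not generate noise.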