Google Threat Intelligence Group flags 2025 zero‑day surge, probes iOS exploit kit
Google Threat Intelligence Group reported 90 zero‑day exploits used in the wild in 2025—up from 78 in 2024 and only slightly below the 2023 record of 100—while also investigating a new iOS exploit kit, the Google Cloud Blog notes.
Key Facts
- Key company: Google Threat Intelligence Group
Google Threat Intelligence Group’s 2025 zero‑day tally underscores a modest rebound after a dip in 2024. The team logged 90 exploits used in the wild, up from 78 the previous year and only ten short of the 2023 peak of 100, according to the “Look What You Made Us Patch” post on the Google Cloud Blog (Charrier et al., 2026). While the raw count remains within the six‑year “60‑100” band, the composition of the attacks has shifted dramatically. Enterprise‑focused vulnerabilities surged to 43 instances – 48 % of the total – marking the highest absolute and relative share of corporate‑targeted exploits ever recorded by GTIG. By contrast, browser‑based attacks fell to historic lows, and operating‑system flaws rose in prominence, reflecting a broader industry trend toward “enterprise exploitation” first noted in 2024 (Charrier et al., 2026).
State‑sponsored actors continue to prioritize edge devices and security appliances as entry points. GTIG attributes just over half of the zero‑day activity by espionage groups to these vectors, a pattern that aligns with the “edge‑device focus” highlighted in the same Google Cloud Blog analysis. Commercial surveillance vendors (CSVs) remain active in the mobile and browser arenas, adapting their exploit chains to bypass recent hardening measures. The report cites multiple intrusions linked to the BRICKSTORM malware family, which leveraged the new zero‑days to achieve a range of objectives, though the blog truncates the description of the specific targets (Charrier et al., 2026).
Parallel to the zero‑day surge, GTIG uncovered a sophisticated iOS exploit kit dubbed “Coruna.” Detailed in the “Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit” article (Charrier et al., 2026), the kit bundles five full exploit chains and 23 individual vulnerabilities covering iOS 13.0 through iOS 17.2.1. Its core value lies in non‑public exploitation techniques and mitigation bypasses that allow attackers to compromise iPhone models released between September 2019 and December 2023. GTIG first observed Coruna in 2025 being used by a surveillance‑vendor customer in highly targeted operations, then traced its deployment to a watering‑hole campaign against Ukrainian users by UNC6353, a suspected Russian espionage group (Charrier et al., 2026).
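For a defender, the immediately actionable fact in that paragraph is the affected version range. The following is an added example (not code from the article or from Google) that triages a device inventory against the iOS 13.0 to 17.2.1 bounds stated above. The inventory, device names and the `triage` helper are constructed for illustration; the version strings are chosen to exercise the comparison and are not claims about real releases. The point it demonstrates is that version strings must be compared numerically, since plain string comparison would rank "17.10" below "17.2.1".

```python
from typing import NamedTuple

# Inclusive bounds of the affected range as stated in the article.
CORUNA_MIN = (13, 0, 0)
CORUNA_MAX = (17, 2, 1)


def parse_ios_version(s: str) -> tuple:
    """Turn '17.2.1', '17.2' or '13' into a numeric 3-tuple.

    Missing components are padded with 0, so '17.2' == (17, 2, 0).
    Raises ValueError for anything that is not 1-3 dot-separated integers.
    """
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version string: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def in_coruna_range(version: str) -> bool:
    """True if the version falls inside the range the article reports."""
    return CORUNA_MIN <= parse_ios_version(version) <= CORUNA_MAX


class Device(NamedTuple):
    name: str
    ios_version: str


def triage(devices) -> dict:
    """Bucket a fleet into exposed / out-of-range / unparseable.

    An unparseable version is reported separately rather than silently
    treated as safe, so inventory gaps surface instead of hiding exposure.
    """
    result = {"exposed": [], "out_of_range": [], "unknown": []}
    for d in devices:
        try:
            bucket = "exposed" if in_coruna_range(d.ios_version) else "out_of_range"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(d.name)
    return result


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_FLEET = [
    Device("ios-0001", "17.2.1"),  # upper bound, inclusive
    Device("ios-0002", "17.3"),    # just above the range
    Device("ios-0003", "13.0"),    # lower bound, inclusive
    Device("ios-0004", "12.5.7"),  # below the range
    Device("ios-0005", "17.10"),   # synthetic: string compare would misplace it
    Device("ios-0006", "n/a"),     # missing inventory data
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_FLEET).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The version bounds are only one half of the exposure question: the article ties the kit to iPhone models released between September 2019 and December 2023, so a complete check would also consult the hardware model field of the inventory, which this example does not model.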
The kit’s later migration to UNC6691, a financially motivated Chinese threat actor, illustrates a nascent “second‑hand” zero‑day market. GTIG notes that the pathway of Coruna’s proliferation remains opaque, but the pattern suggests that advanced exploit collections are being bought, sold, and repurposed across disparate threat actors (Charrier et al., 2026). In response, Google has added all identified malicious domains linked to Coruna to its Safe Browsing service, aiming to block further distribution and mitigate downstream infection vectors. The blog emphasizes that multiple actors have already extracted reusable exploitation techniques from Coruna, adapting them to newly discovered vulnerabilities—a warning that the kit’s impact could extend beyond the documented campaigns.
Overall, GTIG’s 2025 findings paint a picture of a threat landscape that is stabilizing in volume but evolving in sophistication and target focus. Enterprise systems now account for nearly half of all zero‑day exploitation, while state actors double down on edge‑device infiltration. At the same time, the emergence of a multi‑exploit iOS kit signals that high‑value mobile attack tools are entering a broader, more commercialized ecosystem. Google’s public disclosures and proactive Safe Browsing additions represent a rare instance of industry‑wide mitigation, but the continued rise in enterprise‑oriented zero‑days and the diffusion of advanced iOS exploits underscore the need for organizations to reassess patching cadences, endpoint detection capabilities, and threat‑intel integration.
This article was created using AI technology and reviewed by the SectorHQ editorial team for accuracy and quality.