← Back to Security Blog
Research & Analysis 2026년 3월 7일 9분 읽기

Google 제로데이 보고서 2025: 90건 악용, 기업 타겟팅 급증

Google Threat Intelligence Group's annual zero-day analysis reveals 90 취약점 익스플로잇ed 실전에서 during 2025 — with nearly half targeting enterprise security products, networking appliances, and cloud infrastructure. Spyware vendors and China-linked APTs dominate attribution. Meanwhile, a 3.4-million-patient healthcare breach and new fileless 악성코드 campaigns demonstrate why continuous 취약점 scanning is no longer optional.


📊 Google 2025 제로데이 현황: 주요 수치

💡 Annual Zero-Day Tracking by GTIG

Google Threat Intelligence Group (GTIG) tracks zero-day 취약점 익스플로잇ed 실전에서 each year. The 2025 report marks one of the highest years on record, with 90 zero-days confirmed 익스플로잇ed — up from 73 in 2024 and approaching 2021's peak of 97.

The Enterprise Shift

The most significant finding: approximately 45 of the 90 zero-days (50%) directly targeted enterprise products rather than consumer endpoints. This represents a dramatic shift from previous years when browsers and mobile operating systems dominated the zero-day 익스플로잇ation landscape.

Category Zero-Days (2025) Percentage Trend vs 2024
Enterprise Security 제품s ~20 22% 🔺 Up significantly
Networking/VPN Appliances ~15 17% 🔺 Up
Cloud/SaaS Platforms ~10 11% 🔺 Up
Mobile OS (iOS/Android) ~18 20% 🔻 Down
Browsers ~12 13% 🔻 Down
Desktop OS ~15 17% ➡️ Stable

Attribution: Who's Exploiting Zero-Days?

Less than half of the 90 zero-days could be attributed to specific 위협 행위자s, but the leading groups paint a clear picture:

⚠️ Top Zero-Day Exploiters in 2025

1. Commercial spyware vendors — NSO Group, Intellexa, and newer entrants continue to dominate zero-day 익스플로잇ation, accounting for roughly 30% of attributed zero-days.
2. China-linked APT groups — Multiple Chinese state-backed groups (Salt Typhoon, Volt Typhoon, APT41) 익스플로잇ed enterprise-focused zero-days targeting networking equipment and cloud platforms.
3. Russia-linked groups — Focused primarily on Ukrainian and European targets using zero-days in Microsoft products.
4. 아니오rth Korea — Increasingly sophisticated, targeting cryptocurrency platforms and developer tools.

Why Enterprise 제품s Are 아니오w the Primary Target

Several factors explain the shift toward enterprise targeting:


🏥 TriZetto 의료 침해: 340만 환자 정보 노출

⚠️ Massive Healthcare 데이터 노출

TriZetto Provider Solutions (a Cognizant subsidiary) disclosed a data breach affecting 3,433,965 individuals. Attackers had unauthorized access for nearly a year — from 아니오vember 2024 to October 2025.

Breach Timeline

날짜 Event
아니오vember 19, 2024 Unauthorized access begins
October 2, 2025 Suspicious activity detected
December 9, 2025 Affected providers notified
February 2026 Customer notifications begin
March 6, 2026 Maine AG filing confirms 3.4M affected

Exposed Data Types

The 317-day dwell time (from 초기 접근 to detection) is particularly alarming and underscores the need for continuous monitoring and automated threat detection. Cognizant previously faced scrutiny after the 2020 Maze 랜섬웨어 incident and a Scattered Spider-related breach through its help desk.


🦠 VOID#GEIST: 파일리스 다단계 악성코드 캠페인

⚠️ Advanced Fileless Attack Chain

Securonix researchers have documented VOID#GEIST, a sophisticated multi-stage 악성코드 campaign that delivers XWorm, AsyncRAT, and Xeno RAT through fileless execution techniques.

Attack Chain Breakdown

  1. 초기 접근 — Batch script fetched from TryCloudflare domain via 피싱 email
  2. Decoy display — Chrome opens a fake financial PDF in full-screen as visual distraction
  3. Hidden execution — PowerShell re-executes the batch script with -WindowStyle Hidden
  4. Persistence — Startup directory placement (no registry modifications, no 권한 상승)
  5. Payload fetch — ZIP archives downloaded containing encrypted shellcode and a Python loader
  6. In-memory execution — Python runtime decrypts and injects shellcode via Early Bird APC injection into explorer.exe

💡 Why This Matters

The VOID#GEIST campaign represents a broader industry shift from standalone executables toward modular, script-based delivery frameworks. Each stage appears innocuous in isolation, mimicking legitimate administrative activity. The use of a legitimate embedded Python runtime from python.org eliminates dependencies and evades application allowlisting.

Delivered Payloads

RAT Capabilities Encrypted File
XWorm Full remote access, keylogging, screen capture, persistence new.bin
AsyncRAT Asynchronous C2 communication, plugin extensibility, 자격 증명 theft pul.bin
Xeno RAT Open-source RAT with HVNC, microphone/webcam access xn.bin

🌐 Cisco SD-WAN & Rockwell ICS: 추가 활성 익스플로잇

Cisco Catalyst SD-WAN

Cisco has confirmed that two recently patched Catalyst SD-WAN 취약점 — CVE-2026-20128 and CVE-2026-20122 — are now being 실전에서 활성 악용 중. 다음을 운영하는 조직은 affected SD-WAN configurations should apply patches immediately or implement the recommended 임시 해결책s.

Rockwell Automation ICS 취약점

A Rockwell Automation 취약점 originally disclosed and mitigated in 2021 has been confirmed as actively 익스플로잇ed in attacks targeting industrial control systems. This highlights a persistent challenge in OT/ICS environments: even when patches exist, they often aren't applied due to operational constraints and downtime concerns.

⚠️ ICS/OT Risk

If your organization runs Rockwell programmable logic controllers (PLCs), verify patch status immediately. Remote 익스플로잇ation of ICS systems can lead to physical process manipulation, safety system bypasses, and operational disruption.


🔒 LeakBase 포럼 폐쇄 — 142,000명 사용자

In a positive development, the LeakBase cybercrime forum has been shut down by law enforcement, with suspects arrested. The stolen 자격 증명 marketplace had been active since 2021 and hosted 142,000 registered users trading in compromised 자격 증명, personal data, and breach databases.

While takedowns provide temporary disruption, history shows that displaced users typically migrate to alternative forums within weeks. 조직은 해야 합니다 use this window to:


🛡️ 권장 조치

For Enterprise 보안팀

  1. Prioritize enterprise product patching — VPN appliances, firewalls, and security products are now primary zero-day targets
  2. Deploy continuous automated scanning — Manual 취약점 assessments cannot keep pace with 90+ zero-days annually
  3. 모니터링 for fileless execution patterns — Look for PowerShell hidden windows, Python runtime downloads, and APC injection signatures
  4. Reduce dwell time — The TriZetto breach's 317-day dwell time shows the cost of delayed detection
  5. Patch ICS/OT systems — Old 취약점 in Rockwell and similar systems are being actively 익스플로잇ed years after disclosure

For 의료 기관

  1. Audit web portal security — TriZetto's breach originated through a web portal handling insurance eligibility data
  2. Implement network segmentation — Limit blast radius of any single compromise
  3. Deploy behavioral analytics — Detect unauthorized access patterns, especially for databases containing PHI
  4. Review third-party vendor security — Your vendor's security posture is your security posture

Don't Wait 317 Days to Detect a Breach

KENSAI's continuous automated pentesting scans your infrastructure around the clock — finding 취약점 before attackers 익스플로잇 them, including zero-days in enterprise products.

Start Free Security Scan

Stay vigilant. Stay protected.

🗡️ KENSAI Threat Intelligence Team