To explain your comment a bit: It should be 0 day AND a rootkit, not OR. Plus the rootkit is not always needed or possible.
Also the people talking about “burning zero days”… every time you use an exploit (ignoring the exact meaning of 0 days) it doesn’t become burned by the first person. The hacker could use it on hundreds of people before it’s discovered and patched by whatever software it targets. That could take months.
It can certainly be "or": rootkits can come from your machine's supply chain, and lie mostly dormant for many months or years before activation. Rootkits can get installed after a non-zero-day-entrypoint vector e.g. simply tricking the user into running downloaded malware. etc.
Also the people talking about “burning zero days”… every time you use an exploit (ignoring the exact meaning of 0 days) it doesn’t become burned by the first person. The hacker could use it on hundreds of people before it’s discovered and patched by whatever software it targets. That could take months.