There are a couple of manner ins which criminals can acquire zero-day malware:
1. They can buy it on the black market.
2. They can produce it themselves.
3. They can steal it from a legitimate company or individual.
4. They can find it in the wild.
The most common way that criminals obtain zero-day malware is by buying it on the black market. There are a variety of black markets that sell zero-day malware, and the prices can vary depending upon the need and the elegance of the malware.
https://scarabnet.org/?p=500 Wrongdoers can also produce zero-day malware themselves, although this is less typical. In order to do this, they would need to have a great understanding of computer security and exploits.
Another way that wrongdoers can obtain zero-day malware is by stealing it from a legitimate company or person. This can be done by hacking into a company's network and taking the malware, or by social engineering a business or person into providing them the malware.
Finally, lawbreakers can find zero-day malware in the wild. This usually happens when a security scientist finds a new vulnerability and writes a make use of for it. The scientist might then offer the exploit to a criminal group, or the make use of might be leaked online.