Cyberwire Daily
Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori

By Team-CWD, October 28, 2025
A critical zero-day flaw in Google Chrome, tracked as CVE-2025-2783, has been exploited in the wild as part of a targeted espionage campaign dubbed “Operation ForumTroll.”

According to new findings from Kaspersky, the attacks have been linked to the group known as Mem3nt0 mori, also referred to as ForumTroll APT, and appear to involve tools developed by the Italian spyware vendor Memento Labs.

Sophisticated Attack Chain

The exploitation began in March 2025, when victims received highly personalized phishing emails inviting them to the Primakov Readings forum.

Clicking on the short-lived malicious links led directly to infection, requiring no further user action. The attacks primarily targeted organizations in Russia and Belarus, including universities, research centers, financial institutions and government agencies.

Kaspersky’s analysis revealed that the attackers deployed a sandbox escape exploit to compromise Chrome and other Chromium-based browsers.

The flaw stemmed from a logical oversight in Windows’ handling of pseudo handles, allowing attackers to execute code in Chrome’s browser process.

Google swiftly patched the issue in version 134.0.6998.177/.178. Firefox developers later found a related issue in their browser, addressed as CVE-2025-2857.

Espionage Tools Linked to Memento Labs

Investigators traced the malicious toolkit used in Operation ForumTroll to 2022 campaigns attributed to Mem3nt0 mori.

These attacks deployed spyware called LeetAgent, capable of:

  • Executing shellcode and commands remotely

  • Running background keyloggers

  • Stealing files with extensions such as .docx, .xlsx, and .pdf

Further analysis uncovered the use of a more advanced spyware platform known as Dante, a commercial product developed by Memento Labs (formerly Hacking Team).

The Dante malware, which evolved from Hacking Team’s earlier Remote Control Systems suite, features extensive anti-analysis techniques and encrypted communications.

Implications and Industry Response

Kaspersky’s researchers concluded that Mem3nt0 mori leveraged Dante-based components in the ForumTroll campaign, marking the first observed use of this commercial spyware in the wild.

“This exploit genuinely puzzled us because it allowed attackers to bypass Google Chrome’s sandbox protection without performing any obviously malicious or prohibited actions,” the team said.

“This was due to a powerful logical vulnerability caused by an obscure quirk in the Windows OS.”

The discovery underscores ongoing risks from state-aligned and commercial surveillance vendors. Kaspersky urged security researchers to examine other software and Windows services for similar pseudo-handle vulnerabilities.

While Chrome’s new patch closes this loophole, the case highlights the persistent overlap between espionage actors and the global spyware market – a reminder that commercial surveillance tools continue to find new life in targeted cyber operations.
