Chrome Zero-Day CVE-2025-2783 Exploited in Targeted Cyber Espionage Attack, Kaspersky Warns of Major Security Risk

A critical Google Chrome zero-day vulnerability (CVE-2025-2783) exploited in Operation ForumTroll exposed users to spyware attacks by Memento Labs. Kaspersky urges users to update Chrome, enhance cybersecurity awareness, and protect against advanced espionage threats.

A new zero-day vulnerability in Google Chrome, CVE-2025-2783, has been exploited by hackers in an espionage operation known as "Operation ForumTroll." The campaign, which was uncovered by Kaspersky researchers, is linked to the threat group Mem3nt0 mori (ForumTroll APT) and appears to use spyware tools created by the Italian company Memento Labs, previously referred to as Hacking Team.

How the attack occurred

According to Kaspersky, the campaign began in March 2025, when victims were sent phishing emails inviting them to attend the well-known Primakov Readings conference. The emails contained malicious URLs that, when opened, automatically infected the victim's device with no further action required. The operation focused largely on Russian and Belarusian government agencies, research centres, financial institutions, and universities.

The attackers used a logical weakness in Windows' pseudo handle system to execute code inside Chrome's browser process. This novel technique enabled them to bypass Chrome's sandbox, one of the browser's primary security features. Google responded promptly, providing a security patch in version 134.0.6998.177/.178 to address the vulnerability. Soon after, Mozilla patched a similar issue in Firefox (CVE-2025-2857).
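Because the fix shipped in a specific Chrome build, the practical check for a defender is whether every managed browser is at or above 134.0.6998.177. The script below is an added example, not code from Kaspersky, Google or the article; it parses dotted version strings into integer tuples so that builds compare numerically rather than lexically, and sorts a constructed host inventory (all host names and versions are made up) into patched, exposed and unknown buckets.

```python
"""Triage a Chrome version inventory against the CVE-2025-2783 fix.

Google shipped the fix in 134.0.6998.177/.178, so any build at or above
134.0.6998.177 is treated as patched; older 134 builds and every earlier
major version are treated as exposed.
"""
from __future__ import annotations

# Lowest Chrome build that carries the fix (version taken from the article).
PATCHED_BUILD = (134, 0, 6998, 177)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints.

    Tuples compare component by component, which avoids the classic
    mistake of comparing version strings as text: lexically,
    "134.0.6998.89" would sort *after* "134.0.6998.177".
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, patched: tuple[int, ...] = PATCHED_BUILD) -> bool:
    """True if this Chrome build is at or above the first fixed build.

    A shorter tuple such as (134, 0, 6998) compares below (134, 0, 6998, 177),
    so a truncated version string is conservatively reported as exposed.
    """
    return parse_version(version) >= patched


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version inventory into patched, exposed and unknown hosts.

    Hosts whose version string cannot be parsed are listed separately so
    they are never silently counted as safe.
    """
    result: dict[str, list[str]] = {"patched": [], "exposed": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "patched" if is_patched(version) else "exposed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory: host names and versions are made up for
# illustration and do not describe any real deployment.
SAMPLE_INVENTORY = {
    "ws-finance-01": "134.0.6998.89",    # 134 branch, before the fix
    "ws-finance-02": "134.0.6998.177",   # first fixed build
    "ws-research-07": "134.0.6998.178",  # second fixed build
    "ws-research-08": "135.0.7049.42",   # later major version, carries the fix
    "ws-legacy-03": "133.0.6943.141",    # older major version, exposed
    "ws-kiosk-11": "unknown",            # inventory agent returned no version
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

Feed `triage_inventory` whatever your endpoint management tool exports as host-to-version pairs; the "unknown" bucket is the list to chase first, since a host that cannot report its browser version cannot be assumed patched either.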

Spyware tools linked to Memento Labs

Researchers found that the attackers used two powerful spyware programs, LeetAgent and Dante, both associated with Memento Labs.

  • LeetAgent can run remote commands, record keystrokes, and steal files like .docx, .xlsx, and .pdf.
  • Dante, a more advanced spyware platform, evolved from Hacking Team’s earlier Remote Control Systems suite. It includes anti-detection features, encrypted communication, and deep system access, making it difficult to trace.

This marks the first known case of Dante spyware being used in active cyber espionage.

Why this matters

Experts believe this attack highlights the growing overlap between government-backed hackers and commercial spyware vendors. Kaspersky warned that similar Windows pseudo-handle vulnerabilities might exist in other applications, urging developers and security researchers to investigate further.

While Google’s patch now protects Chrome users, the incident serves as a reminder that even the most secure browsers can be exploited through advanced zero-day attacks. Users are advised to update Chrome immediately and stay alert to phishing campaigns distributing malware through social engineering.

This campaign shows how even trusted platforms like Google Chrome can be exploited through advanced spyware. The incident highlights the urgent need for regular software updates and stronger cybersecurity awareness. As cyber threats evolve, proactive protection remains the best defence against modern espionage attacks.

This article is based on information from Infosecurity Magazine.