Exploitation of Google Chrome Flaw for Espionage Tools
A recently patched zero-day vulnerability in Google Chrome has been exploited to distribute espionage software linked to the Italian IT firm Memento Labs, according to recent reports by Kaspersky.
Details of the Vulnerability
The vulnerability, tracked as CVE-2025-2783 (CVSS score: 8.3), allows a sandbox escape. It became publicly known in March 2025 and has been actively targeted in a campaign known as Operation ForumTroll, aimed primarily at organizations within Russia. The activity is also tracked as TaxOff/Team 46 by Positive Technologies and as Prosperous Werewolf by BI.ZONE, and has been in operation since at least February 2024.
How the Attack Worked
The attack involved phishing emails containing personalized links that directed recipients to the Primakov Readings forum. Opening these links in Google Chrome or any Chromium-based browser triggered the exploitation of CVE-2025-2783, allowing the attackers to escape the browser's sandbox and deploy tools created by Memento Labs.
About Memento Labs
Founded in Milan in April 2019 from the merger of InTheCyber Group and HackingTeam—known for its past involvement in selling surveillance technology—Memento Labs has a controversial history, including developing spyware to monitor users on the Tor network.
Targeted Organizations
Recent reports indicate that the phishing campaigns targeted a range of entities in Russia, including media organizations, universities, research institutions, government groups, and financial companies, primarily for espionage purposes. According to Boris Larin of Kaspersky, these were focused spear-phishing operations rather than broad attacks.
Discovery of LeetAgent
The attacks have been linked to a previously unknown spyware called LeetAgent, which uses leetspeak in its commands. The attack chain first validates the visitor through a script, then uses the vulnerability to achieve remote code execution and ultimately launch LeetAgent.
Capabilities and Connections
The malware connects to a command-and-control server and executes a variety of tasks, including running commands, reading files, and injecting shellcode. This threat has been associated with earlier malicious phishing campaigns targeting Russia and Belarus and shows identifiable traits of its operators. Notably, there are connections to another spyware known as Dante, indicating overlaps in the tactics used across these operations.