
Kaspersky has uncovered a sophisticated cyber-espionage campaign, dubbed Operation ForumTroll, that leveraged a previously unknown Google Chrome vulnerability, now tracked as CVE-2025-2783, together with a working zero-day exploit for it.
The attack began with spear-phishing emails impersonating invitations to the Primakov Readings, a high-profile Russian scientific and expert forum. “In all cases, infection occurred immediately after the victim clicked on a link in a phishing email,” Kaspersky reported. Once the malicious site opened in Google Chrome, no further action was required from the victim. Just the act of opening the link was enough for the malware to silently infiltrate the system.

Kaspersky’s detection technologies flagged the suspicious behavior in mid-March 2025, allowing researchers to quickly isolate and analyze the zero-day exploit. The payload escaped Chrome’s normally robust sandbox through a logic flaw in the handling of Mojo, Chrome’s inter-process communication (IPC) layer, on Windows; Google’s release notes describe the bug as an incorrect handle being provided in Mojo on Windows. Because the exploit performed no action that was obviously illegal or forbidden, the escape itself was hard to spot.
“This particular exploit is certainly one of the most interesting we’ve encountered,” the researchers admitted. “The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.”
Kaspersky researchers Boris Larin (@oct0xor) and Igor Kuznetsov (@2igosha) reported the flaw to Google on March 20, 2025. Google issued a patch five days later, on March 25, 2025, in Chrome version 134.0.6998.177/.178 for Windows.
According to Google’s blog, “Google is aware of reports that an exploit for CVE-2025-2783 exists in the wild.” The Chrome update is currently rolling out to users via both the Stable and Extended Stable channels.
The attack also relied on a second-stage exploit for remote code execution, which Kaspersky was unable to obtain without exposing further users to the attack. The good news, in Kaspersky’s words, is that “patching the vulnerability used to escape the sandbox effectively blocks the entire attack chain.”
The meticulous delivery method—personalized emails with rapidly expiring malicious links—and the malware’s capabilities all point toward a high-level espionage operation. “All the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack,” Kaspersky stated.
The malware’s design and deployment suggest its main objective was intelligence gathering, with targets including media outlets, educational institutions, and government organizations in Russia.
While the malicious sites used in Operation ForumTroll now redirect to the official Primakov Readings website, Kaspersky strongly cautions against clicking unfamiliar links—even those appearing to come from trusted sources.
A full technical deep-dive on the exploit chain and malware components is forthcoming. Until then, security professionals should confirm that every Windows endpoint is running Chrome 134.0.6998.177 or later, since the sandbox escape is the link in the chain that the patch removes, and should review their email filtering and link-tracking protections. Other Chromium-based browsers share the Mojo IPC layer, so check those vendors for corresponding updates as well.
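The update check described above, as an added example that is not code from Kaspersky, Google or the original article: a small Python triage script that compares installed Chrome versions against the patched Windows build the article names, 134.0.6998.177. The hostnames and version strings in the inventory are constructed; how you collect versions (the ProductVersion of chrome.exe, a software-inventory export) depends on your tooling. The one thing it demonstrates that the paragraph does not is why the comparison must be numeric: as plain strings, "134.0.6998.89" sorts after "134.0.6998.177" and an unpatched build would pass.

```python
"""Triage Chrome installs against the CVE-2025-2783 fix build.

Added example, not Kaspersky's or Google's code. The only fact taken from the
article is the patched Windows build, 134.0.6998.177 (and .178). The inventory
below is constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Minimum patched Chrome build for Windows named in the article.
PATCHED_WINDOWS_BUILD = "134.0.6998.177"

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse a Chrome-style MAJOR.MINOR.BUILD.PATCH string into integers.

    Integer comparison matters: as strings, "134.0.6998.89" sorts *after*
    "134.0.6998.177" because '8' > '1', which would wrongly mark an
    unpatched build as fixed.
    """
    v = version.strip()
    if not _VERSION_RE.match(v):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(part) for part in v.split("."))
    return major, minor, build, patch


def is_patched(installed: str, minimum: str = PATCHED_WINDOWS_BUILD) -> bool:
    """True if `installed` is at or above the fixed build."""
    return parse_version(installed) >= parse_version(minimum)


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Sort (hostname, version) pairs into patched / vulnerable / unknown.

    'unknown' holds hosts whose version string could not be parsed (empty
    inventory field, vendor-modified string, and so on); treat those as
    needing manual verification rather than silently passing them.
    """
    result: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and version values are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "134.0.6998.177"),   # exactly the fix build: patched
    ("ws-002", "134.0.6998.178"),   # the other fixed build
    ("ws-003", "134.0.6998.89"),    # older, but lexicographically "larger"
    ("ws-004", "133.0.6943.142"),   # previous major release
    ("ws-005", "135.0.7049.41"),    # a later release (constructed value)
    ("ws-006", ""),                 # inventory gap
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Feed `triage` whatever (hostname, version) pairs your inventory system exports; anything that lands in the `unknown` bucket needs a human look rather than being assumed safe.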
“We plan to publish the technical details of this vulnerability once the majority of users have installed the updated version of the browser that fixes it,” Kaspersky added.