Researchers at Kaspersky uncovered a sophisticated espionage campaign exploiting a zero-day vulnerability in Google Chrome and delivering commercial spyware linked to the Italian company Memento Labs, formerly known as Hacking Team.
Dubbed Operation ForumTroll, the campaign began with personalized phishing emails that invited recipients to the Primakov Readings, a well-known Russian scientific forum. Simply visiting the malicious website was enough to infect the victim. As Kaspersky explains, "No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough."
The phishing emails were meticulously crafted and written in authentic Russian, targeting media outlets, universities, research centers, financial institutions, and government organizations across Russia. Each email contained a unique, short-lived phishing link designed to bypass detection.
According to Kaspersky, "The malicious emails sent by the attackers were disguised as invitations from the organizers of the Primakov Readings scientific and expert forum. These emails contained personalized links to track infections."
The campaign's professionalism and language proficiency suggest regional expertise, though "mistakes in some cases suggest that the attackers were not native Russian speakers," the report notes, a sign of deliberate masquerade.

Kaspersky's investigation revealed a previously unknown Chrome zero-day (CVE-2025-2783) that allowed the attackers to escape Chrome's sandbox using an obscure Windows API flaw.
The exploit abused pseudo-handles such as -2 returned by GetCurrentThread(), which were not properly validated by Chrome's interprocess communication (IPC) mechanisms. This logical oversight enabled attackers to escalate privileges from a sandboxed renderer to the browser process.
As Kaspersky describes, "This exploit genuinely puzzled us because it allowed attackers to bypass Google Chrome's sandbox protection without performing any obviously malicious or prohibited actions. This was due to a powerful logical vulnerability caused by an obscure quirk in the Windows OS."
The vulnerability has since been patched in Chrome 134.0.6998.177/.178, with the fix credited to Kaspersky. Interestingly, Mozilla later discovered a similar issue, releasing CVE-2025-2857 for Firefox.
Kaspersky notes, "When pseudo handles were first introduced, they simplified development and helped squeeze out extra performance... Now, decades later, that outdated optimization has come back to bite us."
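To make the logic flaw concrete from the defender's side, here is an added, simplified model of a privileged broker that receives handle values from a sandboxed sender over IPC. It is constructed for this article and is not Chrome's or Windows' code; only the two pseudo-handle values (-1 for GetCurrentProcess, -2 for GetCurrentThread) are documented Windows constants, and the handle table, object names and the `Broker` class are assumptions. The unchecked path shows why accepting a pseudo-handle is dangerous: the value resolves in the broker's own context rather than the sender's. The checked path rejects pseudo-handles and anything the sender does not actually own, including 32-bit sign-extended encodings of the same values.

```python
"""Model of a broker-side handle check for values received over IPC.

Constructed example for illustration; not Chrome or Windows code.
"""
from dataclasses import dataclass, field

# Documented Windows pseudo-handle values (kernel32). A pseudo-handle is a
# sentinel, not an index into any process's handle table.
PSEUDO_HANDLES = {
    -1: "GetCurrentProcess()",
    -2: "GetCurrentThread()",
}


def to_signed(raw: int, bits: int = 64) -> int:
    """Interpret a raw handle value of the given width as a signed integer.

    HANDLE is pointer-sized, so 0xFFFFFFFFFFFFFFFE on 64-bit Windows and
    0xFFFFFFFE on 32-bit Windows both denote -2.
    """
    raw &= (1 << bits) - 1
    return raw - (1 << bits) if raw & (1 << (bits - 1)) else raw


def pseudo_handle_name(raw: int, bits: int = 64):
    """Return the API name for a pseudo-handle value, or None if it is not one."""
    return PSEUDO_HANDLES.get(to_signed(raw, bits))


@dataclass
class Broker:
    """Privileged browser-side process handling handles sent by a sandboxed peer."""
    own_thread: str = "broker-main-thread"  # assumed name for the broker's own object
    # Handles the sandboxed sender legitimately owns (constructed table).
    sender_table: dict = field(default_factory=lambda: {
        0x1C: "renderer-shared-memory",
        0x44: "renderer-file",
    })

    def resolve_unchecked(self, raw: int):
        """Vulnerable behaviour: a pseudo-handle is accepted and resolves in the
        broker's own context, handing the sender a privileged object."""
        if pseudo_handle_name(raw):
            return self.own_thread
        return self.sender_table.get(raw)

    def resolve_checked(self, raw: int):
        """Hardened behaviour: reject pseudo-handles outright, then require the
        value to be a real entry in the sender's own handle table."""
        name = pseudo_handle_name(raw)
        if name:
            raise ValueError(f"pseudo-handle {to_signed(raw):#x} ({name}) rejected")
        if raw not in self.sender_table:
            raise ValueError(f"handle {raw:#x} not owned by sender")
        return self.sender_table[raw]


if __name__ == "__main__":
    broker = Broker()
    print("unchecked:", broker.resolve_unchecked(-2))   # broker's own thread leaks
    print("checked  :", broker.resolve_checked(0x1C))   # legitimate sender handle
    try:
        broker.resolve_checked(0xFFFFFFFFFFFFFFFE)      # -2 as raw 64-bit value
    except ValueError as err:
        print("checked  :", err)
```

The point of the model is that the check must happen on the receiving, privileged side and must treat the handle as an opaque value to be validated, not as something the sender can be trusted to describe.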
After exploiting the browser, the attackers deployed a multi-stage loader chain beginning with a "validator" script that used the WebGPU API to verify human visitors. This validator performed elliptic-curve key exchange (ECDH) and decrypted the next payload hidden in fake JavaScript and font files.
Persistence was established using COM hijacking, a technique that overrides legitimate CLSID registry entries to execute malicious DLLs. The loader decrypted the final payload only when running within specific system processes, increasing stealth.
Kaspersky explains, "The attackers used this technique to override the CLSID of twinapi.dll and cause system processes and web browsers to load the malicious DLL."
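The persistence technique above is detectable because it relies on a per-user CLSID registration taking precedence over the machine-wide one for non-elevated processes. Below is an added detection example, written for this article rather than taken from Kaspersky's report, that parses a constructed `.reg` export excerpt and flags HKCU `InprocServer32` entries that either shadow an HKLM registration of the same CLSID or point at a DLL outside trusted install locations. The GUIDs, user path and DLL names in the sample are constructed; `twinapi.dll` is used as the hijacked filename only because the article names it.

```python
"""Flag COM hijacking candidates in a .reg export.

Constructed example for illustration; the sample data below is not real.
"""
import re

# Constructed .reg excerpt: an HKLM entry for a system COM server, an HKCU entry
# for the same CLSID pointing at a user-writable DLL (the hijack), and a benign
# per-user registration in Program Files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\twinapi.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\twinapi.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\VendorApp\\vendor.dll"
'''

KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+)\\(.+)\]$')
CLSID_RE = re.compile(r'Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$', re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Locations a non-admin user normally cannot write to (assumed baseline).
TRUSTED_PREFIXES = (r'c:\windows\system32', r'c:\windows\syswow64', r'c:\program files')


def parse_inproc_servers(reg_text: str) -> dict:
    """Return {(hive, CLSID): dll_path} for every InprocServer32 default value."""
    servers = {}
    current = None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            hive, path = key.groups()
            clsid = CLSID_RE.search(path)
            current = (hive, clsid.group(1).upper()) if clsid else None
            continue
        default = DEFAULT_RE.match(line)
        if default and current:
            # .reg files escape backslashes in string values; undo that.
            servers[current] = default.group(1).replace('\\\\', '\\')
    return servers


def find_hijacks(servers: dict) -> list:
    """Return [(CLSID, dll_path, [reasons])] for suspicious HKCU registrations."""
    findings = []
    for (hive, clsid), dll in servers.items():
        if hive != 'HKEY_CURRENT_USER':
            continue
        reasons = []
        if ('HKEY_LOCAL_MACHINE', clsid) in servers:
            reasons.append('shadows the HKLM registration of the same CLSID')
        if not dll.lower().startswith(TRUSTED_PREFIXES):
            reasons.append('DLL outside trusted install locations')
        if reasons:
            findings.append((clsid, dll, reasons))
    return findings


if __name__ == "__main__":
    for clsid, dll, reasons in find_hijacks(parse_inproc_servers(SAMPLE_REG)):
        print(f"{clsid} -> {dll}")
        for reason in reasons:
            print(f"    {reason}")
```

On a live host the same logic applies to an export of `HKCU\Software\Classes\CLSID` (for example from `reg export`), and the shadowing check is the stronger signal: a user-writable key that duplicates a CLSID already registered machine-wide is exactly the condition the technique depends on.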
The decrypted payload, named LeetAgent, acted as the spyware component of the campaign. Its command identifiers were humorously written in leetspeak, such as 0x6177 (KILL) and 0xF17E09 (FILE), giving the malware its name.
LeetAgent executed remote commands, performed keylogging, and exfiltrated sensitive documents with extensions like .doc, .xls, .pdf, and .pptx. Communication with command-and-control (C2) servers occurred via HTTPS with obfuscation layers, often leveraging Fastly's CDN infrastructure.
In a major revelation, Kaspersky traced the campaign's secondary payloads to Dante, a commercial spyware product developed by Memento Labs, the rebranded successor of Hacking Team.
The analysts wrote, "After analyzing this previously unknown, sophisticated spyware, we were able to identify it as commercial spyware called Dante, developed by the Italian company Memento Labs."
Like Hacking Team's infamous Remote Control Systems (RCS) spyware, Dante is engineered for covert surveillance, featuring VMProtect packing, anti-debugging, anti-sandbox checks, and modular architecture. It decrypts its configuration data using XOR and AES-256-CBC, with the encryption key bound to the victim machine's hardware ID.
Kaspersky points out, "Why did the authors name it Dante? This may be a nod to tradition, as RCS spyware was also known as 'Da Vinci'. But it could also be a reference to Dante's Divine Comedy, alluding to the many 'circles of hell' that malware analysts must pass through when detecting and analyzing the spyware."
Through overlapping infrastructure, persistence methods, and code similarities, Kaspersky linked LeetAgent and Dante to the same ForumTroll APT group. The company observed similar attacks dating back to 2022, primarily targeting entities in Russia and Belarus.
While the attackers demonstrated strong regional awareness, Kaspersky's linguistic and infrastructure analysis suggests foreign actors using commercial spyware as part of a state-aligned or mercenary espionage operation.