Chrome Zero-Day Exploited to Deploy Memento Labs’ LeetAgent Spyware
A previously unknown vulnerability in Google Chrome, tracked as CVE-2025-2783 with a CVSS score of 8.3, has been exploited to distribute sophisticated spyware developed by the Italian firm Memento Labs. The flaw, which has since been patched, was actively used in targeted attacks against various organizations in Russia.
The Exploited Vulnerability
CVE-2025-2783 is a sandbox escape vulnerability that allows attackers to break out of Chrome’s security confines, potentially leading to remote code execution. The flaw was publicly disclosed in March 2025 after being exploited in a campaign known as Operation ForumTroll, which specifically targeted Russian entities. Security firms such as Positive Technologies and BI.ZONE have also tracked this threat under the names TaxOff/Team 46 and Prosperous Werewolf, respectively. Evidence suggests that this malicious activity has been ongoing since at least February 2024.
Attack Methodology
The attackers employed a highly targeted spear-phishing strategy. They sent personalized emails containing short-lived links that invited recipients to the Primakov Readings forum, a legitimate event. When victims clicked these links using Google Chrome or other Chromium-based browsers, the exploit for CVE-2025-2783 was triggered. This allowed the attackers to escape the browser’s sandbox environment and deploy spyware tools developed by Memento Labs.
About Memento Labs
Memento Labs, headquartered in Milan, Italy, was established in April 2019 through the merger of InTheCyber Group and HackingTeam. HackingTeam, prior to the merger, was notorious for providing offensive intrusion and surveillance capabilities to various governments, law enforcement agencies, and corporations. Their products included spyware designed to monitor activities on the Tor browser.
In July 2015, HackingTeam suffered a significant data breach, resulting in the leak of hundreds of gigabytes of internal data, including tools and exploits. Among the leaked tools was an Extensible Firmware Interface (EFI) development kit called VectorEDK, which later became the foundation for a UEFI bootkit known as MosaicRegressor. Following this breach, in April 2016, Italian export authorities revoked HackingTeam’s license to sell outside of Europe.
Targeted Entities
The recent attacks primarily focused on organizations within Russia, including media outlets, universities, research centers, government bodies, and financial institutions. The primary objective of these attacks was espionage, aiming to gather sensitive information from these entities.
Introduction of LeetAgent Spyware
A notable aspect of these attacks is the deployment of a previously undocumented spyware named LeetAgent, developed by Memento Labs. The spyware’s name derives from its use of leetspeak—a stylized form of writing that replaces letters with similar-looking numbers or symbols—in its command structure.
Attack Execution Process
The attack sequence begins with a validation phase, where a small script executed by the browser determines if the visitor to the malicious site is a genuine user with a real web browser. Once validated, the exploit for CVE-2025-2783 is activated, allowing the attackers to escape the browser’s sandbox and achieve remote code execution. This leads to the deployment of a loader responsible for launching the LeetAgent spyware.
Capabilities of LeetAgent
LeetAgent is designed to establish a connection with a command-and-control (C2) server over HTTPS, enabling it to receive and execute a variety of commands. These commands include:
– COMMAND (0xC033A4D): Execute commands using cmd.exe.
– EXEC (0xECEC): Run specified processes.
– GETTASKS (0x6E17A585): Retrieve a list of tasks that the agent is currently handling.
– KILLTASK (0xDEAD): Terminate specified tasks.
– GETINFO (0xBEEF): Collect system information from the infected machine.
– UPDATE (0xF00D): Update the spyware to a newer version.
– UNINSTALL (0xBAD): Remove the spyware from the infected system.
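The command identifiers above are fixed constants, which makes them usable as a static triage signal: a sample that contains several of them together is worth a closer look, while a single hit on a common value like 0xDEAD or 0xBAD means little. The following scanner is an added example written for this article, not code from the original report or from any vendor. It assumes the agent compares the IDs as 32-bit integers (the article does not state the width or byte order), so it searches for both little- and big-endian encodings and only flags a buffer once a minimum number of distinct commands are present. The two input buffers are constructed here for illustration.

```python
import struct
from typing import Dict, List, Tuple

# Command identifiers exactly as listed in the article (name -> ID).
LEETAGENT_COMMANDS: Dict[str, int] = {
    "COMMAND": 0xC033A4D,
    "EXEC": 0xECEC,
    "GETTASKS": 0x6E17A585,
    "KILLTASK": 0xDEAD,
    "GETINFO": 0xBEEF,
    "UPDATE": 0xF00D,
    "UNINSTALL": 0xBAD,
}


def encode_patterns(cmd_id: int) -> Dict[str, bytes]:
    # Assumption: IDs are handled as 32-bit integers in the agent binary.
    # The article gives no width or endianness, so both byte orders are tried.
    return {
        "le32": struct.pack("<I", cmd_id),
        "be32": struct.pack(">I", cmd_id),
    }


def find_command_ids(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, command_name, encoding) for every occurrence in data."""
    hits: List[Tuple[int, str, str]] = []
    for name, cmd_id in LEETAGENT_COMMANDS.items():
        for enc, pattern in encode_patterns(cmd_id).items():
            start = 0
            while True:
                idx = data.find(pattern, start)
                if idx == -1:
                    break
                hits.append((idx, name, enc))
                start = idx + 1  # continue past this match (overlaps allowed)
    hits.sort()
    return hits


def score_sample(data: bytes, min_distinct: int = 3) -> Dict[str, object]:
    """Flag a buffer only when several distinct command IDs co-occur.

    Short constants such as 0xDEAD, 0xBEEF or 0xBAD appear in plenty of
    benign code, so one isolated hit is deliberately not enough.
    """
    hits = find_command_ids(data)
    distinct = sorted({name for _, name, _ in hits})
    return {
        "hits": hits,
        "distinct_commands": distinct,
        "suspicious": len(distinct) >= min_distinct,
    }


# Constructed sample: a fake header followed by three command IDs in LE order.
SAMPLE_SUSPECT = (
    b"MZ" + b"\x90" * 8
    + struct.pack("<I", 0xC033A4D)    # COMMAND  at offset 10
    + b"\x00" * 4
    + struct.pack("<I", 0x6E17A585)   # GETTASKS at offset 18
    + b"leet"
    + struct.pack("<I", 0xBEEF)       # GETINFO  at offset 26
    + b"\x00" * 6
)

# Constructed sample: benign-looking data with a single 0xDEAD marker.
SAMPLE_BENIGN = b"\x00" * 16 + struct.pack("<I", 0xDEAD) + b"hello world" + b"\x00" * 4


if __name__ == "__main__":
    for label, buf in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        result = score_sample(buf)
        print(label, "suspicious =", result["suspicious"])
        for offset, name, enc in result["hits"]:
            print(f"  {offset:04x}  {name:<10} {enc}")
```

The threshold (`min_distinct`) is the knob that trades recall for precision; in a real triage pipeline the same idea would be expressed as a YARA rule with a `3 of them` condition, and the hit offsets would be used to locate the command dispatcher for further analysis.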
Implications and Recommendations
The exploitation of CVE-2025-2783 to deploy advanced spyware like LeetAgent underscores the evolving sophistication of cyber threats. It highlights the critical importance of maintaining up-to-date software and exercising caution with unsolicited emails, even those that appear to be from legitimate sources.
Organizations are advised to implement robust cybersecurity measures, including regular software updates, employee training on recognizing phishing attempts, and the deployment of advanced threat detection systems. By staying vigilant and proactive, entities can better protect themselves against such targeted cyber espionage campaigns.