Chrome Zero-Day Vulnerability Exploited by Mem3nt0 Mori Hacker Group

In March 2025, cybersecurity researchers from Kaspersky identified a critical zero-day vulnerability in Google Chrome, designated as CVE-2025-2783. This flaw was actively exploited by the notorious hacker group Mem3nt0 Mori to compromise high-profile targets in Russia and Belarus. The vulnerability allowed attackers to bypass Chrome’s sandbox protections with minimal user interaction, leading to the deployment of sophisticated spyware.

Technical Details of CVE-2025-2783

CVE-2025-2783 is a high-severity vulnerability with a CVSS score of 9.8. It involves incorrect handle validation in Chrome’s Mojo inter-process communication (IPC) system on Windows platforms. This flaw enabled attackers to escape the browser’s sandbox environment, allowing arbitrary code execution and facilitating espionage activities through spyware deployment.

Attack Methodology: Operation ForumTroll

The exploitation campaign, dubbed Operation ForumTroll by Kaspersky, targeted entities such as media outlets, universities, government agencies, and financial institutions. The attackers employed highly personalized phishing emails, crafted in Russian, masquerading as invitations to the prestigious Primakov Readings forum. These emails contained links to malicious websites that, when visited, triggered the exploit without requiring further user interaction.

Exploitation Process

The attack chain was meticulously designed and unfolded in several stages:

1. Victim Validation: Once the link in the phishing email was opened, an initial script used WebGPU to confirm that a real browser was rendering the page, screening out automated security scanners and sandboxes before any exploit code was served.

2. Payload Decryption: After validation, an elliptic-curve Diffie-Hellman key exchange with the attacker's server derived the key used to decrypt the next-stage payload, which was concealed inside seemingly benign files such as JavaScript bundles and fonts.

3. Sandbox Escape: The exploit targeted Chrome's Mojo IPC system, abusing a logic flaw in which the code failed to properly validate pseudo-handles, such as -2 (the Windows pseudo-handle for the current thread). Because of this oversight, a handle could be duplicated across the sandbox boundary, leading to shellcode execution in the privileged browser process and the establishment of malware persistence.

4. Malware Deployment: The attackers employed COM hijacking by modifying Windows registry entries for legitimate components like twinapi.dll. This ensured that the malware executed within processes such as rdpclip.exe.

5. Spyware Activation: The final payload, obfuscated with OLLVM and encrypted using a modified ChaCha20 algorithm, decrypted into LeetAgent. This rare spyware utilized leetspeak commands to perform tasks like keylogging, file theft (focusing on documents, PDFs, and spreadsheets), and process injection. Configuration data was retrieved over HTTPS from command-and-control servers hosted on Fastly.net, with extensive traffic obfuscation indicating potential commercial origins.
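The COM hijacking described in step 4 works because COM consults HKCU\Software\Classes before HKLM\Software\Classes, so a per-user CLSID registration silently overrides the machine-wide one, and any process that instantiates that class (rdpclip.exe in this campaign) loads the attacker's DLL. The following PowerShell is an added hunting example written for this article; it is not code from Kaspersky or from the report, and the trusted-directory list and output fields are assumptions. It enumerates every user-level InprocServer32 registration and flags those that shadow an HKLM entry, point outside the usual system and program directories, or reuse the file name of a legitimate system DLL (twinapi.dll being the one named above) from an unexpected location.

```powershell
# Added example (not from the original report): hunt for per-user COM registrations
# that hijack machine-wide ones. Trusted roots and field names are assumptions.

$trustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-TrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Strip quotes and expand %SystemRoot%-style variables before comparing.
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"')).ToLowerInvariant()
    foreach ($root in $trustedRoots) {
        if ($p.StartsWith($root + '\')) { return $true }
    }
    return $false
}

function Get-ComServerPath {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    # The DLL path lives in the key's default value, exposed as '(default)'.
    return (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'(default)'
}

function Find-UserComHijack {
    $findings = @()
    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return $findings }

    foreach ($clsidKey in Get-ChildItem $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid      = $clsidKey.PSChildName
        $userDll    = Get-ComServerPath (Join-Path $clsidKey.PSPath 'InprocServer32')
        if (-not $userDll) { continue }
        $machineDll = Get-ComServerPath "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"

        $shadowsMachine = $null -ne $machineDll
        $untrustedPath  = -not (Test-TrustedPath $userDll)
        # A user DLL that borrows the name of the HKLM DLL (e.g. twinapi.dll) but
        # lives in a different directory is the classic look-alike hijack.
        $nameCollision = $false
        if ($shadowsMachine) {
            $userName    = [IO.Path]::GetFileName($userDll.Trim('"'))
            $machineName = [IO.Path]::GetFileName($machineDll.Trim('"'))
            $nameCollision = ($userName -ieq $machineName) -and
                             ($userDll.Trim('"') -ine $machineDll.Trim('"'))
        }

        if ($shadowsMachine -or $untrustedPath) {
            $findings += [pscustomobject]@{
                CLSID          = $clsid
                UserDll        = $userDll
                MachineDll     = $machineDll
                ShadowsMachine = $shadowsMachine
                UntrustedPath  = $untrustedPath
                NameCollision  = $nameCollision
            }
        }
    }
    return $findings
}

Find-UserComHijack |
    Sort-Object NameCollision, ShadowsMachine -Descending |
    Format-Table -AutoSize
```

Run it in the context of each interactive user, since HKCU is per profile; for fleet-wide sweeps, walk HKU\<SID>\Software\Classes\CLSID instead. Expect some benign hits from per-user application installs, so treat ShadowsMachine combined with NameCollision or UntrustedPath as the high-confidence signal, and pair it with process telemetry showing rdpclip.exe or other system processes loading a DLL from a user-writable path.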

Connections to Commercial Spyware

Further analysis revealed that LeetAgent’s loader shared code with Dante, an elusive commercial spyware developed by the Italian firm Memento Labs, formerly known as Hacking Team. Dante, unveiled at the 2023 ISS World conference, featured advanced obfuscation techniques, anti-debugging measures, and dynamic API resolution to evade detection. Its orchestrator managed modules encrypted with AES-256, using machine-bound keys derived from CPU IDs and product keys, stored in Base64-named folders under %LocalAppData%.

Implications and Recommendations

The discovery of this vulnerability underscores the persistent threats posed by sophisticated hacker groups and the potential for commercial spyware tools to be repurposed for malicious activities. Users are strongly advised to update Google Chrome to version 134.0.6998.177 or later to mitigate this vulnerability. Additionally, enabling enhanced safe browsing features and remaining vigilant against phishing attempts are crucial steps in safeguarding against such exploits.
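As a concrete version check to go with the update advice above, the following PowerShell is an added example written for this article (not code from Google, Kaspersky or the original page). It compares each Chrome binary found in the standard per-machine and per-user install locations (assumed paths) against the first fixed build named above, 134.0.6998.177, using PowerShell's System.Version comparison so that four-part build numbers compare numerically rather than as strings.

```powershell
# Added example (not from the original article): report whether installed Chrome
# builds are at or above the first version that fixes CVE-2025-2783.
# Install paths below are the usual defaults and are assumptions.

$fixedVersion = [version]'134.0.6998.177'

function Get-InstalledChromeVersions {
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    foreach ($exe in $candidates) {
        if (Test-Path $exe) {
            # ProductVersion on chrome.exe is the four-part build, e.g. 134.0.6998.177.
            $raw = (Get-Item $exe).VersionInfo.ProductVersion
            [pscustomobject]@{ Path = $exe; Version = [version]$raw }
        }
    }
}

function Test-ChromePatched {
    param([version]$Installed, [version]$Fixed = $fixedVersion)
    # System.Version compares major, minor, build and revision numerically.
    return $Installed -ge $Fixed
}

$found = @(Get-InstalledChromeVersions)
if ($found.Count -eq 0) {
    'No Chrome installation found in the default locations.'
}
foreach ($c in $found) {
    $status = if (Test-ChromePatched -Installed $c.Version) { 'patched' } else { 'VULNERABLE - update' }
    '{0}  {1}  {2}' -f $c.Version, $status, $c.Path
}
```

One caveat a practitioner should keep in mind: Chrome's updater writes the new binary to disk while the old build keeps running until the browser is relaunched, so an on-disk version of 134.0.6998.177 or later does not by itself prove the running process is patched. Confirm with chrome://version on the endpoint or with process telemetry, and remember that the flaw is in Mojo on Windows, so this check matters most on Windows fleets.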