
Operation ForumTroll Exploits Chrome Zero-Day CVE-2025-2783 in Advanced Cyberespionage Campaign

A cyberespionage operation dubbed Operation ForumTroll has been discovered exploiting a critical Chrome zero-day vulnerability (CVE-2025-2783) in targeted attacks against education, finance, media, and government organizations, primarily in Russia. The campaign used personalized phishing emails disguised as forum invitations to deliver a sandbox escape exploit that broke out of Chrome's security boundary and ultimately installed spyware capable of broad system surveillance and data exfiltration.

Chrome Sandbox Escape Vulnerability Enables System Compromise

The Operation ForumTroll campaign leveraged CVE-2025-2783, a sandbox escape in Chrome on Windows rooted in an obscure quirk of how the Windows kernel resolves pseudo handles. The flaw let attackers break out of Chrome's multi-process security architecture through the browser's inter-process communication layer, specifically the ipcz library that passes handles between sandboxed renderer processes and the privileged browser process.

The exploit showed considerable technical sophistication: it used Chrome's own Mojo and ipcz libraries, statically compiled from official sources, to talk directly to the IPC broker inside the browser process. Because the exploit spoke the browser's own protocol and performed no obviously malicious actions, traditional security solutions had little to detect, and the same approach would have worked against any Chrome installation on Windows that had not been patched.

Phishing Campaign Targets Russian Organizations and Institutions

The attack vector began with highly personalized phishing emails masquerading as invitations to the Primakov Readings scientific and expert forum, a legitimate academic event. These emails contained no language errors and demonstrated intimate familiarity with Russian cultural and institutional contexts, suggesting either native Russian speakers or extensive reconnaissance of target organizations and their communication patterns.

The malicious links embedded in these emails were extremely short-lived and personalized to avoid detection by security systems, directing victims to websites that performed sophisticated validation checks before delivering the exploit payload. The campaign specifically targeted media outlets, universities, research centers, government organizations, and financial institutions across Russia and Belarus, indicating a strategic focus on intelligence gathering from high-value targets.

“The malicious links were personalized and extremely short-lived to avoid detection. However, Kaspersky’s technologies successfully identified a sophisticated zero-day exploit that was used to escape Google Chrome’s sandbox.” – Kaspersky Security Research Team

LeetAgent Spyware Provides Comprehensive System Surveillance Capabilities

Once the Chrome sandbox was bypassed, attackers deployed LeetAgent, a spyware tool that established persistence through COM object hijacking. The malware registered its own Component Object Model entries in place of legitimate ones, so that system processes and web browsers instantiating those classes loaded a malicious DLL, which in turn decrypted and executed the main surveillance payload. COM hijacking of this kind gives the attacker persistence and code execution inside processes the victim already runs; it does not by itself grant elevated privileges.
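A defender looking for the persistence technique described above can start from the registry. The PowerShell script below is an added example, not code from the Kaspersky report or from LeetAgent: it lists per-user CLSIDs (HKCU\Software\Classes\CLSID) that define an InprocServer32 DLL, checks whether each shadows a machine-wide CLSID under HKLM (the classic hijack pattern, since the per-user key wins), and flags those whose DLL lives outside the trusted directory prefixes. The list of trusted prefixes is an assumption and should be tuned to the environment.

```powershell
# Added example (not from the Kaspersky report): hunt for InprocServer32 COM hijacks.
# Per-user CLSID registrations take precedence over machine-wide ones, so a DLL path
# written under HKCU is loaded by every process that instantiates that class.
# Trusted prefixes below are an assumption; legitimate software also registers
# per-user COM servers, so treat hits as leads, not verdicts.
$trustedPrefixes = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -and $_ -ne '\' }

function Get-ComHijackCandidates {
    $userClsidRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return }

    Get-ChildItem $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $server -or -not $server.'(default)') { return }

        # Expand %SystemRoot% etc. and strip quotes so the prefix check is meaningful.
        $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)').Trim('"')
        $shadowsMachine = Test-Path "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid"
        $trusted = $trustedPrefixes | Where-Object {
            $dll.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
        }

        [pscustomobject]@{
            CLSID       = $clsid
            Dll         = $dll
            DllExists   = Test-Path -LiteralPath $dll
            ShadowsHKLM = $shadowsMachine
            Suspicious  = [bool]($shadowsMachine -and -not $trusted)
        }
    }
}

# Show only the entries that both shadow a machine-wide class and load an unusual DLL.
Get-ComHijackCandidates | Where-Object Suspicious | Format-Table -AutoSize
```

The script inspects only the current user's hive and only InprocServer32 (the DLL-loading variant the article describes); a complete hunt would load each user's NTUSER.DAT hive under HKEY_USERS and repeat the check, and would also review LocalServer32 and TreatAs values. A DLL that does not exist on disk but is still registered is also worth a look, since it may indicate a cleaned-up or staged hijack.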

LeetAgent's capabilities include keystroke logging, file theft, remote command execution, and broad system monitoring, with tasking delivered over HTTPS from command-and-control servers. Its command identifiers are written in leetspeak, for example 0xC033A4D (COMMAND) for shell execution, 0xF17E09 (FILE) for file operations, and 0x1213C7 (INJECT) for shellcode injection. Constants like these do little to hide the malware from defenders; if anything, they give analysts a convenient fingerprint for detection rules and attribution.

Security researchers discovered significant code overlaps and infrastructure similarities connecting Operation ForumTroll to Dante spyware, a commercial surveillance tool developed by Italian company Memento Labs, formerly known as Hacking Team. The analysis revealed shared persistence mechanisms, similar file system paths, and identical techniques for hiding data within font files, suggesting the use of common toolsets or direct collaboration between threat actors.

Memento Labs represents the rebranded successor to the infamous Hacking Team, which gained notoriety for developing the Da Vinci surveillance tool before suffering a massive data breach in 2015. The company’s resurrection as Memento Labs and development of the Dante spyware platform demonstrates the continued evolution of commercial surveillance technology and its adoption by state-sponsored threat actors for intelligence operations.

Did You Know? CVE-2025-2783 was not a memory-corruption bug but a logic flaw built on a Windows behaviour that had existed for decades: the value -2 is a pseudo handle meaning "the current thread", and the kernel resolves it relative to the thread performing the operation, not the process the handle supposedly came from. When Chrome's IPC code in the browser process duplicated a handle received from the sandboxed renderer, a renderer-supplied -2 turned into a real handle to a thread inside the browser process itself, handing the sandboxed code control over a privileged process.
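The handle behaviour in the box above can be observed on any Windows machine. The PowerShell script below is an added example, not code from Kaspersky's report or from Chrome: it passes the pseudo handle -2 to DuplicateHandle and then asks which thread the resulting real handle refers to. For simplicity it performs the duplication inside a single process, whereas in the vulnerable flow the browser process performed it on behalf of the renderer; the resolution rule it shows is the same. The P/Invoke declarations wrap documented kernel32 functions and nothing else.

```powershell
# Added example (not from the Kaspersky report or the Chrome code base).
# -2 is the pseudo handle GetCurrentThread() returns. It is not a real handle, yet
# DuplicateHandle accepts it and hands back a real, fully privileged handle to the
# thread that made the call. Run on Windows as an ordinary user.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, IntPtr hSourceHandle,
        IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle, uint dwDesiredAccess,
        bool bInheritHandle, uint dwOptions);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")]
    public static extern uint GetCurrentThreadId();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetThreadId(IntPtr hThread);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $sig

$DUPLICATE_SAME_ACCESS = 0x2
$pseudoThread = [IntPtr]::new(-2)     # the "current thread" pseudo handle
$realHandle   = [IntPtr]::Zero

# In the vulnerable flow the first argument was the renderer's process handle and
# $pseudoThread came from the renderer; the kernel still resolved -2 to the caller's thread.
$ok = [Native]::DuplicateHandle([Native]::GetCurrentProcess(), $pseudoThread,
                                [Native]::GetCurrentProcess(), [ref]$realHandle,
                                0, $false, $DUPLICATE_SAME_ACCESS)
if (-not $ok) {
    throw "DuplicateHandle failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

"Pseudo handle value : $pseudoThread"
"Real handle value   : $realHandle"
"Thread behind it    : $([Native]::GetThreadId($realHandle))"
"Calling thread id   : $([Native]::GetCurrentThreadId())"
[void][Native]::CloseHandle($realHandle)
```

The two thread IDs printed at the end match: the kernel did not treat -2 as a handle to be looked up in any table but as "whoever is asking right now". Any broker that duplicates handles on behalf of a less privileged client must therefore reject pseudo handle values before calling DuplicateHandle, which is the class of check Chrome's fix added.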

Nation-State Actors Adapt Commercial Spyware for Intelligence Operations

The Operation ForumTroll campaign exemplifies the growing trend of nation-state actors leveraging commercial spyware frameworks rather than developing custom tools from scratch. This approach provides several advantages, including reduced development costs, plausible deniability through third-party attribution, and access to sophisticated capabilities that would require significant resources to develop independently.

The integration of browser zero-day exploits with commercial spyware platforms represents a significant evolution in cyberespionage tactics, combining the technical sophistication of state-sponsored exploit development with the operational capabilities of commercial surveillance tools. Advanced persistent threat detection strategies must now account for this hybrid approach that blurs traditional attribution boundaries between commercial and state-sponsored activities.

Security experts warn that this convergence of browser vulnerabilities and legacy spyware toolsets creates unprecedented challenges for enterprise and government security teams. The case demonstrates how decades-old optimization decisions in operating system design can create modern security vulnerabilities, while commercial spyware vendors continue to provide sophisticated surveillance capabilities to state-sponsored actors seeking to conduct intelligence operations with reduced attribution risks and enhanced operational security measures.

Operation ForumTroll represents a sophisticated evolution in cyberespionage tactics, demonstrating how state-sponsored threat actors are successfully integrating browser zero-day exploits with commercial spyware platforms to conduct targeted intelligence operations. The campaign’s technical sophistication, from the Chrome sandbox escape to the deployment of Memento Labs’ Dante-related toolsets, highlights the growing convergence between commercial surveillance technology and nation-state hacking capabilities, posing significant challenges for cybersecurity defenders worldwide.