In a chilling demonstration of how quickly advanced spyware can weaponise a single browser flaw, researchers have confirmed that a previously unknown zero-day vulnerability in Google Chrome was actively exploited in targeted espionage attacks — and that the operation appears tied to a resurfaced surveillance-tool vendor based in Italy.
The flaw and its exploitation
The vulnerability, officially tracked as CVE‑2025‑2783, is described in the U.S. National Vulnerability Database as an “incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows before version 134.0.6998.177” — allowing a remote attacker to perform a sandbox escape via a malicious file. In plain terms: Chrome’s built-in sandboxing mechanism, designed to isolate web content and limit what malicious code can do, was bypassed by the attackers — giving them a foothold deep inside the browser, and ultimately the host system.
According to multiple vendor advisories, the exploit was in the wild. It appears Google issued a patch in March 2025 for the flaw, but the window of exploitation may have been significantly wider.
A refined espionage campaign
Security firm Kaspersky (GReAT team) has attributed the campaign exploiting CVE-2025-2783 to an operation they call Operation ForumTroll — one which targeted organisations in Russia and Belarus and used highly tailored phishing lures and browser-based drive-by compromises.
Victims received impeccably crafted emails, often mimicking invitations to the “Primakov Readings” forum (a real or plausible high-level conference) and were lured to malicious web pages. In some cases, merely visiting the link in Chrome was enough to trigger the exploit — the user did not have to download or click additional payloads beyond the initial link.
Technical Exploit Chain
The attack sequence reportedly included the following components:
- Browser Validation: A script first confirmed that the visitor was a real, legitimate browser, so that the exploit was withheld from analysis sandboxes and automated scanning tools.
- Payload Delivery: Upon validation, an elliptic-curve Diffie-Hellman handshake decrypted the next-stage payload concealed within benign-looking assets such as JavaScript bundles and font files.
- Sandbox Escape: The exploit chain manipulated internal browser components (e.g., the V8 engine inspector and the ipcz library) to relay handles across sandbox boundaries.
- Process Hijacking: The attackers suspended and hijacked the browser process to inject a persistent loader.
- Persistence Mechanisms: The loader employed Windows registry and COM hijacking, overwriting legitimate DLL entries (e.g., twinapi.dll) to execute within trusted processes such as rdpclip.exe.
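The per-user COM hijack described in the last step leaves a recognisable footprint: an HKCU InProcServer32 registration that shadows a machine-wide CLSID, or a DLL carrying a system library's name (such as twinapi.dll) but loaded from outside System32. The following detector is an added defensive example, not part of the article or of Kaspersky's research; the CLSIDs and paths it checks are constructed placeholders, and in practice the entries would be enumerated from the live registry.

```python
import ntpath
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"


@dataclass(frozen=True)
class ComServer:
    hive: str       # "HKLM" (machine-wide) or "HKCU" (per-user)
    clsid: str
    dll_path: str   # InProcServer32 default value


def under_system32(path: str) -> bool:
    """True if the DLL path lies inside %SystemRoot%\\System32."""
    return ntpath.normpath(path).lower().startswith(SYSTEM32 + "\\")


def find_com_hijacks(entries):
    """Return (clsid, dll_path, reasons) for HKCU InProcServer32 registrations that
    either shadow an HKLM CLSID with a different DLL (COM consults HKCU\\Software\\Classes
    before HKLM for non-elevated callers, so the user-hive DLL wins) or reuse the file
    name of a System32 DLL from a location outside System32."""
    machine = {e.clsid.lower(): e for e in entries if e.hive == "HKLM"}
    system_names = {ntpath.basename(e.dll_path).lower()
                    for e in machine.values() if under_system32(e.dll_path)}
    findings = []
    for e in entries:
        if e.hive != "HKCU":
            continue
        reasons = []
        shadowed = machine.get(e.clsid.lower())
        if shadowed and shadowed.dll_path.lower() != e.dll_path.lower():
            reasons.append("HKCU entry shadows HKLM CLSID with a different DLL")
        name = ntpath.basename(e.dll_path).lower()
        if name in system_names and not under_system32(e.dll_path):
            reasons.append(f"{name} loaded from outside System32")
        if reasons:
            findings.append((e.clsid, e.dll_path, reasons))
    return findings


# Constructed sample registrations; the CLSIDs are placeholders, not real ones.
SAMPLE = [
    ComServer("HKLM", "{00000000-AAAA-0000-0000-000000000001}", r"C:\Windows\System32\twinapi.dll"),
    ComServer("HKCU", "{00000000-AAAA-0000-0000-000000000001}", r"C:\Users\alice\AppData\Local\Temp\twinapi.dll"),
    ComServer("HKLM", "{00000000-AAAA-0000-0000-000000000002}", r"C:\Windows\System32\shell32.dll"),
    ComServer("HKCU", "{00000000-AAAA-0000-0000-000000000003}", r"C:\Program Files\Vendor\app.dll"),
]

if __name__ == "__main__":
    for clsid, path, reasons in find_com_hijacks(SAMPLE):
        print(clsid, path, "; ".join(reasons))
```

Only the twinapi.dll entry is reported, on both counts; the vendor DLL registered solely under HKCU for its own CLSID is left alone.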
Payload Analysis: LeetAgent Spyware
The final payload, identified as LeetAgent, is a rare spyware variant capable of:
- Keylogging
- File exfiltration, with emphasis on documents, spreadsheets, and PDFs
- Process injection for stealth and persistence
Kaspersky’s analysis reveals code-level similarities between LeetAgent’s loader and components of Dante, a commercial espionage framework developed by Memento Labs—formerly known as Hacking Team, an Italian surveillance technology vendor.