CVE-2025-2783, which has a CVSS score of 8.3, has been actively exploited in a campaign called Operation ForumTroll, targeting organizations in Russia. According to research by Kaspersky, this vulnerability, which allows a sandbox escape in Google Chrome, was used to distribute the spyware LeetAgent, developed by Memento Labs.
Spyware with great potential to cause harm
The operation involved sending phishing emails with customized links that, when opened in Google Chrome or Chromium-based browsers, triggered the exploitation of the vulnerability. These attacks were directed at media outlets, universities, research centers, and governments, with the main objective of carrying out espionage activities.
Memento Labs, an Italian technology and IT services company, has been under the radar since its formation in 2019, following the merger of InTheCyber Group and HackingTeam. The latter, known for selling intrusion and surveillance capabilities to governments, had suffered a hack in 2015 that exposed multiple tools and exploits.
The APT group ForumTroll, which appears to be linked to another actor known as TaxOff, shows proficiency in Russian, although not all attackers are native speakers. This suggests a targeted rather than indiscriminate approach in their operations. The spyware Dante, which replaces RCS, has been observed within this attack chain and offers advanced protections against analysis.
Although the full extent of these attacks has not yet been completely determined, it is evident that the use of phishing techniques, as well as the connection between different tools and groups, raises serious concerns about cybersecurity in the region. Experts suggest that this is just the latest of several incidents associated with these malicious actors.