NextFin News: A critical zero-day vulnerability identified as CVE-2025-2783 in the Google Chrome browser has been exploited since March 2025 by the Advanced Persistent Threat (APT) group known as Mem3nt0 mori, also referred to as ForumTroll. According to Kaspersky's investigative report published on October 28, 2025, this exploitation campaign, dubbed "Operation ForumTroll," specifically targeted organizations within Russia and Belarus. The victims primarily included universities, research centers, government agencies, and financial institutions—critical nodes in national knowledge and economic infrastructure.
The attack vector commenced with highly personalized phishing emails inviting selected targets to the Primakov Readings, a prestigious forum, thereby ensuring high engagement. Malicious, short-lived links embedded in these emails triggered an infection chain that required no further user interaction. Through a logical oversight in Windows’ handling of pseudo handles, the attackers exploited Chrome’s Mojo inter-process communication (IPC) mechanism. This flaw allowed them to bypass sandbox protections intrinsic to Chromium-based browsers and execute arbitrary code in the privileged browser process, effectively escaping the isolation mechanisms designed to safeguard end-users.
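The mechanism worth understanding from a defender's side is that Windows pseudo handles are not entries in any handle table: values such as the one returned by GetCurrentProcess() are sentinels that mean "the calling process itself" in whichever process interprets them. A privileged broker that duplicates handle values named by a sandboxed peer therefore has to reject those sentinels before they ever reach DuplicateHandle. The following C is an added illustration, not code from Chromium, Kaspersky or the article; the `ipc_message` struct and the `first_rejected_handle` function are hypothetical, the sentinel values are the ones Microsoft documents for the pseudo-handle macros, and the file compiles without <windows.h> so the check can be read and run anywhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, portable stand-in for a Windows HANDLE: a pointer-sized
 * integer, so this compiles without <windows.h>. */
typedef intptr_t handle_value_t;

/* Documented Windows pseudo-handle sentinels. None of them is an entry in a
 * handle table; each means "the caller's own process/thread/token" and is
 * interpreted relative to whichever process uses it. */
enum {
    PSEUDO_CURRENT_PROCESS                = -1, /* GetCurrentProcess() */
    PSEUDO_CURRENT_THREAD                 = -2, /* GetCurrentThread() */
    PSEUDO_CURRENT_PROCESS_TOKEN          = -4, /* GetCurrentProcessToken() */
    PSEUDO_CURRENT_THREAD_TOKEN           = -5, /* GetCurrentThreadToken() */
    PSEUDO_CURRENT_THREAD_EFFECTIVE_TOKEN = -6  /* GetCurrentThreadEffectiveToken() */
};

/* Hypothetical IPC message: handle values announced by a sandboxed peer,
 * seen by the privileged side before it duplicates any of them. */
#define MAX_HANDLES 8
struct ipc_message {
    size_t         handle_count;
    handle_value_t handles[MAX_HANDLES];
};

bool is_pseudo_handle(handle_value_t h)
{
    switch (h) {
    case PSEUDO_CURRENT_PROCESS:
    case PSEUDO_CURRENT_THREAD:
    case PSEUDO_CURRENT_PROCESS_TOKEN:
    case PSEUDO_CURRENT_THREAD_TOKEN:
    case PSEUDO_CURRENT_THREAD_EFFECTIVE_TOKEN:
        return true;
    default:
        return false;
    }
}

/* Accept only values that can name an entry in the peer's handle table.
 * Named sentinels are rejected first so the intent is explicit; the sign
 * test then also drops NULL, INVALID_HANDLE_VALUE and any other negative
 * value, so nothing reinterpretable relative to the privileged process
 * survives to the DuplicateHandle call. */
bool is_transferable_handle_value(handle_value_t h)
{
    if (is_pseudo_handle(h))
        return false;
    return h > 0;
}

/* Returns the index of the first rejected handle, or -1 if every handle
 * passes. An oversized count is itself malformed and is reported as index 0.
 * The caller drops the whole message on rejection instead of duplicating
 * the handles that happened to look fine. */
int first_rejected_handle(const struct ipc_message *msg)
{
    if (msg->handle_count > MAX_HANDLES)
        return 0;
    for (size_t i = 0; i < msg->handle_count; i++)
        if (!is_transferable_handle_value(msg->handles[i]))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: two plausible handle-table values followed by the
     * current-process sentinel supplied by an untrusted peer. */
    struct ipc_message msg = { 3, { 0x1c4, 0x2a8, PSEUDO_CURRENT_PROCESS } };
    int bad = first_rejected_handle(&msg);
    if (bad >= 0)
        printf("rejecting message: handle[%d] = %ld is not transferable\n",
               bad, (long)msg.handles[bad]);
    else
        puts("all handles transferable");
    return 0;
}
```

The point of doing the check on the raw value, before any Windows API call, is that the sentinel has no meaning in the peer's handle table but a very precise meaning in the broker's own context; validating after duplication is too late.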
Google responded swiftly, patching the vulnerability in Chrome versions 134.0.6998.177 and 134.0.6998.178. Mozilla Firefox developers, detecting a related issue, addressed it via CVE-2025-2857, highlighting that this class of vulnerability may extend beyond a single browser platform. However, the exploit had already facilitated the deployment of sophisticated espionage spyware, significantly impacting affected entities.
Forensic analysis traced the spyware toolkit to components developed by the Italian surveillance firm Memento Labs (formerly Hacking Team). Central to the campaign was LeetAgent spyware, capable of executing remote commands, running background keyloggers, and exfiltrating sensitive file types (.docx, .xlsx, .pdf). Moreover, a more advanced spyware platform named Dante was deployed. Dante is a commercial-grade product featuring strong anti-analysis countermeasures, encrypted communications, and persistent infiltration capabilities. This marks the first public instance of Dante’s components being used operationally in a targeted espionage campaign, raising serious questions about the ethical use of commercial spyware products and their potential proliferation.
The cyberattack methodology was notably complex. The phishing emails incorporated scripts to validate real user engagement, which prevented automated detection. Payloads were concealed within legitimate-looking assets delivered over HTTPS from legitimate content delivery networks (e.g., Fastly.net), which helped the traffic blend in with benign requests. Command and control communications relied on elliptic-curve cryptography and a modified ChaCha20 cipher. Persistence was achieved through methods including COM hijacking and registry manipulation, ensuring malware execution even after reboots.
This operation underscores multiple strategic trends. First, the blending of state-aligned espionage actors with commercial spyware vendors like Memento Labs points to an evolving cyber arms marketplace where sophisticated tools are commoditized. Such commercialization enables rapid deployment of highly complex toolsets and lowers technical barriers to entry for nation-state or proxy attackers.
Second, the exploitation of core system mechanisms—such as Windows pseudo handle logic—in widely used client software highlights persistent, latent software architecture frailties. Despite increased security investment and attention to sandboxing, logical errors remain a potent vector for privilege escalation and sandbox escapes. According to industry data, 2025 is already noted for multiple zero-day vulnerabilities in major browsers, revealing a systemic challenge in secure browser engineering amid growing software complexity and legacy code dependencies.
Third, the targeting of Russia and Belarus by a group leveraging Italian spyware technology indicates complex geopolitical cyber dynamics. Traditionally, Western espionage tools have surveilled adversaries, but today’s cyber conflict landscape reflects multilayered interdependencies and proxy usage. The targeting of educational and financial institutions signals an intent to garner intelligence on scientific, technological, and economic developments critical to these nations’ strategic interests.
Looking ahead, the discovery of CVE-2025-2783 and associated spyware deployments will likely drive accelerated hardening of IPC and sandbox modules in browsers, alongside increased scrutiny of OS-level handle management in Windows. Security researchers are encouraged to investigate pseudo-handle vulnerabilities across other software components to preempt derivative exploits.
On a strategic level, the ForumTroll campaign exemplifies the growing convergence of espionage operations with commercial spyware markets, highlighting urgent regulatory and ethical dilemmas. Governments, notably the United States under President Donald Trump's administration, are expected to consider more aggressive policies confronting the export and use of commercial surveillance software, balancing cybersecurity imperatives and geopolitical influence.
Enterprises and critical infrastructure managers in the affected regions—and globally—must prioritize patch management, advanced phishing detection, and behavioral analysis defenses to counter increasingly opaque and sophisticated exploit chains. The campaign underscores that even widely trusted software ecosystems like Chrome and Firefox remain vulnerable to innovative attack vectors requiring adaptive, multi-layered cybersecurity postures.
In summary, Mem3nt0 mori's exploitation of a critical Chrome zero-day for espionage reveals deep vulnerabilities in current cybersecurity frameworks, challenges arising from commercial spyware proliferation, and new complexities within cyber geopolitics affecting Russia, Belarus, and potentially beyond. This incident serves as a stark cautionary tale for technology vendors, policymakers, and enterprises alike on the need for vigilance, innovation, and cooperation in defending digital ecosystems.
