Operation ForumTroll: Chrome Zero-Day (CVE-2025-2783) Used to Deploy Italian Spyware
In March 2025, Kaspersky Lab recorded a surge of infections triggered when users followed personalized phishing links sent via email. No additional interaction was required to activate the attack—merely opening the malicious site in Google Chrome or another Chromium-based browser was enough.
The links were ephemeral and uniquely generated for each recipient, which significantly hindered detection. Nevertheless, Kaspersky’s technologies identified a sophisticated zero-day exploit that enabled sandbox escape in Chrome. The vulnerability was promptly reported to Google’s security team and patched under the identifier CVE-2025-2783.
The campaign, named Operation ForumTroll, derived its title from the attackers’ use of fake invitations to the “Primakov Readings” forum. Victims included employees of media outlets, universities, research institutions, government agencies, and financial organizations across Russia. Analysis of the malicious components revealed that the objective of the operation was cyber-espionage.
Researchers traced the origins of the employed software back to 2022 and discovered connections to the commercial spyware Dante, developed by the Italian firm Memento Labs (formerly Hacking Team). Code similarities indicated that ForumTroll’s attacks were executed using tools from Memento Labs.
The infection chain began when a victim opened the phishing link. The malicious website first fingerprinted the visitor through the WebGPU API and, only if the target passed validation, served the exploit. The exploit leveraged specific behaviors of the Windows API functions GetCurrentThread and DuplicateHandle to obtain access to browser threads from inside the sandbox, enabling arbitrary code execution. A similar flaw was later identified in Firefox as CVE-2025-2857.
Persistence was achieved through COM (Component Object Model) hijacking: the attackers re-registered the CLSID normally served by the twinapi.dll library so that it pointed at their own loader, which therefore executed whenever a system process or browser instantiated that COM object. The main module, LeetAgent, interpreted commands written in leetspeak and was capable of stealing documents, intercepting input, and executing arbitrary processes. Command-and-control communication was maintained over HTTPS via servers hosted on Fastly.net infrastructure.
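The COM hijacking described above relies on the fact that a per-user CLSID registration under HKCU takes precedence over the machine-wide one under HKLM, so a loader registered there runs in place of the legitimate DLL. The following PowerShell script is an added example written for this article, not code from Kaspersky's report or from the ForumTroll tooling: it enumerates HKCU InprocServer32 registrations and flags those that shadow an HKLM entry or point outside the Windows system directories. The function name `Get-ComHijackCandidates` and the scoring fields are the author's own; the article does not give the specific CLSID used in the campaign, so the script does not look for one.

```powershell
# Added example (not from Kaspersky's report): audit per-user COM registrations
# that can shadow machine-wide ones, the pattern behind COM hijacking persistence.
# Assumption: run in the context of the user being audited (HKCU is per user),
# and only InprocServer32 registrations are checked (the common in-process case).

$hkcuClsid = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$hklmClsid = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'

function Get-ComHijackCandidates {
    # No per-user CLSID hive at all means nothing can be shadowed from HKCU.
    if (-not (Test-Path $hkcuClsid)) { return @() }

    Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $userServer = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $userServer)) { return }   # skip CLSIDs with no in-proc server

        $userDll = (Get-ItemProperty -Path $userServer -ErrorAction SilentlyContinue).'(default)'
        if (-not $userDll) { return }

        # If the same CLSID is also registered machine-wide, the HKCU entry wins
        # at load time; that is exactly the hijack condition.
        $machineServer = Join-Path $hklmClsid "$clsid\InprocServer32"
        $machineDll = $null
        if (Test-Path $machineServer) {
            $machineDll = (Get-ItemProperty -Path $machineServer -ErrorAction SilentlyContinue).'(default)'
        }

        # Normalise the path: expand %SystemRoot%-style variables and strip quotes.
        $expanded = [Environment]::ExpandEnvironmentVariables($userDll).Trim('"')
        $inSystemDir = ($expanded -like "$env:SystemRoot\System32\*") -or
                       ($expanded -like "$env:SystemRoot\SysWOW64\*")

        [PSCustomObject]@{
            CLSID           = $clsid
            UserDll         = $expanded
            MachineDll      = $machineDll
            ShadowsHKLM     = [bool]$machineDll
            OutsideSystem32 = -not $inSystemDir
            DllExists       = Test-Path -LiteralPath $expanded -ErrorAction SilentlyContinue
        }
    } | Where-Object { $_.ShadowsHKLM -or $_.OutsideSystem32 }
}

# Entries that shadow an HKLM registration are the highest-priority finds.
Get-ComHijackCandidates | Sort-Object ShadowsHKLM -Descending | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: per-user installers (collaboration and sync clients, for example) legitimately register CLSIDs under HKCU outside System32, so the strongest signal is a `ShadowsHKLM` hit whose `UserDll` is an unsigned or recently written file in a user-writable directory. Running the check across users, or comparing its output against a known-good baseline, turns it into a usable detection.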
Researchers identified two attack clusters: one employing LeetAgent and the other utilizing the more advanced Dante spyware. Both used identical persistence and concealment methods, confirming their linkage. Within Dante’s code, investigators discovered a direct reference to the malware’s name—matching a presentation at ISS World MEA 2023, where Memento Labs had first introduced the new tool.
The Dante platform exhibits complex evasion techniques, including VMProtect-based obfuscation, anti-debugging routines, monitoring of Windows system events, and AES-256-CBC encryption. Experts assessed that the structure and precision of the code reflect an industrial-grade level of development.
According to Kaspersky, ForumTroll has also deployed Dante in other attacks targeting entities in Russia and Belarus, though direct use of it was not confirmed in the most recent infection wave. Indicators of Compromise (IOCs) have been published in Kaspersky’s detailed report.