The recent zero-day exploitation of a now-patched security flaw in Google Chrome has unveiled a sophisticated espionage-related tool linked to the Italian IT provider Memento Labs. Findings from cybersecurity firm Kaspersky indicate that the activity centers on the vulnerability tracked as CVE-2025-2783, which has a CVSS score of 8.3. This vulnerability, classified as a sandbox escape, was publicly disclosed in March 2025 and has been actively exploited in a campaign known as Operation ForumTroll, which primarily targets organizations in Russia.
The exploit tied to CVE-2025-2783 has been in active use since at least February 2024, allowing attackers to bypass sandbox restrictions within Google Chrome and deploy malicious tools created by Memento Labs. The same activity is also tracked by other vendors under different names: TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE.
Attackers have employed phishing emails containing personalized, time-sensitive links that lure recipients to a site posing as the Primakov Readings forum. Simply clicking these links in Google Chrome or any Chromium-based web browser triggers the exploit for CVE-2025-2783, enabling the attackers to escape the browser’s sandbox.
Founded in April 2019, Memento Labs (also stylized as mem3nt0) emerged from the merger of InTheCyber Group and HackingTeam, a company notorious for developing offensive surveillance tools. HackingTeam gained notoriety after a massive data breach in July 2015, which leaked hundreds of gigabytes of sensitive information, including proprietary tools and exploits. Among these was the Extensible Firmware Interface (EFI) development kit, known as VectorEDK, which later served as a foundation for the UEFI bootkit known as MosaicRegressor.
In April 2016, Memento Labs faced a significant setback when Italian export authorities revoked its license to sell products outside of Europe, further complicating its operations.
The recent attacks documented by Kaspersky targeted various sectors, including media outlets, universities, research institutions, and government organizations in Russia. The primary objective of these operations was espionage. According to Boris Larin, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), this was a carefully orchestrated spear-phishing operation, distinct from broader, indiscriminate campaigns.
“We observed multiple intrusions against organizations and individuals in Russia and Belarus,” Larin explained, highlighting the specificity of the targets and the sophistication of the methods employed.
Among the tools deployed in these intrusions is a previously undocumented spyware named LeetAgent, which derives its name from the use of leetspeak in its commands. The attack sequence begins with a validation phase, wherein a small script checks whether the visitor to the malicious site is a legitimate user. Following this, the exploit for CVE-2025-2783 executes a sandbox escape, enabling the delivery of a loader that activates LeetAgent.
This malware establishes a connection with a command-and-control (C2) server via HTTPS, enabling it to execute various commands, including:
- 0xC033A4D (COMMAND) – Run a command using cmd.exe
- 0xECEC (EXEC) – Execute a process
- 0x6E17A585 (GETTASKS) – Retrieve a list of currently executing tasks
- 0x6177 (KILL) – Terminate a task
- 0xF17E09 (FILE \x09) – Write to a file
- 0xF17ED0 (FILE \xD0) – Read a file
- 0x1213C7 (INJECT) – Inject shellcode
- 0xC04F (CONF) – Set communication parameters
- 0xD1E (DIE) – Terminate the agent
- 0xCD (CD) – Change the current working directory
- 0x108 (JOB) – Configure parameters for keyloggers or file stealers

The malware associated with these attacks can be traced back to 2022. The threat actor has been linked to a broader spectrum of malicious cyber activity targeting organizations and individuals in Russia and Belarus, primarily distributed through phishing emails with malicious attachments. The distinctive features of the ForumTroll APT group include proficiency in Russian and an understanding of local nuances, although inconsistencies in some operations suggest that not all of the attackers are native Russian speakers.
In a related report published in June 2025, Positive Technologies described an identical cluster of activity involving the exploitation of CVE-2025-2783 by a threat actor it tracks as TaxOff, which aimed to deploy a backdoor named Trinper. According to Larin, there are indications that these two sets of attacks are interconnected, with the LeetAgent backdoor in Operation ForumTroll being capable of launching the more advanced Dante spyware.
The threats posed by these espionage operations underscore the need for robust cybersecurity measures and the importance of staying informed about vulnerabilities such as CVE-2025-2783. As cybercriminals continue to evolve their tactics, organizations must remain vigilant and proactive in their defenses against such targeted attacks.