Chrome Zero-Day Exploited: Memento Spyware Campaign Targets Windows Systems with LeetAgent and Dante Malware
- Rescana
- 23 hours ago

Executive Summary
A highly sophisticated cyber-espionage campaign has been identified leveraging a previously unknown zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver advanced spyware attributed to Memento Labs (formerly known as Hacking Team). This operation, tracked as Operation ForumTroll, has primarily targeted organizations in Russia and Belarus, including media, academic, governmental, and financial sectors. The attack chain utilizes spear-phishing, a Chrome sandbox escape, and a multi-stage malware deployment culminating in the installation of the LeetAgent and, in some cases, the more advanced Dante spyware platforms. The technical sophistication, targeting, and use of a zero-day exploit underscore the critical risk posed by this campaign to organizations using unpatched versions of Google Chrome.
Threat Actor Profile
The campaign is attributed to an advanced persistent threat (APT) group tracked as Operation ForumTroll, also known as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE. The group is believed to operate with a high degree of technical capability, leveraging custom malware and zero-day exploits. The spyware deployed in this campaign is developed by Memento Labs, an Italian vendor with a history of supplying offensive cyber capabilities to government and intelligence clients. Linguistic analysis of phishing lures and malware artifacts suggests Russian language proficiency, though with non-native speaker errors, indicating possible external actors with regional expertise. The group has demonstrated a clear focus on intelligence collection from high-value targets in Russia and Belarus, aligning with state-sponsored objectives.
Technical Analysis of Malware/TTPs
The initial infection vector is a spear-phishing email containing a personalized, short-lived link, often themed around high-profile events such as the "Primakov Readings" forum. When a victim clicks the link using Google Chrome or a Chromium-based browser, a validator script on the malicious site confirms the browser environment before delivering the exploit payload. The exploit leverages CVE-2025-2783, a sandbox escape vulnerability in the Mojo IPC subsystem of Google Chrome for Windows, allowing remote code execution outside the browser sandbox.
Upon successful exploitation, a loader is dropped onto the victim's system, which installs the LeetAgent spyware. LeetAgent achieves persistence through COM hijacking, specifically by overriding the CLSID of twinapi.dll ({AA509086-5Ca9-4C25-8F95-589D3C07B48A}), and by storing data in hidden file-system paths and font files. Its core functions include command execution, file read/write operations, shellcode injection, keylogging, and targeted file exfiltration. The malware specifically seeks documents with extensions such as .doc, .xls, .ppt, .rtf, .pdf, .docx, .xlsx, and .pptx. LeetAgent communicates with command-and-control (C2) servers over HTTPS, using leetspeak-based commands for tasking. Notable command codes include 0xC033A4D (COMMAND), 0xECEC (EXEC), 0x6E17A585 (GETTASKS), 0x6177 (KILL), 0xF17E09 (FILE \x09), 0xF17ED0 (FILE \xD0), 0x1213C7 (INJECT), 0xC04F (CONF), 0xD1E (DIE), 0xCD (CD), and 0x108 (JOB).
In some cases, LeetAgent acts as a loader for the more advanced Dante spyware platform. Dante features advanced evasion techniques, including obfuscated control flow, encrypted strings, anti-debugging routines, and event log checks for analysis tools or virtual machines. It is modular, capable of loading additional components from disk or memory, and includes a self-destruct mechanism that erases all traces if it cannot contact its C2 infrastructure within a set period.
Persistence is further achieved by storing files in the %LocalAppData% directory, using 8-byte Base64 strings as folder names, and creating files without extensions, one of which matches the folder name. The malware also leverages COM hijacking to ensure execution upon system startup.
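The two persistence artifacts described above (a per-user COM registration shadowing the twinapi.dll CLSID, and an 8-character Base64-named folder under %LocalAppData% holding an extension-less file of the same name) can be triaged with a small host-side check. The following is an added example, not code from the advisory or from Rescana; it runs the two checks over constructed sample data (a temporary directory and hand-written registry dictionaries, neither of which are real indicators from the advisory), and the CLSID value is the one quoted above. On a live Windows host the registry dictionaries would be filled from HKCU\Software\Classes\CLSID\<id>\InprocServer32 and HKLM\Software\Classes\CLSID\<id>\InprocServer32, and the folder scan pointed at the real %LocalAppData%.

```python
import re
import tempfile
from pathlib import Path

# CLSID the advisory names as the one LeetAgent overrides (twinapi.dll).
TWINAPI_CLSID = "{AA509086-5Ca9-4C25-8F95-589D3C07B48A}"
# Folder naming described in the advisory: an 8-character Base64-alphabet string.
B64_8 = re.compile(r"^[A-Za-z0-9+/]{8}$")
# Where a legitimate in-process COM server DLL normally lives.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def suspicious_localappdata_dirs(local_app_data: Path) -> list[str]:
    """Names of sub-folders of %LocalAppData% that fit the described pattern:
    an 8-char Base64 name containing an extension-less file with the same name."""
    hits = []
    for d in local_app_data.iterdir():
        if not d.is_dir() or not B64_8.match(d.name):
            continue
        if any(f.is_file() and f.suffix == "" and f.name == d.name for f in d.iterdir()):
            hits.append(d.name)
    return sorted(hits)


def com_hijack_candidates(hkcu_inproc: dict[str, str], hklm_inproc: dict[str, str]) -> list[str]:
    """Per-user CLSID -> InprocServer32 entries that shadow a machine-wide registration
    and point outside the Windows system directories. HKCU\\Software\\Classes wins over
    HKLM for the current user, which is what makes this a hijack. GUIDs are compared
    case-insensitively because CLSIDs are not case-sensitive."""
    machine = {c.lower() for c in hklm_inproc}
    return [
        clsid for clsid, dll in hkcu_inproc.items()
        if clsid.lower() in machine and not dll.lower().startswith(SYSTEM_DLL_DIRS)
    ]


# Constructed sample registry data (not real indicators from the advisory).
SAMPLE_HKLM = {TWINAPI_CLSID: "C:\\Windows\\System32\\twinapi.dll"}
SAMPLE_HKCU = {
    # shadows the system twinapi registration with a user-writable, extension-less file
    TWINAPI_CLSID: "C:\\Users\\user\\AppData\\Local\\Qz8fK2Lm\\Qz8fK2Lm",
    # a per-user server with no HKLM twin is ordinary per-user software, not a hijack
    "{00000000-0000-0000-0000-000000000001}": "C:\\Program Files\\Vendor\\addin.dll",
}


def demo() -> tuple[list[str], list[str]]:
    """Build a throw-away %LocalAppData% layout (constructed) and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Qz8fK2Lm").mkdir()
        (root / "Qz8fK2Lm" / "Qz8fK2Lm").write_bytes(b"\x00")   # matches the pattern
        (root / "Qz8fK2Lm" / "other.dat").write_bytes(b"")
        (root / "Microsoft").mkdir()                            # ordinary folder, ignored
        (root / "Microsoft" / "Microsoft").write_bytes(b"")     # not an 8-char Base64 name
        (root / "Ab12Cd34").mkdir()                             # right name, no matching file
        (root / "Ab12Cd34" / "log.txt").write_text("x")
        dirs = suspicious_localappdata_dirs(root)
    return dirs, com_hijack_candidates(SAMPLE_HKCU, SAMPLE_HKLM)


if __name__ == "__main__":
    print(demo())
```

The folder check is a heuristic, so treat a hit as a lead for analyst review rather than a verdict; the COM check is the stronger signal, since a user-hive InprocServer32 entry for a CLSID that Windows already registers machine-wide has few legitimate explanations.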
Exploitation in the Wild
The exploitation of CVE-2025-2783 has been observed in targeted spear-phishing campaigns against Russian and Belarusian entities since at least February 2024. The campaign was first publicly reported by Kaspersky in March 2025, with subsequent analysis by multiple security vendors confirming the use of the Chrome zero-day and the deployment of LeetAgent and Dante spyware. The attack chain is highly targeted, with phishing lures tailored to specific organizations and individuals, often referencing current events or conferences relevant to the victim's sector. The use of a zero-day exploit in a widely used browser like Google Chrome significantly increases the risk of successful compromise, particularly for organizations that have not applied the latest security updates.
Victimology and Targeting
The primary targets of this campaign are organizations in Russia and Belarus, including media outlets, universities, research centers, government agencies, and financial institutions. The selection of targets indicates a focus on intelligence collection and strategic espionage. The phishing lures are crafted in Russian, with content relevant to the victim's professional interests, increasing the likelihood of successful social engineering. While the campaign has not been observed targeting organizations outside Russia and Belarus, the use of a Chrome zero-day and the modular nature of the malware suggest the potential for broader targeting in the future. Organizations in sectors handling sensitive information or with geopolitical relevance should consider themselves at elevated risk.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by this campaign. All users and organizations should update Google Chrome to version 134.0.6998.177 or later, as this version contains the patch for CVE-2025-2783. Security teams should review the CISA Known Exploited Vulnerabilities (KEV) Catalog for the latest guidance and ensure that all Chromium-based browsers are updated accordingly. Endpoint detection and response (EDR) solutions should be configured to monitor for indicators of compromise associated with LeetAgent and Dante, including the specific file extensions targeted, persistence mechanisms, and command codes outlined above. User awareness training should be conducted to help employees recognize spear-phishing attempts, particularly those themed around current events or professional conferences. Network monitoring should be enhanced to detect anomalous HTTPS traffic to suspicious domains, and threat intelligence feeds should be leveraged to stay informed of emerging IOCs. Organizations should also conduct regular security audits and incident response exercises to ensure preparedness for sophisticated, multi-stage attacks.
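Because the mitigation hinges on a minimum build number, the version comparison itself is worth getting right: a plain string comparison of "99.0.1.1" against "134.0.6998.177" sorts the older build as newer. The following is an added example, not code from the advisory or from Rescana. It compares four-part Chrome versions numerically against the patched build quoted above and, as an assumed inventory method, reads the version-named sub-folders that Chrome keeps under its Application directory (for example ...\Google\Chrome\Application\134.0.6998.177); the demo runs over a constructed temporary folder rather than a real installation.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# First Chrome build carrying the CVE-2025-2783 fix, as stated in the advisory.
PATCHED_VERSION = "134.0.6998.177"
_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(text: str) -> tuple[int, ...]:
    """Split 'major.minor.build.patch' into integers so the compare is numeric."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when `installed` is at or above the patched build.
    Tuple comparison is component-wise, which a string compare is not."""
    return parse_version(installed) >= parse_version(patched)


def installed_chrome_versions(application_dir: Path) -> list[str]:
    """Version-named sub-folders of Chrome's Application directory, newest first.
    Assumed layout: Chrome keeps each installed build in a folder named after it."""
    found = [d.name for d in application_dir.iterdir() if d.is_dir() and _VERSION_RE.match(d.name)]
    return sorted(found, key=parse_version, reverse=True)


def assess(application_dir: Path) -> tuple[Optional[str], bool]:
    """(newest installed version or None, whether it is at or above the patched build)."""
    versions = installed_chrome_versions(application_dir)
    if not versions:
        return None, False
    return versions[0], is_patched(versions[0])


def demo() -> tuple[Optional[str], bool]:
    """Run the assessment over a constructed Application folder (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        for v in ("134.0.6998.165", "134.0.6998.177"):   # a stale build left behind, and the patched one
            (app / v).mkdir()
        (app / "SetupMetrics").mkdir()                    # non-version folder, ignored
        return assess(app)


if __name__ == "__main__":
    print(demo())
```

An updated-but-not-restarted Chrome still runs the old binary, so a version-folder check should be paired with confirming that running chrome.exe processes were started after the update was applied.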
References
The following sources provide additional technical details and context for this advisory:
- The Hacker News: Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware
- NVD: CVE-2025-2783
- Google Chrome Release Notes
- CISA KEV Catalog
- Securelist: ForumTroll APT, Hacking Team, Dante Spyware
- Dark Reading: Memento Spyware Tied to Chrome Zero-Day Attacks
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and risk analytics empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help your organization strengthen its cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.