Operation ForumTroll: Italian Spyware Vendor Memento Labs Exploits Chrome Zero-Day (CVE-2025-2783) in Targeted Attacks on Russia and Belarus

  • Rescana
  • 4 days ago

Executive Summary

A newly uncovered cyber-espionage campaign, tracked as Operation ForumTroll, has been tied to tooling from the Italian spyware vendor Memento Labs (the company formed when InTheCyber Group acquired Hacking Team). The operators exploited a high-severity Google Chrome zero-day, CVE-2025-2783, a sandbox escape in the browser's Mojo IPC layer on Windows, to deliver commercial surveillance malware. The actor behind the campaign has been active since at least February 2024; the zero-day itself was used in March 2025, before Google shipped the fix in Chrome 134.0.6998.177. The attacks are highly targeted spear-phishing operations against organizations in Russia and Belarus, including media, academic, governmental, and financial institutions. Successful exploitation deploys the LeetAgent implant and, in some intrusions, the more advanced Dante spyware platform, giving the attackers code execution outside the browser sandbox, data exfiltration, and persistent access. The technical sophistication, operational security, and targeting profile of this campaign underscore the growing threat posed by commercial spyware vendors and the need for fast browser patching and user awareness.

Threat Actor Profile

The tooling used in this campaign has been attributed to Memento Labs, an Italian commercial spyware vendor whose lineage traces back to the notorious Hacking Team. Memento Labs develops and sells offensive capabilities, including remote access trojans and modular surveillance frameworks, to government and private-sector customers, typically for targeted surveillance and intelligence collection. The operator observed deploying those tools is tracked as ForumTroll APT (overlapping with the clusters other vendors call TaxOff, Team 46, and Prosperous Werewolf). A vendor that sells a platform and the operator who runs the intrusions are not necessarily the same party, and the targeting here points to the operator being a customer acting for a third-party client rather than Memento Labs itself. The actor shows strong operational security: personalized phishing links that expire quickly, often after a single use, and command-and-control (C2) infrastructure rotated fast enough to frustrate detection and attribution. The focus on Russian and Belarusian targets in sensitive sectors indicates a strategic intelligence-gathering objective.

Technical Analysis of Malware/TTPs

The attack chain begins with a spear-phishing email carrying a personalized, short-lived link, themed around events such as the Primakov Readings forum. A victim who opens it in a vulnerable Google Chrome on Windows (any build before 134.0.6998.177) is hit by CVE-2025-2783, a high-severity sandbox escape in Chrome's Mojo IPC layer. A sandbox escape on its own does not run attacker code; public analyses describe it as being chained with a separate renderer exploit that researchers were not able to recover. The combined chain gives the attacker code execution on the host with no interaction beyond the click, and it is used to drop a custom loader.

The loader executes the LeetAgent spyware, a modular implant with extensive surveillance and post-exploitation capabilities. LeetAgent supports remote command execution, process management, file system access, shellcode injection, keylogging, and targeted file theft (including Microsoft Office and PDF documents). It establishes persistence through COM hijacking and can self-delete to evade forensic analysis. C2 communication is conducted over HTTPS, with parameters configurable via dedicated command codes. The implant’s command set includes codes for executing commands (0xC033A4D), process management (0xECEC, 0x6E17A585, 0x6177), file operations (0xF17E09, 0xF17ED0), shellcode injection (0x1213C7), C2 configuration (0xC04F), and data exfiltration (0x108 for keylogging and file theft).
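LeetAgent's persistence mechanism is COM hijacking, which works because Windows resolves HKEY_CLASSES_ROOT by consulting HKCU\Software\Classes before HKLM\Software\Classes, so an unprivileged user can shadow a machine-wide COM server with a key that points at a DLL in the user profile. The following Python is an added example, not code from the campaign analysis or from Rescana, of the check the mitigation section later asks EDR to perform: it compares HKCU and HKLM InprocServer32 registrations and flags user-scope entries that shadow a machine entry with a different, user-writable DLL. It assumes the implant registers under HKCU (the natural choice for code running as the browser's non-elevated user; the page does not state the hive), the CLSIDs and paths in SAMPLE_SERVERS are constructed, and live collection uses only the standard-library winreg module.

```python
"""Flag user-scope COM hijacks of the kind LeetAgent uses for persistence.

Windows resolves HKEY_CLASSES_ROOT by consulting HKCU\\Software\\Classes before
HKLM\\Software\\Classes, so an unprivileged user can shadow a machine-wide COM
server with a key pointing at a DLL in the user profile. Assumption (not stated
on the page): the implant registers its DLL under HKCU, the usual choice for code
running as the browser's non-elevated user.
"""
import sys
from dataclasses import dataclass

# Locations a standard user can write to without elevation.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "%userprofile%", "%appdata%",
                          "%localappdata%", "%temp%", "%tmp%")


@dataclass(frozen=True)
class ComServer:
    clsid: str   # e.g. "{00000000-0000-0000-0000-000000000001}"
    hive: str    # "HKCU" or "HKLM"
    path: str    # default value of <CLSID>\InprocServer32, i.e. the DLL path


def normalize_path(path):
    return path.strip().strip('"').lower().replace("/", "\\")


def is_user_writable(path):
    return normalize_path(path).startswith(USER_WRITABLE_PREFIXES)


def find_com_hijacks(servers):
    """Return (clsid, severity, dll_path) for suspicious HKCU InprocServer32 entries.

    "high": the HKCU key shadows an HKLM CLSID with a different, user-writable DLL,
            the classic hijack pattern.
    "low":  HKCU-only CLSID backed by a user-writable DLL. Per-user installers
            legitimately do this, so treat it as triage input, not an alert.
    Identical HKCU/HKLM paths are ignored.
    """
    hklm = {s.clsid.lower(): s for s in servers if s.hive == "HKLM"}
    hits = []
    for s in servers:
        if s.hive != "HKCU" or not is_user_writable(s.path):
            continue
        legit = hklm.get(s.clsid.lower())
        if legit is None:
            hits.append((s.clsid, "low", s.path))
        elif normalize_path(legit.path) != normalize_path(s.path):
            hits.append((s.clsid, "high", s.path))
    return hits


def collect_live():
    """Enumerate InprocServer32 values from both hives with the stdlib winreg module.

    Windows only. On 64-bit systems the WOW6432Node view is not walked here.
    """
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg
    found = []
    for hive, root in (("HKCU", winreg.HKEY_CURRENT_USER),
                       ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            classes = winreg.OpenKey(root, r"Software\Classes\CLSID")
        except OSError:
            continue
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(classes, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(classes, clsid + r"\InprocServer32") as key:
                    path, _ = winreg.QueryValueEx(key, "")
                found.append(ComServer(clsid, hive, str(path)))
            except OSError:
                pass
    return found


# Constructed sample data, not real indicators from the campaign.
SAMPLE_SERVERS = [
    ComServer("{00000000-0000-0000-0000-000000000001}", "HKLM", r"C:\Windows\System32\legit.dll"),
    ComServer("{00000000-0000-0000-0000-000000000001}", "HKCU", r"C:\Users\victim\AppData\Local\Temp\upd.dll"),
    ComServer("{00000000-0000-0000-0000-000000000002}", "HKLM", r"C:\Windows\System32\other.dll"),
    ComServer("{00000000-0000-0000-0000-000000000002}", "HKCU", r"C:\Windows\System32\other.dll"),
    ComServer("{00000000-0000-0000-0000-000000000003}", "HKCU", r"%LOCALAPPDATA%\SomeApp\app.dll"),
]

if __name__ == "__main__":
    servers = collect_live() if sys.platform == "win32" else SAMPLE_SERVERS
    for clsid, severity, path in find_com_hijacks(servers):
        print(f"[{severity}] {clsid} -> {path}")
```

Run it on a Windows endpoint and it walks the live registry; anywhere else it runs against the constructed sample and reports one "high" hit (the shadowed CLSID whose HKCU entry points into the user's Temp directory) and one "low" hit. The "low" tier exists because per-user installs (messaging clients, cloud sync agents) register HKCU-only COM servers under AppData legitimately; the high-signal pattern is a user-scope key that overrides a CLSID the machine already owns.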

In some incidents, LeetAgent is deployed alongside Dante, a more advanced spyware platform from Memento Labs. Dante features obfuscated control flow, encrypted strings, anti-debugging techniques, and environmental awareness (including checks for malware analysis tools and virtual machines via Windows Event Log). It is modular, capable of loading additional components from disk or memory, and includes a self-removal mechanism if C2 connectivity is lost. Both implants are designed for stealth and resilience, leveraging advanced persistence and evasion techniques.

The campaign’s Tactics, Techniques, and Procedures (TTPs) map to several MITRE ATT&CK techniques, including T1566.002 (Phishing: Spearphishing Link), T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter), T1105 (Ingress Tool Transfer), T1027 (Obfuscated Files or Information), T1055 (Process Injection), T1071.001 (Application Layer Protocol: Web Protocols for C2), T1546.015 (Event Triggered Execution: Component Object Model Hijacking, the correct mapping for the COM-based persistence; the underlying key writes also fall under T1112, Modify Registry), T1497.001 (Virtualization/Sandbox Evasion: System Checks, for Dante's VM and analysis-tool checks), T1070.004 (Indicator Removal: File Deletion, for the self-removal routines), T1005 (Data from Local System), and T1056.001 (Input Capture: Keylogging).

Exploitation in the Wild

The ForumTroll operators have been active since at least February 2024, and their exploitation of CVE-2025-2783 was observed in March 2025, while Chrome was still unpatched, with confirmed intrusions in Russia and Belarus. The campaign is notable for its precision targeting, with spear-phishing emails crafted for specific individuals and organizations. The phishing links are short-lived, often expiring after a single use, and are tailored to the recipient’s interests or professional context. Upon successful exploitation, the victim’s system is compromised with LeetAgent and, in some cases, Dante spyware, enabling the attacker to conduct comprehensive surveillance, data theft, and lateral movement within the target environment. The use of HTTPS for C2 communication, combined with rapid infrastructure rotation, has complicated detection and response efforts. Public reporting indicates that the attackers have successfully compromised media outlets, academic institutions, government agencies, and financial organizations, exfiltrating sensitive documents and credentials.

Victimology and Targeting

The primary targets of this campaign are organizations and individuals in Russia and Belarus, with a focus on sectors of strategic interest, including media, academia, government, finance, and research. Victims have included journalists, policy analysts, government officials, and financial sector employees. The targeting methodology relies on detailed reconnaissance, enabling the attackers to craft convincing spear-phishing lures and maximize the likelihood of exploitation. The campaign’s geographic and sectoral focus suggests an intelligence-gathering objective, potentially on behalf of a state or private client seeking access to sensitive information and communications. There is no evidence of widespread, indiscriminate targeting; rather, the operation is characterized by its selectivity and operational discipline.

Mitigation and Countermeasures

Immediate mitigation requires updating all instances of Google Chrome to version 134.0.6998.177 or later (the Stable Channel update of 25 March 2025), as this release addresses CVE-2025-2783. Because the flaw sits in Mojo on Windows, Windows endpoints are the priority. Organizations should inventory all Chromium-based browsers in their environment; derivatives built on a vulnerable Chromium are affected too, but their version numbers do not track Chrome's build number, so confirm the fix against each vendor's release notes rather than by comparing against 134.0.6998.177. User awareness training is critical, with a focus on recognizing spear-phishing attempts, especially those containing personalized or event-themed links. Security teams should monitor proxy and DNS logs for connections to newly seen or low-reputation domains shortly after browser activity; the C2 traffic is HTTPS, so destination and timing, not content, are what the network can see. Endpoint detection and response (EDR) solutions should be configured to identify COM hijacking (user-scope InprocServer32 keys under HKCU\Software\Classes\CLSID that shadow machine-wide CLSIDs), other anomalous persistence, and file access patterns consistent with LeetAgent and Dante behaviors. Regular threat intelligence updates are essential to stay informed of new indicators of compromise (IOCs) and evolving TTPs. Organizations should also review their incident response plans to ensure rapid containment and remediation in the event of compromise.
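The version comparison in the patching step is easy to get wrong at scale: a string sort puts 134.0.6998.89 after 134.0.6998.177, and Chromium derivatives carry their own build numbers. The following Python is an added example, not Rescana's tooling, that triages browser inventory rows against the fixed Chrome build. It compares Chrome and Chromium builds numerically, honours an explicit "Chromium: x.y.z.w" tag where a derivative prints one, and otherwise defers to the vendor advisory when only the major version matches. The fixed version comes from the Chrome release notes cited on this page; the inventory strings, the product names, and the local lookup paths (Chrome's per-user BLBeacon registry key on Windows, `--version` of common binaries elsewhere) are this example's own assumptions.

```python
"""Triage browser inventory entries against the CVE-2025-2783 fix version.

Added example, not Rescana's tooling. The fixed version comes from the 25 March
2025 Chrome Stable Channel update referenced on this page; the inventory below
is constructed.
"""
import re
import subprocess
import sys

FIXED_CHROME = (134, 0, 6998, 177)  # first Chrome stable build carrying the fix

_CHROMIUM_TAG = re.compile(r"Chromium:\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
_ANY_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a 4-tuple of ints. Prefer an explicit 'Chromium: x.y.z.w' tag (as
    some derivatives print) over the product's own version string."""
    m = _CHROMIUM_TAG.search(text) or _ANY_VERSION.search(text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version, fixed=FIXED_CHROME):
    """Compare numerically; a string comparison orders 134.0.6998.89 after 134.0.6998.177."""
    return tuple(version) < tuple(fixed)


def assess(product, version_text):
    """Return (product, version, verdict).

    Chrome/Chromium builds compare directly. A derivative with its own numbering
    (Edge 134.0.3124.x, for example) shares only the major number with Chrome, so
    on the same major the verdict defers to the vendor's advisory.
    """
    version = parse_version(version_text)
    chromium_numbering = (product.lower() in ("chrome", "chromium")
                          or _CHROMIUM_TAG.search(version_text) is not None)
    if chromium_numbering:
        verdict = "vulnerable" if is_vulnerable(version) else "patched"
    elif version[0] < FIXED_CHROME[0]:
        verdict = "vulnerable"          # older Chromium major: certainly behind the fix
    elif version[0] > FIXED_CHROME[0]:
        verdict = "patched"
    else:
        verdict = "check vendor advisory"
    return product, version, verdict


def installed_chrome_version():
    """Best-effort local lookup; returns None when Chrome is not found.

    Windows: the per-user BLBeacon key Chrome writes on launch (assumed present).
    Elsewhere: --version of the usual binaries.
    """
    if sys.platform == "win32":
        import winreg
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Google\Chrome\BLBeacon") as key:
                return parse_version(str(winreg.QueryValueEx(key, "version")[0]))
        except (OSError, ValueError):
            return None
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        try:
            out = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=10)
            return parse_version(out.stdout)
        except (FileNotFoundError, ValueError, subprocess.TimeoutExpired):
            continue
    return None


# Constructed inventory rows (product, raw version string reported by the endpoint).
SAMPLE_INVENTORY = [
    ("Chrome", "Google Chrome 134.0.6998.89"),
    ("Chrome", "Google Chrome 134.0.6998.177"),
    ("Chrome", "Google Chrome 133.0.6943.142"),
    ("Edge", "Microsoft Edge 134.0.3124.51"),
    ("Brave", "Brave 1.75.180 Chromium: 133.0.6943.98"),
]


def triage(inventory):
    return [assess(product, raw) for product, raw in inventory]


if __name__ == "__main__":
    local = installed_chrome_version()
    if local:
        dotted = ".".join(map(str, local))
        print(f"local Chrome {dotted}: {assess('Chrome', dotted)[2]}")
    for product, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{product:<7} {'.'.join(map(str, version)):<16} {verdict}")
```

Feed it the product name and raw version string your asset inventory already exports. The "check vendor advisory" verdict is deliberate: a derivative on the same major as the fix cannot be judged by Chrome's build number, and silently passing it would hide exactly the browsers the inventory step is meant to catch.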

References

The following open-source resources provide additional technical details and context for this campaign:

  • The Hacker News: Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware (https://thehackernews.com/2025/10/chrome-zero-day-exploited-to-deliver.html)
  • NVD: CVE-2025-2783 (https://nvd.nist.gov/vuln/detail/CVE-2025-2783)
  • BleepingComputer: Italian spyware vendor linked to Chrome zero-day attacks (https://www.bleepingcomputer.com/news/security/italian-spyware-vendor-linked-to-chrome-zero-day-attacks/)
  • Dark Reading: Memento Spyware Tied to Chrome Zero-Day Attacks (https://www.darkreading.com/vulnerabilities-threats/memento-spyware-chrome-zero-day-attacks)
  • Google TAG: Spyware vendors use 0-days and n-days against popular platforms (https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/)
  • Kaspersky GReAT (https://securelist.com/)
  • Chrome Release Notes: Stable Channel Update for Desktop, 25 March 2025 (https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html)
  • CISA KEV Catalog Entry for CVE-2025-2783 (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2783)

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.
