The zero-day exploitation of a now-patched security flaw in Google Chrome led to the distribution of an espionage-related tool from Italian information technology and services provider Memento Labs, according to new findings from Kaspersky.
The vulnerability in question is CVE-2025-2783 (CVSS score: 8.3), a case of sandbox escape which the company disclosed in March 2025 as having come under active exploitation as part of a campaign dubbed Operation ForumTroll targeting organizations in Russia. The cluster is also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE. It’s known to be active since at least February 2024.
The wave of infections involved sending phishing emails containing personalized, short-lived links inviting recipients to the Primakov Readings forum. Clicking the links through Google Chrome or a Chromium-based web browser was enough to trigger an exploit for CVE-2025-2783, enabling the attackers to break out of the confines of the program and deliver tools developed by Memento Labs.
Headquartered in Milan, Memento Labs (also stylized as mem3nt0) was formed in April 2019 following the merger of InTheCyber Group and HackingTeam (aka Hacking Team), the latter of which has a history of selling offensive intrusion and surveillance capabilities to governments, law enforcement agencies, and corporations, including creating spyware designed to monitor the Tor browser.

Most notably, the infamous surveillance software vendor suffered a hack in July 2015, resulting in the leak of hundreds of gigabytes of internal data, including tools and exploits. Among these was an Extensible Firmware Interface (EFI) development kit dubbed VectorEDK that would later go on to become the foundation for a UEFI bootkit known as MosaicRegressor. In April 2016, the company courted a further setback after Italian export authorities revoked its license to sell outside of Europe.
In the latest set of attacks documented by the Russian cybersecurity vendor, the lures targeted media outlets, universities, research centers, government organizations, financial institutions, and other organizations in Russia with the primary goal of espionage.
“This was a targeted spear-phishing operation, not a broad, indiscriminate campaign,” Boris Larin, principal security researcher at Kaspersky Global Research and Analysis Team (GReAT), told The Hacker News. “We observed multiple intrusions against organizations and individuals in Russia and Belarus, with lures aimed at media outlets, universities, research centers, government bodies, financial institutions, and others in Russia.”
Most notably, the attacks have been found to pave the way for a previously undocumented spyware developed by Memento Labs called LeetAgent, owing to the use of leetspeak for its commands.
The starting point is a validator phase: a small script executed by the browser that checks whether the visitor to the malicious site is a genuine user with a real web browser. It then leverages CVE-2025-2783 to trigger the sandbox escape, achieve remote code execution, and drop a loader responsible for launching LeetAgent.
The malware is capable of connecting to a command-and-control (C2) server over HTTPS and receiving instructions that allow it to perform a wide range of tasks –
- 0xC033A4D (COMMAND) – Run command using cmd.exe
- 0xECEC (EXEC) – Execute a process
- 0x6E17A585 (GETTASKS) – Get a list of tasks that the agent is currently executing
- 0x6177 (KILL) – Stop a task
- 0xF17E09 (FILE x09) – Write to file
- 0xF17ED0 (FILE xD0) – Read a file
- 0x1213C7 (INJECT) – Inject shellcode
- 0xC04F (CONF) – Set communication parameters
- 0xD1E (DIE) – Quit
- 0xCD (CD) – Change current working directory
- 0x108 (JOB) – Set parameters for keylogger or file stealer to harvest files matching extensions *.doc, *.xls, *.ppt, *.rtf, *.pdf, *.docx, *.xlsx, and *.pptx
The malware used in the intrusions has been traced all the way back to 2022, with the threat actor also linked to a broader set of malicious cyber activity aimed at organizations and individuals in Russia and Belarus using phishing emails carrying malicious attachments as a distribution vector.
“Proficiency in Russian and familiarity with local peculiarities are distinctive features of the ForumTroll APT group, traits that we have also observed in its other campaigns,” Larin said. “However, mistakes in some of those other cases suggest that the attackers were not native Russian speakers.”

It’s worth noting that Positive Technologies, in a report published in June 2025, also disclosed an identical cluster of activity that involved the exploitation of CVE-2025-2783 by a threat actor it tracks as TaxOff to deploy a backdoor called Trinper. Larin told The Hacker News that the two sets of attacks are connected.
“In several incidents, the LeetAgent backdoor used in Operation ForumTroll directly launched the more sophisticated Dante spyware,” Larin explained.
“Beyond that handoff, we observed overlaps in tradecraft: identical COM-hijacking persistence, similar file-system paths, and data hidden in font files. We also found shared code between the exploit/loader and Dante. Taken together, these points indicate the same actor/toolset behind both clusters.”
Dante, which emerged in 2022 as a replacement for another spyware referred to as Remote Control Systems (RCS), comes with an array of protections to resist analysis. It obfuscates control flow, hides imported functions, adds anti-debugging checks, and nearly every string in the source code is encrypted. It also queries the Windows Event Log for events that may indicate the use of malware analysis tools or virtual machines to fly under the radar.
Once all the checks are passed, the spyware proceeds to launch an orchestrator module that’s engineered to communicate with a C2 server via HTTPS, load other components either from the file system or memory, and remove itself if it doesn’t receive commands within a number of days specified in the configuration, erasing traces of all activity.
There is currently no information about the nature of additional modules launched by the spyware. While the threat actor behind Operation ForumTroll has not been observed using Dante in the campaign exploiting the Chrome security flaw, Larin said that there is evidence to suggest wider usage of Dante in other attacks. But he pointed out it’s too early to reach any definitive conclusion about scope or attribution.