The notorious Mem3nt0 mori hacker group has been actively exploiting a zero-day vulnerability in Google Chrome, compromising high-profile targets across Russia and Belarus.
Tracked as CVE-2025-2783, this flaw allowed attackers to bypass Chrome’s robust sandbox protections with minimal user interaction, leading to the deployment of sophisticated spyware.
Kaspersky researchers discovered the vulnerability in March 2025 and Google swiftly patched it, but not before infections spread through personalized phishing campaigns mimicking invitations to the prestigious Primakov Readings forum.
| CVE ID | Description | CVSS Score | Affected Versions | Patch Version | Impact |
|---|---|---|---|---|---|
| CVE-2025-2783 | Incorrect handle validation in Mojo IPC leading to sandbox escape on Windows | 9.8 (High) | Chrome < 134.0.6998.177 | 134.0.6998.177/.178 | Arbitrary code execution, espionage via spyware deployment |
The attacks, part of an operation Kaspersky named ForumTroll, targeted media outlets, universities, government agencies, and financial institutions, underscoring the group’s focus on intelligence gathering.
Victims received impeccably crafted emails in Russian, luring them to malicious sites that triggered the exploit upon visit; no downloads or clicks beyond the initial link were needed.
This drive-by infection chain exploited Chrome’s Mojo inter-process communication system, a critical component for handling data between browser processes on Windows.
The vulnerability stemmed from a subtle oversight: Chrome’s code failed to properly validate pseudo-handles like -2 (for the current thread), enabling attackers to dupe the system into duplicating handles across sandbox boundaries.
This logical flaw, rooted in outdated Windows optimizations, allowed shellcode execution in the privileged browser process, paving the way for malware persistence.
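The handle-validation oversight described above is easy to see in a few lines. The block below is an added example, not Chromium's or Kaspersky's code: it models a HANDLE the way it looks once serialised into an IPC message (a 64-bit unsigned integer), shows a naive check that rejects only NULL and INVALID_HANDLE_VALUE and therefore lets the -2 pseudo-handle through, and beside it a hardened check that rejects every documented pseudo-handle and any value that cannot be a real handle-table entry. The pseudo-handle constants are the documented Windows values; the function names are my own.

```python
"""Added example (not Chromium's or Kaspersky's code): why a handle received
over an IPC channel must be rejected if it is a Windows pseudo-handle.

Handles are modelled as 64-bit unsigned integers, the way a HANDLE field
looks once serialised into a message. The pseudo-handle constants are the
documented Windows values; the function names are my own."""

POINTER_BITS = 64
MASK = (1 << POINTER_BITS) - 1

# Documented Windows pseudo-handles (what GetCurrentProcess() etc. return),
# stored as the sign-extended unsigned bit patterns they have in a 64-bit HANDLE.
PSEUDO_HANDLES = {
    -1 & MASK: "GetCurrentProcess",
    -2 & MASK: "GetCurrentThread",
    -4 & MASK: "GetCurrentProcessToken",
    -5 & MASK: "GetCurrentThreadToken",
    -6 & MASK: "GetCurrentThreadEffectiveToken",
}
INVALID_HANDLE_VALUE = -1 & MASK   # shares its bit pattern with GetCurrentProcess()


def normalise(handle: int) -> int:
    """Windows treats HANDLEs as 32-bit values sign-extended to 64 bits, so a
    value that arrived as a 32-bit negative number (0xFFFFFFFE) is the same
    pseudo-handle as 0xFFFFFFFFFFFFFFFE. Normalise before comparing."""
    h = handle & MASK
    if h <= 0xFFFFFFFF and h & 0x80000000:
        h |= MASK ^ 0xFFFFFFFF
    return h


def naive_is_valid(handle: int) -> bool:
    """The insufficient check: rejects only NULL and INVALID_HANDLE_VALUE.
    GetCurrentThread() == -2 sails through, which is the class of oversight
    the article describes."""
    h = normalise(handle)
    return h != 0 and h != INVALID_HANDLE_VALUE


def validate_ipc_handle(handle: int) -> str:
    """Return "ok" or the reason the handle must not be duplicated.

    Beyond NULL and the pseudo-handles, a genuine handle-table entry is a
    non-negative multiple of 4 (the low two bits are reserved for application
    tagging), so anything else cannot be a real kernel handle either."""
    h = normalise(handle)
    if h == 0:
        return "NULL handle"
    if h in PSEUDO_HANDLES:
        return f"pseudo-handle {PSEUDO_HANDLES[h]}"
    if h > 0xFFFFFFFF:
        return "negative value, not a handle table index"
    if h & 0x3:
        return "low tag bits set, not a kernel handle"
    return "ok"


def hardened_is_valid(handle: int) -> bool:
    return validate_ipc_handle(handle) == "ok"


if __name__ == "__main__":
    # Constructed sample of handle values as they might appear in a message.
    for value in (0x1A4, -2, 0xFFFFFFFE, -4 & MASK, 0, 0x1A5):
        print(f"{value & MASK:#018x} naive={naive_is_valid(value)} "
              f"hardened={hardened_is_valid(value)} ({validate_ipc_handle(value)})")
```

The point of the `normalise` step is that the same pseudo-handle has two bit patterns depending on whether the sender wrote a 32-bit or a 64-bit field; a validator that compares against only one of them still has a gap.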
Unraveling The Attack Chain
The infection progressed in carefully designed stages, as reconstructed by Kaspersky’s Global Research and Analysis Team (GReAT).
It began with a validator script on the phishing landing page that used WebGPU to confirm a genuine browser visit, thwarting automated scanners.
If validated, an elliptic-curve Diffie-Hellman key exchange decrypted the next payload, hidden in innocuous files like JavaScript bundles and fonts.

Although the remote code execution (RCE) exploit evaded capture, the sandbox escape via CVE-2025-2783 was pivotal: it hooked functions in Chrome’s V8 inspector and ipcz library to relay thread handles, suspending and hijacking the browser process to inject a persistent loader.
This loader employed COM hijacking, overriding Windows registry entries for legitimate components like twinapi.dll to ensure malware execution in processes such as rdpclip.exe.
The payload, obfuscated with OLLVM and encrypted via a modified ChaCha20, decrypted into LeetAgent, a rare spyware using leetspeak commands for tasks like keylogging, file theft (targeting docs, PDFs, and spreadsheets), and process injection.
Configuration arrived over HTTPS from C2 servers on Fastly.net, with extensive traffic obfuscation hinting at commercial origins.
Kaspersky traced LeetAgent’s debut to 2022, linking it to broader ForumTroll campaigns involving malicious attachments like ISO files and LNK shortcuts disguised as partnership invitations.
Deeper analysis revealed that LeetAgent’s loader shared code with Dante, an elusive commercial spyware from the Italian firm Memento Labs, rebranded from the infamous Hacking Team in 2019.

Dante, unveiled at the 2023 ISS World conference, packed VMProtect obfuscation, anti-debugging via event log queries for VM artifacts, and dynamic API resolution to evade hooks.
Its orchestrator managed modules encrypted with AES-256, using machine-bound keys from CPU IDs and product keys, stored in Base64-named folders under %LocalAppData%.
Kaspersky confirmed overlaps in persistence, font-hidden data, and exploit code, attributing ForumTroll’s toolkit to Memento Labs despite the vendor’s “start from scratch” promises.
This discovery highlights the shadowy spyware market’s resilience, where tools like Dante (potentially nodding to Hacking Team’s “Da Vinci” via Dante Alighieri’s infernal journeys) persist in APT hands.
Firefox patched a similar IPC flaw as CVE-2025-2857 shortly after. Experts warn of lingering pseudo-handle risks in other software.
For protection, update Chrome to 134.0.6998.177 or later, enable enhanced safe browsing, and monitor for IOCs like suspicious Base64 folders.
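The Base64-named folders under %LocalAppData% mentioned for Dante, and the advice above to monitor for them, can be turned into a simple hunt. The block below is an added example, not Kaspersky's tooling: it treats a folder name as suspicious when it is well-formed standard Base64 that round-trips through decode/encode and has high character entropy, which separates such names from ordinary vendor folders like `Packages` that happen to be valid Base64. The folder names are a constructed sample; on a live host you would pass `os.listdir(os.environ["LOCALAPPDATA"])` instead, and the entropy threshold is a heuristic of mine to tune.

```python
"""Added example, not from the article or Kaspersky: flag Base64-looking folder
names under %LocalAppData%. Sample names are constructed; on a real host feed in
os.listdir(os.environ["LOCALAPPDATA"]). The entropy threshold is a heuristic."""

import base64
import binascii
import math
import re
from collections import Counter

_B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def looks_like_base64(name: str) -> bool:
    """Well-formed standard Base64: alphabet only, length a multiple of 4,
    valid padding, and the decoded bytes re-encode to exactly the same string."""
    if len(name) % 4 or not _B64_RE.match(name):
        return False
    try:
        raw = base64.b64decode(name, validate=True)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(raw).decode() == name


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded random/machine-bound data scores high,
    English-looking names such as 'Packages' score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_folders(names, min_entropy: float = 3.5) -> list:
    """Folder names that are valid Base64 and high-entropy, in input order."""
    return [n for n in names
            if looks_like_base64(n) and shannon_entropy(n) >= min_entropy]


# Constructed sample directory listing. "Y29uc3RydWN0ZWQ=" is Base64 of the
# word "constructed" and stands in for an encoded machine-bound name.
SAMPLE_FOLDERS = [
    "Microsoft", "Google", "Temp", "Packages", "Programs", "Mozilla",
    "D3DSCache", "NVIDIA Corporation", "Y29uc3RydWN0ZWQ=",
]

if __name__ == "__main__":
    for name in suspicious_folders(SAMPLE_FOLDERS):
        print(f"suspicious Base64-named folder: {name} "
              f"(entropy {shannon_entropy(name):.2f} bits/char)")
```

`Packages` and `Programs` pass the Base64 round-trip test but sit at 2.75 bits per character, well under the 3.5 threshold, so they are not reported; a match should be followed up by checking what the folder contains and which process created it.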
As Mem3nt0 mori evolves, vigilance against phishing remains paramount in this cat-and-mouse game of digital shadows.