A newly‐revealed zero-day vulnerability in Google Chrome (CVE-2025-2783) has been actively exploited to deliver sophisticated spyware developed by Memento Labs (formerly the controversial Hacking Team), according to reports by multiple cybersecurity firms. The campaign, dubbed Operation ForumTroll, targeted high-profile organisations in Russia and Belarus via personalised spear-phishing emails offering fake invites (e.g., to the “Primakov Readings” forum). Without any user download, merely visiting a link in Chrome triggered the exploit, bypassing the browser’s sandbox and enabling installation of a loader which deployed the spyware tool called LeetAgent — capable of file-stealing, keylogging, shell-injection and launching a more advanced commercial implant known as Dante. The connection to Memento Labs also suggests a resurgence of the old Hacking Team ecosystem operating in the shadows of commercial spyware supply chains.
Sources: Hacker News, Kaspersky
Key Takeaways
– The exploit CVE-2025-2783 allowed remote sandbox escape in Chrome on Windows prior to version 134.0.6998.177, enabling attackers to execute code in the browser process.
– The delivery mechanism relied on highly-targeted phishing emails carrying short-lived links; victims simply clicked and got compromised, no attachment required.
– The spyware burden includes LeetAgent (modular backdoor) and Dante (commercial-grade implant by Memento Labs), signaling a blending of state-level espionage and commercial spyware supply.
In-Depth
The year 2025 has once again demonstrated that web browsers, long assumed to be fairly hardened endpoints, remain high-value attack surfaces for adversaries willing to exploit zero-day vulnerabilities. The recent revelation of CVE-2025-2783 underscores this reality in dramatic fashion: this zero-day affects Google Chrome on Windows, specifically a sandbox escape via its Mojo IPC system, where an “incorrect handle” in a certain context allowed a malicious actor to break out of the browser’s heavily-restricted sandbox environment (per the NVD summary). That alone would be noteworthy; but what makes this incident critical is how the exploit has been weaponised in a targeted campaign featuring espionage-class tooling and a resurrected spyware vendor.
According to analysed intelligence from the cybersecurity community, the campaign labelled Operation ForumTroll targeted Russian and Belarusian media outlets, government institutions, universities, financial organisations and research centres. Attackers posed as organisers of a forum (the “Primakov Readings”), sending personalised spear-phishing emails with short-lived malicious URLs. When clicked in Chrome (or a Chromium-based browser), the exploit triggered automatically—no file download, no user consent beyond click-through. From there, a loader was executed which dropped the modular spyware called LeetAgent, developed in leetspeak style (hence its name). LeetAgent supports commands to execute shell processes, inject code, write/read arbitrary files (.doc, .xls, .ppt, etc.), kill tasks, and more – essentially giving full remote-control capability over the infected device.
What raises the stakes further is the discovered link between LeetAgent and a more advanced commercial spyware implant called Dante, produced by Memento Labs, the rebranded successor to Hacking Team. Researchers found shared code, shared persistence mechanisms (such as COM hijacking, file paths, font-file hiding), and overlapping exploit/loader modules, suggesting the same underlying toolkit was used for multiple campaigns. The ability of Dante to evade detection — via VMProtect, encrypted modules loaded memory‐only, self-destruct features, sandbox/VM checks — indicates that adversaries are increasingly leveraging commercialised spyware rather than purely bespoke nation-state malware.
From a conservative standpoint, this development underscores two critical priorities: first, the need for robust patch discipline at organisational endpoints (and awareness that even clicking a link can lead to compromise); and second, the broader risk posed by the commercial spyware market, which enables multiple actors (state and non-state) to obtain advanced intrusion tools that were once the exclusive preserve of intelligence services. That combination makes browser zero-days especially dangerous: the attack surface is large, updates may lag, and sandbox escapes leave limited mitigation options once triggered.
Organisations should immediately ensure Chrome is updated beyond version 134.0.6998.177 (or its stable-channel successors), that endpoint detection tools are configured to monitor unusual browser-process behaviour (especially handle duplication, COM registration changes, font‐file anomalies, new HTTPS C2 channels), and that phishing defences are strengthened—not just for generic blasts but for high-craft personalised campaigns. In addition, corporate security teams should inspect for indicators of compromise related to LeetAgent or Dante (many have been published by Kaspersky) and treat any detection as a potential espionage incident rather than mere malware infection.
In the broader policy context, the commercial spyware supply chain merits scrutiny: when firms like Memento Labs (a reincarnation of Hacking Team) can distribute tools that end up in espionage campaigns targeting governments and research institutions, it raises questions about regulation, export controls, and vendor accountability. Conservative security policy would advocate for stricter regulation of spyware vendors, transparent chains of custody, and the imposition of liability when tools are misapplied.
In sum, the exploitation of the Chrome zero-day CVE-2025-2783 to deliver espionage-capable spyware is a wake-up call: no organisation is immune solely because it uses a mainstream browser; and the proliferation of commercial spyware means that sophisticated attacks are more accessible than ever. Vigilance, patching, filtering, user-education and threat-hunting remain indispensable. With threat actors becoming ever more agile and modular in their toolsets, the defence posture must keep pace—lest clicks turn into full system compromise.