Chrome Zero-Day Exploited to Deploy LeetAgent Spyware Targeting Russian Organizations

Google Chrome users faced a significant security threat as hackers exploited a zero-day vulnerability to deploy sophisticated spyware developed by Italian firm Memento Labs. The campaign, dubbed "Operation ForumTroll," primarily targeted Russian organizations with phishing emails containing personalized links to a fake forum.

Security researchers at Kaspersky uncovered the operation, which leveraged CVE-2025-2783, a high-severity (CVSS 8.3) sandbox-escape vulnerability in Chrome on Windows. The bug is a logic error in the Mojo IPC layer at the boundary between Chrome's sandbox and the operating system, in which an incorrect handle is provided to the sandboxed process, rather than a memory-corruption flaw; it let the attackers break out of Chrome's security restrictions and install LeetAgent, a previously undocumented espionage tool created by Memento Labs, the company formed from the controversial HackingTeam's merger with InTheCyber Group. Google fixed the flaw in Chrome 134.0.6998.177/.178 in late March 2025.

The Attack Chain and Targeted Victims

The attackers employed a sophisticated multi-stage approach targeting specific high-value organizations across Russia and Belarus. Rather than casting a wide net, Operation ForumTroll sent carefully crafted phishing emails to media outlets, universities, research centers, government organizations, and financial institutions.

"This was a targeted spear-phishing operation, not a broad, indiscriminate campaign," explained Boris Larin, principal security researcher at Kaspersky's Global Research and Analysis Team.

The attack began with a validator script that profiled each visitor to the malicious site to confirm it was a genuine, exploitable browser and not a crawler or analysis environment. Only then did the page serve the exploit chain: code execution inside the renderer, followed by the CVE-2025-2783 sandbox escape, which gave the attackers code execution on the host and let them run the LeetAgent loader. Kaspersky recovered the sandbox-escape exploit but not the accompanying remote-code-execution stage.

LeetAgent communicated with command-and-control servers over HTTPS, receiving instructions to perform various malicious activities:

  • Execute commands using cmd.exe
  • Run processes
  • Inject shellcode
  • Set communication parameters
  • Change directories
  • Deploy keyloggers
  • Steal files with specific extensions (.doc, .xls, .ppt, .rtf, .pdf, .docx, .xlsx, .pptx)

The attackers demonstrated familiarity with Russian language and cultural nuances, though analysts noted some linguistic errors suggesting they weren't native speakers. This characteristic helped researchers connect Operation ForumTroll to other campaigns.

The case shows how a commercially developed implant, delivered through a browser zero-day, ends up being used for targeted espionage against civilian organizations, and why defenses cannot rest on patching alone.

Memento Labs' Surveillance Technology History

Memento Labs' involvement highlights the continuing controversy around commercial spyware vendors selling surveillance tools to government agencies and law enforcement. Formed in 2019, Memento Labs emerged from the merger of InTheCyber Group and HackingTeam, the latter notorious for its surveillance software.

HackingTeam previously suffered a major breach in 2015 when hackers stole and leaked roughly 400 GB of internal data, including exploits and tools such as VectorEDK, which later became the foundation for the UEFI bootkit MosaicRegressor.

Further controversy followed in 2016 when Italian export authorities revoked HackingTeam's license to sell outside Europe due to concerns about potential misuse of their surveillance technology.

In response to Kaspersky's findings, Memento Labs CEO Paolo Lezzi confirmed to TechCrunch that the spyware does belong to his company, blaming "one of the company's government customers for exposing an outdated version of the Windows version of Dante." Lezzi stated that Memento now only develops tools for mobile platforms and had previously asked customers to stop using the Windows malware.

The Dante Connection

Researchers established connections between LeetAgent and a more sophisticated spyware called Dante (also known as Trinper), which emerged in 2022 as a replacement for Remote Control System (RCS), the HackingTeam product that Memento Labs inherited.

"In several incidents, the LeetAgent backdoor used in Operation ForumTroll directly launched the more sophisticated Dante spyware," Larin explained. "We observed overlaps in tradecraft: identical COM-hijacking persistence, similar file-system paths, and data hidden in font files. We also found shared code between the exploit/loader and Dante."
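
To make the COM-hijacking tradecraft concrete, here is an added example (it is not Kaspersky's or Memento Labs' code, and it is not tied to the specific CLSIDs used in this campaign, which the page does not name) that hunts for COM hijacking in `reg export` output. Per-user registrations under HKCU\Software\Classes\CLSID take precedence over the machine-wide ones in HKLM for non-elevated processes, so an implant that adds its own InprocServer32 entry for a CLSID that a trusted process will later instantiate gets loaded without touching HKLM or creating a scheduled task. The script flags per-user servers that shadow an HKLM entry or that point at a DLL in a user-writable directory. The hive dumps, CLSIDs and paths are constructed for the demo.

```python
"""Hunt for COM hijacking in exported registry hives (added example).

Parses the text produced by `reg export HKCU\Software\Classes\CLSID` and
`reg export HKLM\SOFTWARE\Classes\CLSID`, then flags per-user InprocServer32
entries that shadow a machine-wide CLSID or live outside Windows/Program Files.
"""
import re
from typing import Dict, List

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE)

# Crude expansion of the variables that commonly appear in REG_EXPAND_SZ server paths.
ENV = {
    "%systemroot%": "c:\\windows",
    "%windir%": "c:\\windows",
    "%programfiles%": "c:\\program files",
    "%programfiles(x86)%": "c:\\program files (x86)",
}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _unescape(value: str) -> str:
    """Undo .reg string escaping: doubled backslashes and escaped quotes."""
    return value.replace('\\\\', '\\').replace('\\"', '"')


def parse_inproc_servers(reg_text: str) -> Dict[str, str]:
    """Map CLSID -> server DLL path for every ...\\CLSID\\{guid}\\InprocServer32 key."""
    servers: Dict[str, str] = {}
    lines = reg_text.splitlines()
    clsid = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        key = KEY_RE.match(line)
        if key:
            m = CLSID_RE.search(key.group(1))
            clsid = m.group(1).upper() if m else None
        elif clsid and line.startswith("@="):          # the key's default value
            value = line[2:]
            if value.lower().startswith("hex(2):"):
                # REG_EXPAND_SZ: UTF-16LE bytes as comma-separated hex, wrapped onto
                # continuation lines that end with a backslash.
                buf = value[len("hex(2):"):]
                while buf.endswith("\\"):
                    i += 1
                    buf = buf[:-1] + lines[i].strip()
                raw = bytes(int(b, 16) for b in buf.split(",") if b)
                servers[clsid] = raw.decode("utf-16-le").rstrip("\x00")
            elif value.startswith('"') and value.endswith('"'):
                servers[clsid] = _unescape(value[1:-1])
        i += 1
    return servers


def normalize(path: str) -> str:
    """Lower-case the path and expand the few environment variables we know."""
    low = path.lower().strip('"')
    for var, val in ENV.items():
        low = low.replace(var, val)
    return low


def is_trusted_path(path: str) -> bool:
    return normalize(path).startswith(TRUSTED_PREFIXES)


def find_com_hijacks(hkcu_text: str, hklm_text: str) -> List[dict]:
    """Return per-user COM servers that look like hijacks, with the reasons."""
    user = parse_inproc_servers(hkcu_text)
    machine = parse_inproc_servers(hklm_text)
    findings = []
    for clsid, path in user.items():
        reasons = []
        if clsid in machine and normalize(machine[clsid]) != normalize(path):
            reasons.append(f"shadows HKLM server {machine[clsid]}")
        if not is_trusted_path(path):
            reasons.append("server DLL outside Windows/Program Files")
        if reasons:
            findings.append({"clsid": clsid, "path": path, "reasons": reasons})
    return findings


# Constructed sample exports: the CLSIDs and paths are made up for this demo.
HKCU_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,6c,00,65,00,\
  73,00,25,00,5c,00,56,00,65,00,6e,00,64,00,6f,00,72,00,5c,00,76,00,65,00,6e,00,\
  64,00,6f,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CCCCCCCC-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"""

HKLM_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shellhelper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCCCCCCC-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"""

if __name__ == "__main__":
    for hit in find_com_hijacks(HKCU_EXPORT, HKLM_EXPORT):
        print(hit["clsid"], hit["path"], "; ".join(hit["reasons"]))
```

On the sample data only the first CLSID is reported: its per-user server sits in %TEMP% and shadows a machine-wide server under System32, while the REG_EXPAND_SZ entry expands to Program Files and the third entry matches HKLM exactly. Real `reg export` output is UTF-16LE with a BOM, so open it with `encoding="utf-16"`. Legitimate per-user installers (Chrome's own per-user install lives under %LOCALAPPDATA%, for instance) also register servers outside Program Files, so treat that reason as a triage lead and the shadowing of an existing HKLM CLSID as the stronger signal.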

Dante employs numerous anti-analysis protections:

  • Control flow obfuscation
  • Hidden imported functions
  • Anti-debugging checks
  • Encrypted strings
  • Windows Event Log monitoring for malware analysis tools or virtual machines

The spyware's orchestrator module communicates with command servers via HTTPS, loads additional components, and includes self-destruction capabilities if inactive for a specified period.

Defenders should expect tooling of this class to detect analysis VMs and sandboxes and to resist static analysis, so detection has to lean on behavior on the endpoint rather than on detonating samples.

Implications for Cybersecurity

This discovery highlights several critical cybersecurity concerns:

  1. The continued exploitation of zero-day vulnerabilities in popular browsers remains a significant threat vector for targeted attacks.

  2. Commercial spyware technologies developed for law enforcement are being repurposed for malicious espionage campaigns against civilian organizations.

  3. The sophistication of modern spyware tools demonstrates how attackers continue to evolve their capabilities to evade detection and analysis.

Organizations can protect themselves by:

  • Ensuring browsers are updated with the latest security patches (CVE-2025-2783 was fixed in Chrome 134.0.6998.177/.178; other Chromium-based browsers ship the same Mojo code and needed their own updates)
  • Implementing advanced email filtering to detect phishing attempts
  • Training employees to recognize suspicious links, including personalized invitations that arrive by email
  • Deploying endpoint protection capable of detecting behavioral indicators of compromise, such as a browser process spawning cmd.exe or an unexpected per-user COM server registration

The case also raises important questions about regulation and oversight of commercial spyware vendors, as tools ostensibly developed for legitimate law enforcement purposes continue appearing in malicious campaigns targeting civilian organizations.

This incident serves as another reminder of the growing "surveillance economy" where powerful digital espionage tools can easily fall into the wrong hands, turning technologies meant to protect into weapons for targeted attacks.

Proactive Defense Strategies

Zero-day exploits like the one used in Operation ForumTroll cannot be patched in advance, so defenses have to limit what a successful exploit can reach. Network segmentation, least privilege for user accounts, and threat detection that looks at process behavior rather than signatures all reduce the blast radius of a compromised endpoint.

Browser isolation adds another layer by executing web content in a remote or containerized browser, so that even a successful exploit lands in a disposable environment rather than on the user's workstation. Threat intelligence sharing between organizations and security vendors can also surface campaigns like this one before they spread.

For Chrome specifically, keep Site Isolation (enabled by default in desktop Chrome) turned on, and use enterprise policies to restrict extensions and to enforce prompt updates. Be clear about what each control does and does not cover: Site Isolation and the renderer sandbox contain a compromised renderer, but a sandbox escape such as CVE-2025-2783 is exactly the bug class that defeats them, so the real fix is the patched build. A site's Content Security Policy offers nothing here either, since the attacker controls the phishing site and its headers.
