Monday, December 1

Chrome 0-Day Vulnerability Actively Exploited in Attacks by Notorious Hacker Group


A zero-day vulnerability, identified as CVE-2025-2783, has been exploited by the Mem3nt0 mori hacker group, impacting high-profile targets in Russia and Belarus. The vulnerability allowed attackers to bypass Google’s Chrome sandbox protections, leading to spyware deployment.

Initially discovered by Kaspersky researchers in March 2025, the vulnerability was promptly patched by Google. However, it had already facilitated infections through phishing campaigns disguised as invitations to the Primakov Readings forum.

Technical Details

The vulnerability involved improper handle validation in Chrome’s Mojo IPC, leading to a sandbox escape on Windows systems. The flaw, rated with a CVSS score of 9.8 (High), affected Chrome versions prior to 134.0.6998.177. The patch versions are 134.0.6998.177/.178. The impact included arbitrary code execution and espionage via spyware deployment.

The attack, named ForumTroll by Kaspersky, targeted media outlets, universities, government agencies, and financial institutions. Victims received phishing emails in Russian, directing them to malicious sites that executed the exploit without further user interaction.

Vulnerability Analysis

The attack exploited Chrome’s Mojo inter-process communication system, a critical component for data handling between browser processes on Windows. The vulnerability stemmed from Chrome’s failure to properly validate pseudo-handles, allowing attackers to duplicate handles across sandbox boundaries.
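The paragraph above turns on one detail: a pseudo-handle is a sentinel value that only means something inside the process that received it, so a privileged broker that duplicates such a value on a sandboxed peer's behalf resolves it against its own process. The following Python model is an added example written for this article; it is not Chrome, Mojo or ipcz code. The sentinel values are the ones defined in the Windows SDK, while the broker class, its handle table and the object names are constructed for illustration.

```python
"""Model of a broker-side check for handle values received over IPC.

Added example, not Chrome/Mojo/ipcz code. Windows pseudo-handles are
sentinel values that are only meaningful inside the calling process; if a
privileged broker duplicates one "on behalf of" a sandboxed peer, the peer
ends up with a handle to the broker's own object. A broker should therefore
refuse such values before ever calling DuplicateHandle.
"""
from typing import Optional

# Pseudo-handle sentinels defined in the Windows SDK (processthreadsapi.h).
PSEUDO_HANDLES = {
    -1: "GetCurrentProcess",
    -2: "GetCurrentThread",
    -4: "GetCurrentProcessToken",
    -5: "GetCurrentThreadToken",
    -6: "GetCurrentThreadEffectiveToken",
}


def to_signed(raw: int, bits: int = 64) -> int:
    """Interpret a raw handle value as a signed pointer-sized integer."""
    raw &= (1 << bits) - 1
    return raw - (1 << bits) if raw >> (bits - 1) else raw


def reject_reason(raw: int, bits: int = 64) -> Optional[str]:
    """Why an IPC-supplied handle value must not be duplicated, or None if it
    looks like an ordinary kernel handle."""
    value = to_signed(raw, bits)
    if value == 0:
        return "null handle"
    if value in PSEUDO_HANDLES:
        return f"pseudo-handle {PSEUDO_HANDLES[value]}() is only valid in the sender's own context"
    if value < 0:
        return "negative handle value is not a kernel handle"
    if value & 0x3:
        # The low two bits of a kernel handle are always zero (reserved for tag bits).
        return "kernel handles are multiples of 4"
    return None


class BrokerModel:
    """Toy broker (constructed): owns a handle table and duplicates entries
    for a sandboxed peer."""

    def __init__(self) -> None:
        # Constructed handle table; values are ordinary, 4-aligned handles.
        self.table = {0x1C8: "peer-owned file object", 0x2F0: "broker log file"}

    def duplicate_for_peer(self, raw: int, strict: bool = True) -> str:
        """Return the object the peer would end up holding.

        strict=True is the hardened path (validate first).  strict=False
        models a broker that skips the check, to show what it would hand out.
        """
        if strict:
            reason = reject_reason(raw)
            if reason:
                raise PermissionError(reason)
        value = to_signed(raw)
        if value in PSEUDO_HANDLES:
            # DuplicateHandle resolves a pseudo-handle relative to the *calling*
            # process, which here is the broker itself.
            return f"broker's own {PSEUDO_HANDLES[value]} object"
        # Unknown handle values fail, as the kernel call would.
        return self.table[value]


if __name__ == "__main__":
    broker = BrokerModel()
    print(broker.duplicate_for_peer(0x1C8))
    print(broker.duplicate_for_peer(0xFFFFFFFFFFFFFFFF, strict=False))
    try:
        broker.duplicate_for_peer(0xFFFFFFFFFFFFFFFF)
    except PermissionError as err:
        print("rejected:", err)
```

The check is deliberately run before the duplication, not after: once the broker has called DuplicateHandle, the peer already owns the result. The same ordering applies to any broker that accepts handle values from a less privileged process.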

Unraveling The Attack Chain

The infection chain progressed through several stages. It began with a phishing email that led to a page whose validator script used WebGPU to confirm a genuine browser visit, thwarting automated scanners. If the check passed, an elliptic-curve Diffie-Hellman key exchange was used to decrypt the payload, which was hidden in JavaScript bundles and fonts.

Although the remote code execution exploit evaded capture, the sandbox escape via CVE-2025-2783 was pivotal. It manipulated Chrome’s V8 inspector and ipcz library functions, suspending and hijacking the browser process to inject a persistent loader.

The loader used COM hijacking, modifying Windows registry entries for legitimate components to ensure malware execution. The payload, obfuscated with OLLVM and encrypted with a modified ChaCha20, decrypted into LeetAgent, a spyware capable of keylogging, file theft, and process injection.
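A per-user COM hijack works because `HKCU\Software\Classes` is merged over `HKLM\Software\Classes` in the `HKCR` view, so a `CLSID\{...}\InprocServer32` entry written by a standard user silently replaces the machine-wide server. The script below is an added example for this article, not Kaspersky's or anyone's published detection: it parses a constructed `.reg` export and flags HKCU registrations that shadow an HKLM server with a different DLL, or that point into a user-writable directory. The CLSIDs, paths and the `SAMPLE_REG_EXPORT` text are all made up for the demonstration.

```python
"""Flag per-user COM server registrations that look like COM hijacks.

Added example (not from the article or from Kaspersky). It reads a .reg
export, collects InprocServer32 default values under
HKCU/HKLM\Software\Classes\CLSID, and applies two defender checks.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Directories a standard user can write to.  A COM server loaded from one of
# these into a long-lived or privileged host deserves a look.
USER_WRITABLE_RE = re.compile(
    r"^(?:[A-Za-z]:\\Users\\[^\\]+\\|[A-Za-z]:\\ProgramData\\|"
    r"[A-Za-z]:\\Windows\\Temp\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%\\)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    clsid: str
    severity: str  # "high" or "review"
    reason: str
    user_path: str
    machine_path: Optional[str]


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Return {(hive, CLSID): dll_path} for every InprocServer32 key in a .reg export."""
    servers: Dict[Tuple[str, str], str] = {}
    current: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive = "HKCU" if m.group(1).upper() == "HKEY_CURRENT_USER" else "HKLM"
            current = (hive, m.group(2).upper())
            continue
        if line.startswith("["):  # some unrelated key: stop collecting
            current = None
            continue
        v = DEFAULT_VALUE_RE.match(line)
        if current and v:
            # .reg files escape quotes as \" and backslashes as \\
            servers[current] = v.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return servers


def find_com_hijacks(servers: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Apply the two checks to every HKCU registration."""
    findings: List[Finding] = []
    for (hive, clsid), user_path in sorted(servers.items()):
        if hive != "HKCU":
            continue
        machine_path = servers.get(("HKLM", clsid))
        if machine_path is not None and user_path.lower() != machine_path.lower():
            # HKCU\Software\Classes wins in the merged HKCR view, so this entry
            # replaces the machine-wide server for this user.
            findings.append(Finding(clsid, "high",
                                    "HKCU entry shadows HKLM server with a different DLL",
                                    user_path, machine_path))
        elif USER_WRITABLE_RE.match(user_path):
            findings.append(Finding(clsid, "review",
                                    "per-user COM server loaded from a user-writable path",
                                    user_path, machine_path))
    return findings


# Constructed .reg export: one clean machine entry, one hijack, one
# user-only server in AppData, and one benign per-user duplicate.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Windows\\System32\\other.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Vendor\\plugin.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{44444444-4444-4444-4444-444444444444}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{44444444-4444-4444-4444-444444444444}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"
"""

if __name__ == "__main__":
    for f in find_com_hijacks(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f.severity}] {f.clsid}: {f.reason}\n    user: {f.user_path}\n    machine: {f.machine_path}")
```

On a live host the same functions can be fed the output of `reg export HKCU\Software\Classes\CLSID` and `reg export HKLM\Software\Classes\CLSID` (saved as UTF-8). The "review" tier exists because legitimate per-user installs also register servers under AppData, so that class of hit needs the DLL's publisher and signature checked rather than being treated as an alert on its own.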

LeetAgent’s configuration was delivered over HTTPS from C2 servers, with traffic obfuscation suggesting commercial origins. Kaspersky traced LeetAgent’s debut to 2022, linking it to wider ForumTroll campaigns.

Security Recommendations

Users are advised to update Chrome to version 134.0.6998.177 or later, enable enhanced safe browsing, and monitor for indicators of compromise, such as suspicious Base64 folders. Vigilance against phishing remains crucial.
