A recent analysis by Kaspersky Lab revealed that a zero-day exploit (CVE-2025-2783) in Google Chrome was used in a targeted attack involving spying tools from the Italian firm Memento Labs. This vulnerability, with a CVSS score of 8.3, has been part of ongoing cyber operations, called Operation ForumTroll, that have targeted Russian organizations since early 2024.
The attacks typically involved phishing emails inviting recipients to the Primakov Reading Forum; clicking the links would exploit the vulnerability to distribute malware, including an undocumented spyware called LeetAgent. This spyware communicates with a command-and-control server to execute various malicious commands, such as file reading, task management, and the configuration of keyloggers.
Memento Labs, formed from a merger of InTheCyber Group and HackingTeam, has a history of creating surveillance software, with past incidents of exposure due to hacking activities. Kaspersky’s research indicates that the attackers displayed proficiency in Russian and shared characteristics with other threat groups, suggesting a common origin for these cyber operations.
Further investigation found that the exploit’s deployment was linked to another threat actor, TaxOff, which used the vulnerability to introduce a backdoor called Trinper. There are overlapping methods between the attacks, indicating they may stem from the same group. Notably, another spyware variant named Dante, which emerged in 2022, has also been noted for its sophisticated protective measures against analysis.