Chrome Zero-Day Exploitation Linked to Hacking Team Spyware

Ionut Arghire

10/27/2025
2 min read

The exploitation of the first Chrome zero-day of 2025 is linked to tools used in attacks involving Hacking Team’s new spyware, Kaspersky reports.

The exploited Chrome vulnerability, tracked as CVE-2025-2783 and described as a sandbox escape issue, was caught in the wild in a sophisticated cyberespionage campaign attributed to a state-sponsored APT. Firefox was affected by a similar flaw, tracked as CVE-2025-2857.

Dubbed Operation ForumTroll, the campaign targeted education, finance, government, media, research, and other organizations in Russia and used phishing emails masquerading as forum invitations to deliver personalized, short-lived links taking victims to websites containing the exploit for CVE-2025-2783.

The code was designed to validate the user, bypass Chrome’s sandbox, and execute shellcode, leading to the installation of a malware loader. To achieve persistence, the code placed new entries in the user registry hive to hijack the search order Windows uses when resolving COM objects.
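As an added illustration of the persistence technique just described (this is not code from the article or from Kaspersky's report), the PowerShell audit below enumerates per-user CLSID registrations, reports which ones shadow a machine-wide COM server, and flags DLLs loaded from user-writable paths; the path patterns treated as suspicious are an assumption for this example.

```powershell
# Added example (not from the Kaspersky report): audit the user hive for COM hijacks.
# COM lookups consult HKCU\Software\Classes before HKLM\Software\Classes, so a
# CLSID registered under the user hive shadows the machine-wide one and its DLL
# is loaded whenever that object is instantiated.
$userClsidRoot    = 'HKCU:\Software\Classes\CLSID'
$machineClsidRoot = 'HKLM:\Software\Classes\CLSID'

if (-not (Test-Path $userClsidRoot)) {
    Write-Output 'No per-user CLSID registrations found; nothing to check.'
    return
}

$findings = foreach ($clsidKey in Get-ChildItem $userClsidRoot -ErrorAction SilentlyContinue) {
    $serverKey = Join-Path $clsidKey.PSPath 'InprocServer32'
    if (-not (Test-Path $serverKey)) { continue }

    $userDll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $userDll) { continue }

    # Does the same CLSID also exist machine-wide? If so, the user entry shadows it.
    $machineServerKey = Join-Path $machineClsidRoot "$($clsidKey.PSChildName)\InprocServer32"
    $machineDll = $null
    if (Test-Path $machineServerKey) {
        $machineDll = (Get-ItemProperty -Path $machineServerKey -ErrorAction SilentlyContinue).'(default)'
    }

    # Assumed heuristic: DLLs under user-writable directories are the most suspicious.
    $expanded = [Environment]::ExpandEnvironmentVariables($userDll)
    $userWritable = $expanded -match '\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\'

    [pscustomobject]@{
        CLSID        = $clsidKey.PSChildName
        UserDll      = $userDll
        MachineDll   = $machineDll
        Shadows      = [bool]$machineDll
        UserWritable = $userWritable
    }
}

# Shadowing entries that point into user-writable locations sort to the top.
$findings | Sort-Object -Property Shadows, UserWritable -Descending | Format-Table -AutoSize
```

Run it in the context of each interactive user (the HKCU hive is per user), and compare the reported DLL paths against a known-good baseline rather than treating every hit as malicious, since some legitimate software registers per-user COM servers.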

In Operation ForumTroll, the final payload was LeetAgent, a piece of spyware written in leetspeak that could receive commands over HTTPS, log keystrokes, and steal files, Kaspersky explains in a fresh report.

Based on commands received from its command-and-control (C&C) server – hosted on Fastly.net cloud infrastructure – the spyware could execute commands in the command prompt, execute processes, inject shellcode, and read/write files.

LeetAgent has been used since at least 2022 in attacks targeting organizations in Russia and Belarus, and, in some instances, has been used to deploy a more sophisticated spyware family, developed by the Italian company Memento Labs (formerly Hacking Team – or HackingTeam).

Founded in 2003, Hacking Team is best known for the Remote Control Systems (RCS) spyware, which was popular among governments worldwide. Following the leak of internal data in 2015, Hacking Team was acquired by InTheCyber Group in 2019, and rebranded Memento Labs.

Memento’s new surveillance tool, named Dante, shares multiple similarities with RCS, which was also known as Da Vinci, and shows a focus on evading detection and analysis.

It relies on an orchestrator that loads modules downloaded and stored locally. The orchestrator itself includes anti-analysis capabilities and performs various checks on the infected system. If the spyware does not receive commands from the C&C within a specified period, it deletes itself from the system.

According to Kaspersky, the threat actor behind Operation ForumTroll was not observed using Dante in this campaign, but used it in other attacks that employed the same toolset.

“Notably, we saw several minor similarities between this attack and others involving Dante, such as similar file system paths, the same persistence mechanism, data hidden in font files, and other minor details. Most importantly, we found similar code shared by the exploit, loader, and Dante,” Kaspersky notes.