Kaspersky Exposes Chrome Zero-Day RCE (CVE-2025-2783) Delivering Memento Labs Spyware in ForumTroll Campaign

Kaspersky uncovered a sophisticated espionage campaign called Operation ForumTroll that exploited a zero-day vulnerability in Google Chrome to deliver commercial spyware linked to Memento Labs. The campaign used personalized phishing emails targeting Russian organizations and relied on advanced exploits and stealth techniques to infect victims.

Key points

  • The campaign exploited a previously unknown Chrome zero-day (CVE-2025-2783) to bypass sandbox protections.
  • Phishing emails were highly personalized and targeted organizations across Russia, including government and research institutions.
  • Attackers used a multi-stage loader chain and COM hijacking to deploy the spyware payload stealthily.
  • The malware, named LeetAgent, performed remote commands, keylogging, and document exfiltration via encrypted C2 communication.
  • Kaspersky linked the campaign to Memento Labs’ commercial spyware Dante, indicating state-aligned espionage activities.

Read More: https://securityonline.info/kaspersky-exposes-chrome-zero-day-rce-cve-2025-2783-delivering-memento-labs-spyware-in-forumtroll-campaign/