
A zero-day exploit of a patched security flaw in Google Chrome led to the distribution of spying tools from Italian information technology and services provider Memento Labs, according to new findings from Kaspersky Lab.
The vulnerability in question is CVE-2025-2783 (CVSS score: 8.3), which the company disclosed in March 2025 as being actively exploited as part of a campaign called Operation ForumTroll targeting Russian organizations. This cluster is also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE. It is known to have been active since at least February 2024.
The infection wave involved phishing emails carrying personalized short-lived links inviting recipients to the Primakov Reading Forum. Simply clicking a link in Google Chrome or a Chromium-based browser triggers the CVE-2025-2783 exploit, which allows an attacker to escape the browser's sandbox and deliver tools developed by Memento Labs.
Headquartered in Milan, Memento Labs (also known as mem3nt0) was founded in April 2019 following the merger of InTheCyber Group and HackingTeam (also known as Hacking Team). HackingTeam has a history of selling offensive intrusion and surveillance capabilities to governments, law enforcement agencies, and businesses, including creating spyware designed to monitor the Tor browser.

Most notably, the notorious surveillance software vendor was hacked in July 2015, exposing hundreds of gigabytes of internal data, including tools and exploits. This included an Extensible Firmware Interface (EFI) development kit called VectorEDK, which later became the basis for the UEFI bootkit known as MosaicRegressor. In April 2016, the company fell into further trouble when Italian export authorities revoked its license to sell outside Europe.
In the latest series of attacks documented by a Russian cybersecurity vendor, lures targeted media outlets, universities, research centers, government agencies, financial institutions, and other organizations in Russia, primarily for espionage purposes.
“This was a targeted spear-phishing operation, not a large-scale, indiscriminate campaign,” Boris Larin, chief security researcher at Kaspersky's Global Research and Analysis Team (GReAT), told The Hacker News. “We observed multiple intrusions against Russian and Belarusian organizations and individuals by decoys targeting Russian and Belarusian media outlets, universities, research centers, government agencies, and financial institutions.”
This attack was also found to have paved the way for previously undocumented spyware called LeetAgent, developed by Memento Labs and so named because it uses leetspeak for its commands.
The attack chain begins with a validation phase: a small script executed by the browser checks whether the visitor to the malicious site is a genuine user running a real web browser. It then leverages CVE-2025-2783 to escape the sandbox, achieve remote code execution, and drop the loader responsible for launching LeetAgent.
The malware can connect to a command and control (C2) server via HTTPS and receive instructions that allow it to perform a wide range of tasks.
0xC033A4D (COMMAND) – Executes a command using cmd.exe
0xECEC (EXEC) – Executes a process
0x6E17A585 (GETTASKS) – Gets a list of tasks that the agent is currently running
0x6177 (KILL) – Stops a task
0xF17E09 (FILE \x09) – Writes to a file
0xF17ED0 (FILE\xD0) – Reads a file
0x1213C7 (INJECT) – Injects shellcode
0xC04F (CONF) – Sets communication parameters
0xD1E (DIE) – Exits
0xCD (CD) – Changes the current working directory
0x108 (JOB) – Configures keylogger or file-stealer parameters to collect files matching *.doc, *.xls, *.ppt, *.rtf, *.pdf, *.docx, *.xlsx, and *.pptx
The malware used in the intrusion has been traced back to 2022, and the attacker has also been involved in a wide range of malicious cyber operations targeting organizations and individuals in Russia and Belarus, using phishing emails with malicious attachments as the distribution vector.
“Proficiency in the Russian language and familiarity with local peculiarities are the distinguishing characteristics of the ForumTroll APT group, characteristics that have also been observed in other campaigns,” Larin said. “However, mistakes in several other incidents suggest that the attackers were not native speakers of Russian.”

It is worth noting that Positive Technologies, in a report published in June 2025, also described an identical cluster of activity involving the exploitation of CVE-2025-2783 by a threat actor it tracks as TaxOff to deploy a backdoor called Trinper. Larin told The Hacker News that the two sets of attacks are related.
“In some incidents, the LeetAgent backdoor used in Operation ForumTroll directly launched more sophisticated Dante spyware,” Larin explained.
“Aside from handoffs, we observed tradecraft overlap, including identical COM hijack persistence, similar file system paths, and data hidden in font files. We also found shared code between the exploit/loader and Dante. Taken together, these points point to the same actor/toolset behind both clusters.”
Dante debuted in 2022 as a successor to another spyware called Remote Control System (RCS), with a set of protections to hinder analysis. It obfuscates control flow, hides imported functions, adds anti-debugging checks, and encrypts almost every string in its code. It also queries the Windows event log for events that might indicate the use of malware analysis tools or virtual machines.
If all checks pass, the spyware launches an orchestrator module designed to communicate with the C2 server via HTTPS and load other components from the file system or memory. If no commands are received within the number of days specified in the configuration, the spyware removes itself and erases traces of all activity.
At this time, there is no information regarding the nature of the additional modules launched by the spyware. Although the attackers behind Operation ForumTroll have not been observed using Dante in campaigns that exploit security flaws in Chrome, Larin said there is evidence to suggest Dante is being used more widely in other attacks. But he noted that it was too early to reach any final conclusions about scope or attribution.
