New research from Kaspersky has uncovered a cyber espionage campaign that exploited a since-patched zero-day vulnerability in Google Chrome to deliver sophisticated hacking tools created by the Italian firm Memento Labs. The flaw, tracked as CVE-2025-2783 (CVSS score: 8.3), was a sandbox escape that Google patched in March 2025, noting at the time that it was being actively exploited in a series of attacks dubbed Operation ForumTroll.
This campaign, which has been active since at least February 2024 and is also tracked under names like TaxOff/Team 46 and Prosperous Werewolf, specifically targeted organizations within Russia. The infection chain began with personalized spear-phishing emails containing short-lived links to a fake “Primakov Readings forum.” Simply clicking these links in Chrome or any Chromium-based browser would trigger the exploit, allowing attackers to break out of the browser’s security sandbox and deploy Memento Labs’ espionage tools.
Memento Labs, headquartered in Milan, was established in 2019 through the merger of InTheCyber Group and the infamous HackingTeam. HackingTeam had a long history of selling offensive surveillance and intrusion software to governments and law enforcement agencies globally. The company suffered a major setback in 2015 when a massive hack leaked hundreds of gigabytes of internal data, including its exploits and tools. Code from that leak later served as the basis of the MosaicRegressor UEFI bootkit.
In April 2016, Italian authorities also revoked HackingTeam's license to sell its technology outside of Europe. The most recent wave of attacks documented by Kaspersky targeted a wide range of Russian entities, including media outlets, universities, research centers, government organizations, and financial institutions, consistent with an operation whose primary goal was espionage. According to Boris Larin, a principal security researcher at Kaspersky GReAT, this was a highly targeted spear-phishing operation, not a random, broad attack. The lures were meticulously crafted and aimed at specific individuals and organizations in both Russia and Belarus.
Notably, these intrusions have been found to deploy a previously undocumented piece of spyware developed by Memento Labs, which Kaspersky named LeetAgent, due to its use of leetspeak in its command structure. The infection process begins with a validator script to confirm the target is a genuine user before leveraging the Chrome vulnerability to execute the sandbox escape.
This allows the attackers to achieve remote code execution and drop a loader responsible for launching LeetAgent, which connects to a command-and-control (C2) server over HTTPS. Once active, LeetAgent can receive and execute a wide range of instructions, allowing it to perform various espionage-related tasks. These commands include running system commands via cmd.exe, executing new processes, reading and writing files, injecting shellcode, changing communication parameters, and setting up jobs for a keylogger or a file stealer. The file stealer is specifically configured to harvest documents with the extensions .doc, .xls, .ppt, .pdf, .docx, .xlsx, and .pptx. This malware has been traced back to 2022, and the threat actor behind it is also associated with broader malicious activity in the region that uses phishing emails carrying malicious attachments.
Larin noted that the attackers show proficiency in Russian and familiarity with local peculiarities, though some mistakes in earlier campaigns suggest they may not be native Russian speakers. Further analysis confirmed a connection between the ForumTroll attacks and another cluster disclosed by Positive Technologies in June 2025, which used the same Chrome exploit to deploy a backdoor called Trinper. Larin explained that in several incidents, the LeetAgent backdoor used in Operation ForumTroll directly launched the more sophisticated Dante spyware.
Dante, a replacement for the older Remote Control Systems (RCS), is packed with anti-analysis features, including control flow obfuscation, string encryption, and anti-debugging checks. The overlaps in tradecraft—such as identical COM-hijacking persistence, similar file paths, data hidden in font files, and shared code between the exploit and Dante—all strongly indicate the same actor and toolset are behind both the ForumTroll and Dante clusters of attacks.
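The COM-hijacking persistence mentioned above is one of the few traits in the report that a defender can hunt for generically without indicators. COM looks up classes under HKCU\Software\Classes before HKLM\Software\Classes, so an attacker who writes an InprocServer32 entry for an existing CLSID into the per-user hive gets their DLL loaded in place of the legitimate one. The script below is an added example written for this article, not code from Kaspersky's report or from Memento Labs' tooling, and it contains no CLSIDs or paths from the campaign. It enumerates every per-user CLSID that registers an in-process server, compares it with the machine-wide registration, and flags the shapes that typically indicate a hijack. The list of user-writable directories and the function names are the author's assumptions; run it in the context of the user profile you want to examine.

```powershell
# Added example (not from Kaspersky's report or Memento Labs' tooling): hunt for
# COM-hijacking persistence by listing per-user CLSID InprocServer32 registrations
# and comparing them with the machine-wide registration for the same CLSID.
# COM consults HKCU\Software\Classes before HKLM\Software\Classes, so a user-level
# entry whose DLL sits in a user-writable path is the classic hijack shape.
# Assumption: the "user-writable roots" below are illustrative, not indicators
# taken from the report.

$userWritableRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, "$env:USERPROFILE\Downloads"
) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-InprocServerPath {
    param([string]$ClsidKeyPath)   # e.g. Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\{...}
    $inproc = "$ClsidKeyPath\InprocServer32"
    if (-not (Test-Path -LiteralPath $inproc)) { return $null }
    # The default value of InprocServer32 holds the DLL path; expand %VARS% if present.
    $raw = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

function Find-ComHijackCandidates {
    $userClsidRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path -LiteralPath $userClsidRoot)) { return @() }

    Get-ChildItem -LiteralPath $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid   = $_.PSChildName
        $userDll = Get-InprocServerPath -ClsidKeyPath "Registry::$($_.Name)"
        if (-not $userDll) { return }   # per-user key without an in-proc server: not a hijack shape

        $machineDll   = Get-InprocServerPath -ClsidKeyPath "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid"
        $userDllLower = $userDll.ToLowerInvariant()

        $reasons = @()
        if ($machineDll -and ($machineDll.ToLowerInvariant() -ne $userDllLower)) {
            $reasons += 'shadows a machine-wide CLSID with a different DLL'
        }
        if ($userWritableRoots | Where-Object { $userDllLower.StartsWith($_) }) {
            $reasons += 'DLL lives under a user-writable directory'
        }
        $dllExists = Test-Path -LiteralPath $userDll
        if (-not $dllExists) {
            $reasons += 'DLL path does not exist (stale or staged entry)'
        }
        if (-not $reasons) { return }

        [pscustomobject]@{
            CLSID      = $clsid
            UserDll    = $userDll
            MachineDll = $machineDll
            Signature  = if ($dllExists) { (Get-AuthenticodeSignature -FilePath $userDll).Status } else { 'n/a' }
            Reasons    = ($reasons -join '; ')
        }
    }
}

Find-ComHijackCandidates | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list rather than an alert: some legitimate per-user installers (Office click-to-run, Teams, browsers installed per user) also register CLSIDs under HKCU, so the combination of a shadowed machine-wide CLSID, an unsigned DLL and a user-writable path is what deserves attention, not any single flag.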