Threat at a Glance
- Vulnerability: CVE-2025-2783 – Google Chrome Sandbox Escape
- Campaign: Operation ForumTroll
- Threat Actor: APT linked to Dante/LeetAgent spyware family
- Attack Vector: One-click link → sandbox escape → spyware install
- Impact: Full endpoint compromise via browser
- Fix: Update Chrome (October 2025 security patch)
What Happened?
| Date / Phase | Event Summary |
|---|---|
| Mar 2025 | Kaspersky detects targeted spear-phishing emails leading to Primakov Readings forum links. |
| Exploit Chain | CVE-2025-2783 used to escape the Chrome sandbox → execute LeetAgent spyware. |
| Payload Observed | Variant of the Dante spyware family: multi-stage loader + data exfiltration. |
| Oct 2025 | Public disclosure; patch issued by Google; exploits circulate on underground forums. |
In March 2025 Kaspersky’s team detected a surge of targeted infections they named Operation ForumTroll. The campaign relied on straightforward spear-phishing: personalized emails containing very short-lived links that invited recipients to the Primakov Readings forum. When a victim opened one of those links in Google Chrome (or another Chromium-based browser), no additional clicks or downloads were necessary.

The vulnerability exploited in these attacks was confirmed as CVE-2025-2783, a Chrome sandbox escape that allowed the attacker to break out of the browser’s renderer process and run code with greater privileges on the endpoint. The payload was identified as a variant of advanced spyware, referred to by researchers as LeetAgent or connected to the Dante spyware family.
Attribution and Capabilities
- The group’s tradecraft included personalized phishing domains, short-lived URLs, and a multi-stage payload delivery mechanism designed to minimize detection.
- Memento Labs’ telemetry analysis linked ForumTroll’s payloads to the Dante/LeetAgent spyware through shared code traits, suggesting a well-resourced threat actor with strong development capabilities.
- The operation has been attributed to a sophisticated APT-style actor tracked as ForumTroll by Kaspersky.
Why This Matters
- Browser sandbox escape: The sandbox in Chrome is a foundational security barrier. Its bypass significantly raises risk for endpoint compromise.
- Low user-interaction needed: Unlike traditional attacks requiring downloads or attachments, this chain works via clicking a link—making it harder to detect and defend against.
- High-value organisations are targeted: Media, education and government sectors are traditionally harder to defend and more attractive to espionage actors.
- Pervasive browser usage: Chrome has billions of users worldwide, so any widespread exploit poses serious global risk.
| Factor | Risk Implication |
|---|---|
| Browser sandbox escape | Full system compromise possible via browser |
| Minimal user interaction | High success rate / low detectability |
| High-value targets | Media, Education, Govt — espionage value |
| Global Chrome usage | Billions of potential endpoints exposed |
Why it’s particularly dangerous
The Operation ForumTroll campaign stands out for its low user interaction and high technical impact. Exploiting CVE-2025-2783 required no authentication or file download—just clicking a link in Chrome or any Chromium-based browser was enough to compromise the system.
Within days of discovery, exploit code and proof-of-concept samples began circulating on underground forums, greatly lowering the barrier for mass exploitation. This means even less sophisticated actors could potentially repurpose the exploit for widespread campaigns, turning a targeted espionage tool into a mainstream cyber threat.
Government & Industry response
The disclosure and active exploitation of the Chrome zero-day triggered an immediate and coordinated response from both government and industry:
- Google released a security patch for CVE-2025-2783 and urged all users to update Chrome immediately.
- National CSIRTs and agencies including CISA (US), CERT-IN (India), and ENISA (EU) issued alerts recommending urgent patching and browser version validation across enterprises.
- Media coverage from sources like Forbes and The Hacker News highlighted that active exploitation had begun weeks before disclosure, expanding the potential exposure window.
- Security vendors such as Kaspersky and Memento Labs published detailed technical analyses, IOCs, and detection guidance to help defenders identify signs of compromise.
How Organizations Can Respond
To mitigate the risks posed by this critical vulnerability, organizations should consider the following measures:
- Update Chrome immediately: Ensure all endpoints have the latest version and verify that the fix for CVE-2025-2783 (or related) is applied.
- Reduce browser attack surface: Limit browser extensions to only approved ones, disable unnecessary features (e.g., native messaging) and restrict renderer privileges.
- Network monitoring & URL reputation: Block and monitor for suspicious domains, especially short-lived redirection domains used in the campaign.
- Endpoint detection tuning: Monitor for anomalous processes spawned from browser processes, signs of sandbox escape, and unusual network behavior after link opens.
- Threat hunting: Search logs for known IOCs (malicious domains, URLs) associated with this campaign. Use telemetry to hunt for indicators published by Kaspersky.
- User awareness/training: Conduct phishing simulations emphasising link-only threats, and remind users to verify sender context before clicking links—even if they appear to come from legitimate sources.
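The "Endpoint detection tuning" measure above, as an added example that is not part of the original brief: a small hunt over process-creation telemetry that flags browser processes spawning unexpected children. The records are constructed Sysmon-style JSON lines (not real telemetry), and the rule that a sandboxed Chromium child (one launched with a `--type=` flag) should never spawn a process is a heuristic, not a vendor-documented detection.

```python
import json

# Constructed process-creation events (not real telemetry). Events 3 and 4 are
# the suspicious ones: a renderer spawning rundll32, and the browser spawning
# an encoded PowerShell command.
SAMPLE_EVENTS = r"""
{"ts":"2025-03-12T09:14:02Z","image":"C:\\Chrome\\chrome.exe","cmd":"chrome.exe --type=renderer","parent_image":"C:\\Chrome\\chrome.exe","parent_cmd":"chrome.exe"}
{"ts":"2025-03-12T09:14:03Z","image":"C:\\Chrome\\chrome.exe","cmd":"chrome.exe --type=gpu-process","parent_image":"C:\\Chrome\\chrome.exe","parent_cmd":"chrome.exe"}
{"ts":"2025-03-12T09:14:40Z","image":"C:\\Windows\\System32\\rundll32.exe","cmd":"rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,Run","parent_image":"C:\\Chrome\\chrome.exe","parent_cmd":"chrome.exe --type=renderer"}
{"ts":"2025-03-12T09:15:01Z","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -enc AAAA","parent_image":"C:\\Chrome\\chrome.exe","parent_cmd":"chrome.exe"}
{"ts":"2025-03-12T09:15:05Z","image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe","parent_image":"C:\\Windows\\System32\\userinit.exe","parent_cmd":"userinit.exe"}
"""

# Chromium-based browser executables and the helpers they legitimately launch.
BROWSERS = {"chrome.exe", "msedge.exe", "chromium.exe"}
EXPECTED_CHILDREN = BROWSERS | {"crashpad_handler.exe"}


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a verdict string for a suspicious browser child, else None."""
    if basename(event["parent_image"]) not in BROWSERS:
        return None
    child = basename(event["image"])
    # Sandboxed renderer/GPU/utility processes are launched with --type= and are
    # job-restricted, so any child of theirs is a strong sandbox-escape signal.
    if "--type=" in event["parent_cmd"]:
        return "HIGH: sandboxed browser child spawned " + child
    # The browser (broker) process may only launch known helpers.
    if child not in EXPECTED_CHILDREN:
        return "MEDIUM: browser launched unexpected child " + child
    return None


def hunt(jsonl):
    """Scan JSON-lines telemetry; return (timestamp, child, verdict) findings."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            findings.append((event["ts"], basename(event["image"]), verdict))
    return findings


if __name__ == "__main__":
    for ts, child, verdict in hunt(SAMPLE_EVENTS):
        print(ts, child, verdict)
```

Feed the same function real Sysmon Event ID 1 or EDR process-start exports (mapped to the same field names) and tune EXPECTED_CHILDREN to the helpers your browser build actually launches.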
Final Word
Operation ForumTroll serves as a stark reminder that browsers—once treated simply as application tools—are now primary attack surfaces. A zero-day exploit that bypasses the sandbox of Chrome and requires only a link click fundamentally alters defensive assumptions. The key takeaway: defence must assume that any browser interaction can become a full host compromise. Patch quickly, harden browser and email controls, and invest in visibility and detection beyond traditional file-based defences.
One click was all it took — stay patched, stay vigilant
References
- Securelist, "Mem3nt0 mori – The Hacking Team is back": https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851
- The Hacker News, "Chrome Zero-Day Exploited to Deliver Italian Memento Labs’ LeetAgent Spyware": https://thehackernews.com/2025/10/chrome-zero-day-exploited-to-deliver.html
- Forbes, "Hackers Target Google Chrome Security Sandbox with 0-day attack": https://www.forbes.com/sites/daveywinder/2025/10/27/hackers-target-google-chrome-security-sandbox-with-0day-attack/