Ethical Hacking News
Italian spyware vendor Memento Labs has been linked to Operation ForumTroll, a campaign that exploited critical vulnerabilities in Google Chrome to deliver malware to Russian organizations. Kaspersky researchers have attributed the attack to Memento Labs with high confidence, but the author of the zero-day vulnerability remains unknown.
Memento Labs has been linked to a series of Chrome zero-day attacks, including Operation ForumTroll. The attack chain used in Operation ForumTroll exploited CVE-2025-2783, a sandbox escape zero-day in the Google Chrome browser. LeetAgent is a modular spyware that supports command execution, file operations, keylogging, and data theft, with potential commercial use. Memento Labs' involvement in Operation ForumTroll has raised concerns about the use of zero-day vulnerabilities in Chrome browser exploits. The incident highlights the ongoing threat landscape and the importance of staying vigilant with software updates and security measures.
Italian spyware vendor Memento Labs has been linked to a series of Chrome zero-day attacks, including Operation ForumTroll, a campaign that targeted Russian organizations and exploited a critical vulnerability in the Google Chrome browser.
The attack chain used in Operation ForumTroll was uncovered by Kaspersky researchers, who found that the malware delivery was done by exploiting CVE-2025-2783, a sandbox escape zero-day in the Chrome browser. The attackers sent phishing emails with personalized links to malicious sites, which filtered visitors to ensure only targets of interest were compromised.
Once the victim's browser process was infected, a persistent loader was installed to inject a malicious DLL, which decrypted the main payload, LeetAgent, a modular spyware that supports command execution, file operations, keylogging, and data theft. LeetAgent is distinctive for implementing its commands in leetspeak, and Kaspersky researchers believe it may be a commercial spyware tool.
The researchers traced the use of LeetAgent to attacks in 2022 against targets in Russia and Belarus, where Dante was used as a complementary module. Due to code similarities with Hacking Team's RCS malware, Kaspersky researchers have high confidence in attributing the tools to Memento Labs.
Dante is a modular spyware that retrieves its components from a command-and-control (C2) server. If no communication is received from the attacker's server for a specified number of days, the malware "deletes itself and all traces of its activity." The specific features and capabilities of the Dante spyware remain undocumented because its modules were not available for analysis.
The discovery of Memento Labs' involvement in Operation ForumTroll has raised concerns about the use of zero-day vulnerabilities in Chrome browser exploits. Chrome fixed CVE-2025-2783 in version 134.0.6998.178, released on March 26, and Mozilla also addressed the issue in Firefox, tracked as CVE-2025-2857, in version 136.0.4 of the browser.
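Because the article names the exact fixed releases, a defender's first check is whether installed browsers are at or above them. The script below is an added example, not code from the article or from Kaspersky; the fixed version strings are the ones the article gives, and the host inventory is constructed sample data. The point worth showing is that versions must be compared numerically, component by component: a plain string comparison would rank a hypothetical "134.0.10000.1" below "134.0.6998.178" and report a patched host as vulnerable.

```python
"""Check installed browser versions against the fixed releases named in the article.

Added example, not from the article. Fixed versions come from the article:
Chrome 134.0.6998.178 for CVE-2025-2783, Firefox 136.0.4 for CVE-2025-2857.
The inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# CVE -> (browser, first fixed version), as stated in the article.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "CVE-2025-2783": ("chrome", "134.0.6998.178"),
    "CVE-2025-2857": ("firefox", "136.0.4"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into ints so comparison is numeric, not lexicographic."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(browser: str, installed: str, cve: str) -> bool:
    """Return True if the installed build is at or above the fixed version for the CVE."""
    fixed_browser, fixed_version = FIXED_VERSIONS[cve]
    if browser.lower() != fixed_browser:
        raise ValueError(f"{cve} applies to {fixed_browser}, not {browser}")
    inst = parse_version(installed)
    fix = parse_version(fixed_version)
    # Pad the shorter tuple with zeros so "136.0" compares equal to "136.0.0".
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst >= fix


def find_unpatched(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, cve, installed_version) for every host still below a fixed release."""
    findings: List[Tuple[str, str, str]] = []
    for entry in inventory:
        for cve, (browser, _) in FIXED_VERSIONS.items():
            if entry["browser"].lower() != browser:
                continue
            if not is_patched(entry["browser"], entry["version"], cve):
                findings.append((entry["host"], cve, entry["version"]))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-01", "browser": "chrome", "version": "134.0.6998.177"},
    {"host": "ws-02", "browser": "chrome", "version": "134.0.6998.178"},
    {"host": "ws-03", "browser": "chrome", "version": "134.0.10000.1"},
    {"host": "ws-04", "browser": "firefox", "version": "136.0.3"},
    {"host": "ws-05", "browser": "firefox", "version": "136.0.4"},
]

if __name__ == "__main__":
    for host, cve, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {version} is below the fixed release for {cve}")
```

Run as-is it reports ws-01 and ws-04; ws-03 is correctly treated as patched even though its version string sorts lexicographically below the fixed release. Feed it real inventory from whatever asset system you use, keeping the browser field normalised to lowercase.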
Kaspersky has attributed the advanced spyware to Memento Labs with high confidence, but the author of the Chrome sandbox-escape zero-day could be a different entity. BleepingComputer has contacted Memento Labs for a comment on Kaspersky's findings, but did not receive a response by publishing time.
The incident highlights the ongoing threat landscape in the cybersecurity world, where zero-day vulnerabilities are constantly being exploited to deliver malware and spyware. As organizations continue to rely on cloud-based applications and services, it is essential to stay vigilant and keep software up to date with the latest security patches.
In addition, the discovery of Memento Labs' involvement in Operation ForumTroll serves as a reminder of the importance of using reputable antivirus software and regular security scans to detect and remove malware from infected systems. It also emphasizes the need for organizations to implement robust security measures, such as intrusion detection systems (IDS) and incident response plans, to mitigate the impact of future attacks.
Overall, the revelation that Memento Labs is behind Operation ForumTroll marks a significant development in the ongoing battle against cyber threats. As cybersecurity professionals and individuals, it is crucial to stay informed about emerging threats and take proactive measures to protect ourselves and our organizations from falling prey to sophisticated attacks like this one.
Related Information:
https://www.ethicalhackingnews.com/articles/Operation-ForumTroll-Italian-Spyware-Vendor-Linked-to-Chrome-Zero-Day-Attacks-ehn.shtml
https://www.bleepingcomputer.com/news/security/italian-spyware-vendor-linked-to-chrome-zero-day-attacks/
https://www.securityweek.com/chrome-zero-day-exploitation-linked-to-hacking-team-spyware/
https://www.kaspersky.com/blog/forumtroll-dante-leetagent/54670/
https://www.bleepingcomputer.com/news/security/tiktok-videos-continue-to-push-infostealers-in-clickfix-attacks/
https://www.bleepingcomputer.com/startups/3484/N_A/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://security.muni.cz/en/articles/hacker-elites-how-the-most-dangerous-apt-groups-operate
Published: Mon Oct 27 13:19:38 2025 by llama3.2 3B Q4_K_M