Ethical Hacking News
Cybersecurity researchers have discovered a new type of malware called LeetAgent that exploits a zero-day vulnerability in Google Chrome to deliver its payload. This malware is part of a broader campaign dubbed Operation ForumTroll that targets organizations in Russia and Belarus. The attack highlights how attackers are leveraging sophisticated spyware to carry out targeted spear-phishing operations.
The latest exploitation vector to surface is LeetAgent, spyware attributed to the Italian vendor Memento Labs, which leverages a zero-day exploit in Google Chrome to deliver its payload. The attack targets organizations in Russia and Belarus as part of Operation ForumTroll, a targeted spear-phishing operation. The zero-day vulnerability exploited is CVE-2025-2783, which has a CVSS score of 8.3. Phishing emails containing personalized links invited recipients to the Primakov Readings forum; opening the links triggered the exploit and enabled the attackers to deliver LeetAgent. LeetAgent connects to a C2 server over HTTPS and receives instructions to perform tasks such as running commands through cmd.exe or executing processes. The malware has been linked to other attacks in Russia and Belarus, including the TaxOff cluster, which used a different exploit to deploy a backdoor called Trinper. Dante, another spyware family, emerged in 2022 with protections to resist analysis, but its connection to Operation ForumTroll is not yet clear.
In a worrisome turn of events, the latest exploitation vector to gain traction on the cyber threat landscape is LeetAgent, spyware from the Italian vendor Memento Labs. This malware, which leverages a zero-day exploit in Google Chrome to deliver its payload, is part of a broader campaign dubbed Operation ForumTroll that targets organizations in Russia and Belarus. According to Kaspersky Global Research and Analysis Team (GReAT) principal security researcher Boris Larin, this was a targeted spear-phishing operation, not a broad, indiscriminate campaign.
The zero-day vulnerability exploited by the LeetAgent spyware is CVE-2025-2783, which has a CVSS score of 8.3. The flaw is a sandbox escape that allows attackers to break out of Chrome's confined environment and deliver tools developed by Memento Labs. It appears that this exploit has been actively used as part of Operation ForumTroll since at least February 2024.
The wave of infections involved sending phishing emails containing personalized, short-lived links inviting recipients to the Primakov Readings forum. Clicking these links through Google Chrome or a Chromium-based web browser would trigger an exploit for CVE-2025-2783, enabling attackers to deliver tools developed by Memento Labs. The attackers used a validator phase that checked if the visitor was a genuine user with a real web browser before leveraging the vulnerability to achieve remote code execution and drop a loader responsible for launching LeetAgent.
The malware, LeetAgent, is capable of connecting to a command-and-control (C2) server over HTTPS and receiving instructions that allow it to perform a wide range of tasks. This includes 0xC033A4D (COMMAND), which runs commands using cmd.exe; 0xECEC (EXEC), which executes processes; 0x6E17A585 (GETTASKS), which gets a list of tasks currently executed by the agent; and many others.
The malware has been traced back to 2022, with an additional threat actor also linked to broader malicious cyber activity against organizations in Russia and Belarus using phishing emails carrying malicious attachments. Larin pointed out that the attackers were not native Russian speakers.
Furthermore, a connection was discovered between this attack cluster and another one tracked as TaxOff, which used a different exploit for CVE-2025-2783 to deploy a backdoor called Trinper, which is said to be directly linked to LeetAgent through the very same exploits. Overlaps in tradecraft were also observed, including identical COM-hijacking persistence, similar file-system paths, and data hidden in font files.
The spyware, Dante, which emerged in 2022 as a replacement for Remote Control Systems (RCS), is equipped with protections to resist analysis. These include obfuscating control flow, hiding imported functions, adding anti-debugging checks, nearly every string in the source code being encrypted, and querying the Windows Event Log for events that may indicate the use of malware analysis tools or virtual machines.
Once all these checks pass, Dante launches an orchestrator module that communicates with a C2 server via HTTPS, loads other components from either the file system or memory, removes itself if it does not receive commands within a number of days specified in its configuration, and erases traces of all its activity. Despite this, no information is currently available on additional modules launched by the spyware.
The threat actor behind Operation ForumTroll has not been observed using Dante in the campaign exploiting the Chrome security flaw; however, Larin noted that there is evidence to suggest wider usage of Dante in other attacks. It's too early for a definitive conclusion about scope or attribution.
In summary, the LeetAgent malware menace highlights how attackers are leveraging zero-day vulnerabilities and sophisticated spyware to carry out targeted spear-phishing operations. The involvement of Memento Labs' LeetAgent and its connection to Operation ForumTroll underscores the evolving threat landscape, where even the most seemingly secure systems can be compromised with enough creativity and persistence from adversaries.
Related Information:
https://www.ethicalhackingnews.com/articles/The-LeetAgent-Malware-Menace-Unpacking-the-Latest-Chrome-Zero-Day-Exploitation-ehn.shtml
https://thehackernews.com/2025/10/chrome-zero-day-exploited-to-deliver.html
https://nvd.nist.gov/vuln/detail/CVE-2025-2783
https://www.cvedetails.com/cve/CVE-2025-2783/
https://www.bleepingcomputer.com/news/security/italian-spyware-vendor-linked-to-chrome-zero-day-attacks/
Published: Tue Oct 28 05:02:32 2025 by llama3.2 3B Q4_K_M