Cyber Web Spider Blog – News

Chrome 0-Day Vulnerability Actively Exploited in Attacks by Notorious Hacker Group

Posted on October 27, 2025 by CWS

The infamous Mem3nt0 mori hacker group has been actively exploiting a zero-day vulnerability in Google Chrome, compromising high-profile targets across Russia and Belarus.

Tracked as CVE-2025-2783, the flaw allowed attackers to bypass Chrome's sandbox protections with minimal user interaction, resulting in the deployment of sophisticated spyware.

Discovered by Kaspersky researchers in March 2025, the vulnerability was swiftly patched by Google, but not before infections spread through personalised phishing campaigns mimicking invitations to the prestigious Primakov Readings forum.

CVE ID: CVE-2025-2783
Description: Incorrect handle validation in Mojo IPC leading to sandbox escape on Windows
CVSS Score: 9.8 (High)
Affected Versions: (not stated)
Patch Version: Chrome 134.0.6998.177/.178
Impact: Arbitrary code execution, espionage via spyware deployment

The attacks, part of an operation Kaspersky named ForumTroll, targeted media outlets, universities, government agencies, and financial institutions, underscoring the group's focus on intelligence gathering.

Victims received impeccably crafted emails in Russian, luring them to malicious websites that triggered the exploit on visit; no downloads or clicks beyond the initial link were needed.

This drive-by infection chain exploited Chrome's Mojo inter-process communication system, a critical component for passing data between browser processes on Windows.

The vulnerability stemmed from a subtle oversight: Chrome's code did not properly validate pseudo-handles such as -2 (the current thread), enabling attackers to trick the system into duplicating handles across sandbox boundaries.

This logic flaw, rooted in legacy Windows optimizations, allowed shellcode execution in the privileged browser process, paving the way for malware persistence.
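To make the oversight concrete, the following added example (written for this article, not code from Chrome, Google or Kaspersky) models a broker process that duplicates handle values it receives from a sandboxed peer. Windows pseudo-handles are documented sentinel values that the kernel resolves relative to the caller: GetCurrentProcess() returns (HANDLE)-1, GetCurrentThread() returns (HANDLE)-2, and DuplicateHandle() converts either into a real handle belonging to the calling process. The simulated processes, handle tables and the `broker_vulnerable`/`broker_hardened` functions are hypothetical; the point they illustrate is that the fix class is to screen sentinel values before they ever reach the duplication call.

```python
"""Simplified model of pseudo-handle screening in an IPC broker (added example).

The process and handle-table classes are constructed for illustration and are
not Windows APIs; only the two pseudo-handle constants are documented values.
"""

PSEUDO_CURRENT_PROCESS = -1   # value returned by GetCurrentProcess()
PSEUDO_CURRENT_THREAD = -2    # value returned by GetCurrentThread()
PSEUDO_HANDLES = {PSEUDO_CURRENT_PROCESS, PSEUDO_CURRENT_THREAD}


class HandleValidationError(ValueError):
    """Raised when a handle value from an untrusted peer is refused."""


class SimulatedProcess:
    """Stand-in for a process with a handle table (hypothetical)."""

    def __init__(self, name):
        self.name = name
        self.table = {}     # handle value -> description of the kernel object
        self._next = 4      # real handle values are small positive multiples of 4

    def open(self, description):
        """Create a new handle table entry and return its value."""
        value = self._next
        self._next += 4
        self.table[value] = description
        return value

    def duplicate_handle(self, source_value, target):
        """Mimic DuplicateHandle(): pseudo-handles resolve to the CALLER (self),
        so a broker that passes one through duplicates its own process/thread."""
        if source_value == PSEUDO_CURRENT_PROCESS:
            obj = f"process:{self.name}"
        elif source_value == PSEUDO_CURRENT_THREAD:
            obj = f"thread:{self.name}"
        elif source_value in self.table:
            obj = self.table[source_value]
        else:
            raise HandleValidationError("ERROR_INVALID_HANDLE")
        return target.open(obj)


def broker_vulnerable(broker, sandbox, requested):
    """Takes the peer-supplied value at face value (the oversight)."""
    return broker.duplicate_handle(requested, sandbox)


def broker_hardened(broker, sandbox, requested):
    """Refuse sentinel pseudo-handles and non-positive values before duplication,
    so the peer can only refer to handles the broker deliberately exposed."""
    if requested in PSEUDO_HANDLES or requested <= 0:
        raise HandleValidationError(f"pseudo-handle {requested} refused")
    return broker.duplicate_handle(requested, sandbox)


def run_demo():
    """Exercise both brokers; returns what the sandbox ends up holding."""
    broker = SimulatedProcess("browser")
    sandbox = SimulatedProcess("renderer")

    # Vulnerable path: -2 is resolved as the broker's own thread.
    leaked = sandbox.table[broker_vulnerable(broker, sandbox, PSEUDO_CURRENT_THREAD)]

    # Hardened path: the same request is refused outright.
    try:
        broker_hardened(broker, sandbox, PSEUDO_CURRENT_THREAD)
        refused = False
    except HandleValidationError:
        refused = True

    # Hardened path still duplicates a handle the broker intentionally shares.
    shared = broker.open("file:shared.txt")
    legit = sandbox.table[broker_hardened(broker, sandbox, shared)]
    return {"vulnerable_leaks": leaked, "hardened_refused": refused, "hardened_ok": legit}


if __name__ == "__main__":
    print(run_demo())
```

The simulation deliberately separates the two decisions a broker makes: whether a value is a legitimate reference at all, and whether it is a sentinel that the kernel will reinterpret in the broker's own context. Only the second check is what the article's description of the bug is about.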

Unraveling the Attack Chain

The infection progressed in carefully designed stages, as reconstructed by Kaspersky's Global Research and Analysis Team (GReAT).

It began with the phishing email, followed by a validator script that used WebGPU to verify a genuine browser visit, thwarting automated scanners.

If validated, an elliptic-curve Diffie-Hellman key exchange decrypted the next payload, hidden in innocuous files such as JavaScript bundles and fonts.

Attack Chain

Although the remote code execution (RCE) exploit evaded capture, the sandbox escape via CVE-2025-2783 was pivotal: it hooked functions in Chrome's V8 inspector and ipcz library to relay thread handles, suspending and hijacking the browser process to inject a persistent loader.

This loader employed COM hijacking, overriding Windows registry entries for legitimate components like twinapi.dll to ensure malware execution in processes such as rdpclip.exe.

The payload, obfuscated with OLLVM and encrypted with a modified ChaCha20, decrypted into LeetAgent, a rare spyware that uses leetspeak commands for tasks such as keylogging, file theft (targeting documents, PDFs, and spreadsheets), and process injection.

Configuration arrived over HTTPS from C2 servers on Fastly.net, with extensive traffic obfuscation hinting at commercial origins.

Kaspersky traced LeetAgent's debut to 2022, linking it to broader ForumTroll campaigns involving malicious attachments such as ISO files and LNK shortcuts disguised as partnership invitations.

Deeper analysis revealed that LeetAgent's loader shared code with Dante, an elusive commercial spyware from the Italian firm Memento Labs, rebranded from the notorious Hacking Team in 2019.

LeetAgent Loader

Dante, unveiled at the 2023 ISS World conference, packed VMProtect obfuscation, anti-debugging via event log queries for VM artifacts, and dynamic API resolution to evade hooks.

Its orchestrator managed modules encrypted with AES-256, using machine-bound keys derived from CPU IDs and product keys, stored in Base64-named folders under %LocalAppData%.

Kaspersky confirmed overlaps in persistence, font-hidden data, and exploit code, attributing ForumTroll's toolkit to Memento Labs despite the vendor's "start from scratch" promises.

This discovery highlights the shadowy spyware market's resilience, where tools like Dante (likely a nod to Hacking Team's "Da Vinci" by way of Dante Alighieri's infernal journeys) persist in APT hands.

Firefox patched a similar IPC flaw as CVE-2025-2857 shortly after. Experts warn of lingering pseudo-handle risks in other software.

For protection, update Chrome to 134.0.6998.177 or later, enable Enhanced Safe Browsing, and monitor for IOCs such as suspicious Base64-named folders.
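The Base64-named folders under %LocalAppData% mentioned above are a hunting lead rather than a hash, so the following added example (not Kaspersky's IoC logic and not code from the article) implements a heuristic that flags directory names that parse as valid Base64 and show the mixed character classes random encoded data has. The sample folder names are constructed, the `scan_names`/`scan_directory` functions and thresholds are assumptions, and a hit is a candidate for review, not a verdict: legitimate software can also use encoded names.

```python
"""Heuristic hunt for Base64-looking directory names (added example, not the
article's or Kaspersky's detection logic). The sample names are constructed."""

import base64
import binascii
import os
import re

# Candidate names: Base64 alphabet, at least 12 body characters, up to "==" padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def looks_like_base64_name(name):
    """True when a name is syntactically valid Base64 that decodes cleanly and
    mixes lower-case, upper-case and digit/symbol characters, which ordinary
    folder names such as "ConnectedDevicesPlatform" rarely do."""
    if not B64_RE.match(name) or len(name) % 4:
        return False
    try:
        base64.b64decode(name, validate=True)
    except binascii.Error:
        return False
    has_lower = re.search(r"[a-z]", name) is not None
    has_upper = re.search(r"[A-Z]", name) is not None
    has_other = re.search(r"[0-9+/]", name) is not None
    return has_lower and has_upper and has_other


def scan_names(names):
    """Return the subset of names worth a closer look, sorted for stable output."""
    return sorted(n for n in names if looks_like_base64_name(n))


def scan_directory(path):
    """Apply the heuristic to the immediate subdirectories of `path`
    (e.g. os.environ["LOCALAPPDATA"] on a Windows host)."""
    with os.scandir(path) as entries:
        return scan_names(e.name for e in entries if e.is_dir())


# Constructed sample: typical %LocalAppData% names plus two encoded ones
# ("SecurityModules1" and "BootstrapData" in Base64; made up for this example).
SAMPLE_NAMES = [
    "Microsoft",
    "Google",
    "Temp",
    "Packages",
    "ConnectedDevicesPlatform",
    "D3DSCache",
    "U2VjdXJpdHlNb2R1bGVzMQ==",
    "Qm9vdHN0cmFwRGF0YQ==",
]

if __name__ == "__main__":
    for hit in scan_names(SAMPLE_NAMES):
        print("review:", hit)
```

Run `scan_directory(os.environ["LOCALAPPDATA"])` on a Windows endpoint to apply the same rule to real folder names; pairing the hit list with folder creation times and the owning process (from file-system or EDR telemetry) is what turns a name-shape heuristic into a usable lead.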

As Mem3nt0 mori evolves, vigilance against phishing remains paramount in this cat-and-mouse game of digital shadows.
