This web page was created programmatically, to learn the article in its authentic location you may go to the hyperlink bellow:
https://www.esecurityplanet.com/news/chrome-zero-day-exploit-spyware/
and if you wish to take away this text from our web site please contact us
A zero-day vulnerability in Google Chrome has been actively exploited by the hacker group Mem3nt0 Mori in a string of targeted attacks against high-profile organizations in Russia and Belarus.
The flaw allowed attackers to bypass Chrome’s sandbox protections and deploy spyware via phishing campaigns disguised as invitations to the Primakov Readings forum.
Kaspersky researchers said, “The functionality of the malware suggests that the operation’s primary purpose was espionage.”
Operation ForumTroll
The vulnerability, CVE-2025-2783, affects Chrome versions prior to 134.0.6998.177 on Windows.
If exploited, the flaw allows attackers to execute arbitrary code, steal data, and install spyware without requiring downloads or user interaction.
Google patched the vulnerability, but active exploitation occurred before the update, according to Kaspersky’s findings.
These incidents, part of an operation Kaspersky calls Operation ForumTroll, targeted media outlets, financial institutions, and research universities, underscoring how threat actors increasingly use social engineering and commercial spyware for espionage.
Inside the attack chain
The attack began with customized phishing emails in Russian that appeared to come from the Primakov Readings forum.
The links led to malicious websites that automatically triggered the exploit upon visit, with no clicks or downloads required.
Once opened in Chrome, the exploit took advantage of a flaw in the browser’s Mojo inter-process communication (IPC) system, which handles data exchange between sandboxed components.
The issue stemmed from Chrome’s failure to properly validate pseudo-handles, such as the constant -2 used to reference the current thread.
This oversight allowed attackers to duplicate thread handles across sandbox boundaries, thereby granting them code-execution privileges in the higher-privileged browser process.
With this foothold, attackers deployed a persistent malware loader via Component Object Model (COM) hijacking, forcing Windows to load a malicious DLL disguised as the legitimate twinapi.dll.
The loader decrypted and launched a spyware payload, LeetAgent, which executed commands written in leetspeak.
LeetAgent allowed the attackers to:
- Log keystrokes and monitor clipboard data.
- Steal files with extensions like .docx, .pdf, and .xlsx.
- Inject shellcode into trusted processes like rdpclip.exe.
The spyware communicated with command-and-control (C2) servers hosted on Fastly[.]net cloud infrastructure, using obfuscation and encryption based on the ChaCha20 algorithm.
Kaspersky researchers linked this spyware to Dante, a commercial surveillance tool developed by Memento Labs, formerly known as Hacking Team, an Italian vendor associated with government spyware sales.
Building layers of browser defense
Google has patched the vulnerability in Chrome versions 134.0.6998.177 and 134.0.6998.178, and organizations should ensure the latest version of Chrome is in use.
Beyond patching, organizations should adopt a layered defense strategy, including the following:
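A patch-compliance sweep for the fixed build named above, written as an added example for this article (not Kaspersky’s or Google’s code): it parses Chrome version strings, compares them against 134.0.6998.177 and reports Windows hosts still running an older build. The inventory format (hostname,os,chrome_version), the hostnames and the version values are constructed assumptions.

```python
"""Flag Windows hosts whose Chrome build predates the CVE-2025-2783 fix."""
import csv
import io

# First Chrome release carrying the fix for CVE-2025-2783 (from the article).
FIXED_VERSION = "134.0.6998.177"


def parse_version(ver: str) -> tuple:
    """Turn a dotted Chrome version such as '134.0.6998.177' into a tuple of
    ints so builds compare numerically. Raises ValueError on malformed input."""
    parts = ver.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version string: {ver!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(ver: str, os_name: str) -> bool:
    """True when a Windows host runs a build older than the fix. The article
    scopes the flaw to Chrome on Windows, so other platforms are not flagged."""
    if os_name.strip().lower() != "windows":
        return False
    return parse_version(ver) < parse_version(FIXED_VERSION)


def sweep(inventory_csv: str) -> dict:
    """Return exposed hosts ({hostname: version}) from a CSV inventory with
    columns hostname,os,chrome_version. Rows with unparsable versions are
    listed separately so they are not silently treated as patched."""
    exposed, unparsable = {}, []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            if is_vulnerable(row["chrome_version"], row["os"]):
                exposed[row["hostname"]] = row["chrome_version"]
        except ValueError:
            unparsable.append(row["hostname"])
    return {"exposed": exposed, "unparsable": unparsable}


# Constructed sample inventory; hostnames and the 135.x build are made up.
SAMPLE_INVENTORY = """hostname,os,chrome_version
ws-01,Windows,134.0.6998.89
ws-02,Windows,134.0.6998.177
ws-03,Windows,134.0.6998.178
ws-04,Windows,135.0.7049.42
mac-01,macOS,134.0.6998.89
ws-05,Windows,unknown
"""

if __name__ == "__main__":
    print(sweep(SAMPLE_INVENTORY))
```

Hosts reported under "unparsable" need a manual look rather than being assumed safe, since an inventory agent that cannot read the version usually cannot confirm the patch either.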
- Limit browser exposure: Restrict admin use, remove unneeded extensions, and use browser isolation to contain malicious code.
- Strengthen access controls: Apply least privilege, block browsing from admin accounts, and adopt zero trust to prevent successful lateral movement.
- Enhance detection and monitoring: Use EDR and SIEM tools to spot anomalies and IOCs like suspicious handles or Fastly traffic.
- Harden system and network defenses: Enable Windows Defender Exploit Guard, memory integrity, and secure gateways to block sandbox escapes.
- Reinforce social engineering awareness: Train users to spot common social engineering attacks.
Together, these measures help organizations limit exploit paths, strengthen browser defenses, and build cyber resilience.
Commercial spyware fuels the next cyber arms race
This campaign highlights the growing convergence between zero-day exploits and the commercial spyware industry, creating a single, interconnected threat ecosystem.
Mem3nt0 Mori’s use of tools like LeetAgent and Dante demonstrates how surveillance technologies once sold to governments are now empowering state-aligned threat actors.
As cybercriminals and APTs weaponize browser vulnerabilities faster than vendors can patch them, the speed and consistency of response have become critical measures of cybersecurity resilience.
These evolving threats underscore the need for structured, tested incident response plans that enable organizations to react decisively under pressure.