
Mem3nt0 mori Operation ForumTroll espionage campaign

Campaign
First reported
Last updated
Happening score
H score 54
1 unique source, 1 article

Summary


Mem3nt0 mori ran Operation ForumTroll, a targeted espionage campaign that used personalized phishing and a Google Chrome zero-day to infect victims in Russia and Belarus. The operation mattered because it combined a browser exploit with short-lived malicious links that delivered code with no further user action. It focused on universities, research centers, financial institutions, and government agencies, showing a broad but clearly selected victim set.

Related Happenings

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...

TamperedChef malvertising campaign distributing backdoor malware through trojanized PDFs

Campaign
First: 16.01.2026 14:05 Last: 16.01.2026 14:05 Sources 1

About this happening: The **TamperedChef** campaign is a **malvertising** operation that used **Google ads** and **more than 50 domains** to push a fake **AppSuite PDF Editor** and deliver the **Tamper...

APT24 BadAudio multi-delivery espionage campaign

Campaign
First: 21.11.2025 00:12 Last: 21.11.2025 00:12 Sources 1

About this happening: **APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...

Google Chrome CVE-2025-2783 active exploitation wave

Exploitation Wave
First: 28.10.2025 10:22 Last: 28.10.2025 10:22 Sources 1

About this happening: **CVE-2025-2783** is being actively exploited in **Google Chrome** against organizations in **Russia and Belarus**, creating sandbox-escape and payload-delivery risk for exposed b...

Latest development: 17.12.2025 16:54

Kaspersky described a new Operation ForumTroll phishing wave targeting scholars in political science, international relations, and global economics at major Russian universities and research institutions with fake eLibrary emails from support@e-library[.]wiki, one-time links, and ZIP archives named <LastName>_<FirstName>_<Patronymic>.zip that run a LNK and PowerShell chain to fetch a DLL and deploy Tuoni for remote access.

Operation ForumTroll phishing and Chrome zero-day campaign against Russian organizations

Campaign
First: 27.10.2025 18:37 Last: 27.10.2025 18:37 Sources 1

About this happening: **Operation ForumTroll** was exposed as a **targeted phishing campaign** that used a **Google Chrome zero-day** to compromise selected **Russian organizations**. The operation mat...

Latest development: 17.12.2025 16:54

Kaspersky reported on December 17, 2025 that it detected a new Operation ForumTroll phishing wave in October 2025 targeting Russian scholars and researchers in political science, international relations, and global economics at major Russian universities and research institutions. The attackers used fake eLibrary emails from support@e-library[.]wiki, hosted a copy of elibrary[.]ru on e-library[.]wiki, and personalized ZIP archives named <LastName>_<FirstName>_<Patronymic>.zip for the targeted individuals.

Timeline

  1. 28.10.2025 18:00 · 1 article · 7mo ago

    Kaspersky discloses Operation ForumTroll Chrome zero-day exploitation

    Initial Disclosure

    Kaspersky reported that CVE-2025-2783 in Google Chrome was exploited in Operation ForumTroll, a targeted espionage campaign against organizations in Russia and Belarus. The attack chain used highly personalized phishing emails inviting victims to the Primakov Readings forum, short-lived malicious links, and a sandbox escape exploit to compromise Chrome and other Chromium-based browsers. Kaspersky linked the activity to Mem3nt0 mori / ForumTroll APT and said the tooling appeared to involve Memento Labs products such as LeetAgent and Dante, while Google patched Chrome in version 134.0.6998.177/.178.
