Mem3nt0 mori Operation ForumTroll espionage campaign
Campaign
Summary
Hide ▲
Show ▼
Mem3nt0 mori ran Operation ForumTroll, a targeted espionage campaign that used personalized phishing and a Google Chrome zero-day to infect victims in Russia and Belarus. The operation mattered because it combined a browser exploit with short-lived malicious links that delivered code with no further user action. It focused on universities, research centers, financial institutions, and government agencies, showing a broad but clearly selected victim set.
Related Happenings
Rokarolla device-profiling targeting campaign
Campaign
H score32
First: 16.06.2026 23:04
Last: 16.06.2026 23:04
Sources 1
About this happening:
The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...
Rokarolla device-profiling targeting campaign
CampaignAbout this happening: The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...
UNC6508 China-linked REDCap espionage campaign
Campaign
H score39
First: 15.06.2026 17:00
Last: 15.06.2026 17:00
Sources 1
About this happening:
**UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
UNC6508 China-linked REDCap espionage campaign
CampaignAbout this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
H score33
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
CampaignAbout this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
TamperedChef malvertising campaign distributing backdoor malware through trojanized PDFs
Campaign
H score37
First: 16.01.2026 14:05
Last: 16.01.2026 14:05
Sources 1
About this happening:
The **TamperedChef** campaign is a **malvertising** operation that used **Google ads** and **more than 50 domains** to push a fake **AppSuite PDF Editor** and deliver the **Tamper...
TamperedChef malvertising campaign distributing backdoor malware through trojanized PDFs
CampaignAbout this happening: The **TamperedChef** campaign is a **malvertising** operation that used **Google ads** and **more than 50 domains** to push a fake **AppSuite PDF Editor** and deliver the **Tamper...
APT24 BadAudio multi-delivery espionage campaign
Campaign
H score54
First: 21.11.2025 00:12
Last: 21.11.2025 00:12
Sources 1
About this happening:
**APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...
APT24 BadAudio multi-delivery espionage campaign
CampaignAbout this happening: **APT24** is running a **three-year espionage campaign** with **BadAudio** that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since **...
Timeline
-
28.10.2025 18:00 1 articles · 8mo ago
Kaspersky discloses Operation ForumTroll Chrome zero-day exploitation
Initial DisclosureKaspersky reported that CVE-2025-2783 in Google Chrome was exploited in Operation ForumTroll, a targeted espionage campaign against organizations in Russia and Belarus. The attack chain used highly personalized phishing emails inviting victims to the Primakov Readings forum, short-lived malicious links, and a sandbox escape exploit to compromise Chrome and other Chromium-based browsers. Kaspersky linked the activity to Mem3nt0 mori / ForumTroll APT and said the tooling appeared to involve Memento Labs products such as LeetAgent and Dante, while Google patched Chrome in version 134.0.6998.177/.178.
Show sources
- Chrome Zero-Day Actively Exploited in Attacks by Mem3nt0 mori — www.infosecurity-magazine.com — 28.10.2025 18:00