Chrome Zero-Day Used to Spread LeetAgent Spyware

Summary
– A zero-day vulnerability (CVE-2025-2783) in Google Chrome was exploited to distribute spyware from Memento Labs as part of Operation ForumTroll, targeting Russian organizations.
– The attack used phishing emails with short-lived links to a fake forum, triggering the exploit to escape Chrome’s sandbox and deploy Memento Labs’ LeetAgent spyware.
– Memento Labs, formed from a merger including the controversial HackingTeam, has a history of selling surveillance tools and suffered a major data breach in 2015.
– LeetAgent is a newly documented spyware capable of executing commands, file operations, and data theft, with links to the more advanced Dante spyware used in related campaigns.
– Memento Labs confirmed the spyware belongs to them, blaming a government customer for misusing an outdated Windows version of Dante, and stated they now focus only on mobile tools.
A newly discovered zero-day vulnerability in Google Chrome was recently exploited to distribute sophisticated spyware developed by Memento Labs, according to cybersecurity researchers. This security flaw, identified as CVE-2025-2783 with a CVSS severity score of 8.3, allowed attackers to break free from Chrome’s protective sandbox environment. The exploit was deployed through a targeted phishing campaign known as Operation ForumTroll, which focused on organizations across Russia. Security firms tracking this activity refer to the threat group by various names, including TaxOff/Team 46 and Prosperous Werewolf.
The attack began with phishing emails containing time-sensitive links that appeared to direct recipients to the Primakov Readings forum. When opened in Chrome or a Chromium-based browser, these links triggered the exploit for CVE-2025-2783, bypassing browser security to install malicious tools. Memento Labs, the developer behind these tools, is an Italian company formed in 2019 through the merger of InTheCyber Group and the controversial HackingTeam. HackingTeam has a long history of providing intrusion and surveillance solutions to governments and corporations, including spyware capable of monitoring the Tor browser.
Notably, HackingTeam experienced a major security breach in 2015, leading to the public release of internal data, tools, and exploits. One leaked component, an Extensible Firmware Interface development kit called VectorEDK, later formed the basis for the UEFI bootkit known as MosaicRegressor. In 2016, the company faced additional challenges when Italian authorities revoked its license for sales outside Europe.
In the recent campaign analyzed by Kaspersky, the attackers targeted Russian media outlets, universities, research centers, government bodies, and financial institutions with clear espionage objectives. Boris Larin, a principal security researcher at Kaspersky, emphasized that this was a highly targeted spear-phishing operation rather than a widespread attack. The campaign ultimately delivered a previously undocumented spyware called LeetAgent, named for its use of leetspeak in command codes.
LeetAgent Loader Linked to ForumTroll Operation and Dante Spyware
The infection began with a validator script that verified whether the visitor was using a legitimate browser before launching a sandbox escape. This initial step granted remote code execution, allowing the attackers to deploy a loader that installed the LeetAgent backdoor. Once activated, LeetAgent established a secure HTTPS connection to a command-and-control (C2) server, opening the door to a variety of malicious operations.
One of its modules, identified as 0xC033A4D (COMMAND), enabled command execution via cmd.exe. Security researchers traced this malware to activity dating back to 2022, when the same threat actor relied on phishing campaigns with weaponized attachments targeting organizations and individuals in Russia and Belarus. Researcher Larin noted the group’s strong command of Russian and knowledge of local systems, though minor language inconsistencies suggested the operators might not be native speakers.
In June 2025, Positive Technologies uncovered that a related cluster exploited CVE-2025-2783 to deliver another backdoor known as Trinper. Larin confirmed that both attack chains are connected. In several observed incidents, LeetAgent served as the launchpad for Dante, an advanced spyware family that evolved from the earlier Remote Control Systems (RCS) platform.
Dante’s architecture is built for stealth. It scrambles control flow, hides imported functions, runs anti-debugging checks, and encrypts nearly all strings in its code. The malware also examines Windows Event Logs for traces of security tools or virtual machines. Once it verifies that the environment is genuine, Dante activates an orchestrator module that contacts its C2 infrastructure, downloads additional payloads, and has the ability to self-destruct if idle for too long.
Although Dante was not directly linked to the Chrome zero-day campaign, Larin said evidence points to its presence in other coordinated attacks. The full extent of these operations and their attribution are still being investigated.
In a significant development, Memento Labs CEO Paolo Lezzi confirmed that the spyware analyzed by Kaspersky originated from his company. He explained that the breach involved a government client using an outdated Windows build of Dante. Memento Labs, serving fewer than 100 customers, has since urged all clients to stop using its Windows-based software and announced a pivot toward surveillance tools designed solely for mobile platforms.
This revelation renews scrutiny over the commercial spyware industry. Tools built for legitimate law enforcement purposes continue to leak into unauthorized hands, fueling an ecosystem of digital espionage that threatens privacy and state security alike.
(Source: NewsAPI Tech Headlines)