{"uuid": "9a5e050a-4772-4f07-b3cb-81eae488ff62", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Kaspersky - Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain", "description": "# Operation ForumTroll exploits zero-days in Google Chrome | Securelist\n![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/03/25125858/SL-operation-ForumTroll-featured-800x450.jpg)\n\n[Incidents](https://securelist.com/category/incidents/)\n\n25 Mar 2025\n\nIn mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly sophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers\u2019 website was opened using the Google Chrome web browser. No further action was required to become infected.\n\nAll malicious links were personalized and had a very short lifespan. However, Kaspersky\u2019s exploit detection and protection technologies successfully identified the zero-day exploit that was used to escape Google Chrome\u2019s sandbox. We quickly analyzed the exploit code, reverse-engineered its logic, and confirmed that it was based on a zero-day vulnerability affecting the latest version of Google Chrome. We then reported the vulnerability to the Google security team. Our detailed report enabled the developers to quickly address the issue, and on March 25, 2025, Google released an update fixing the vulnerability and [thanked us](https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html) for discovering this attack.  
\n\n[![Acknowledgement for finding CVE-2025-2783 (excerpt from security fixes included into Chrome 134.0.6998.177/.178)](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/03/25212201/operation-forumtroll-01.png)](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/03/25212201/operation-forumtroll-01.png)\n\nAcknowledgement for finding CVE-2025-2783 (excerpt from security fixes included into Chrome 134.0.6998.177/.178)  \n\nWe have discovered and reported dozens of zero-day exploits actively used in attacks, but this particular exploit is certainly one of the most interesting we\u2019ve encountered. The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome\u2019s sandbox protection as if it didn\u2019t even exist. The cause of this was a logical error at the intersection of Google Chrome\u2019s sandbox and the Windows operating system. We plan to publish the technical details of this vulnerability once the majority of users have installed the updated version of the browser that fixes it.\n\nOur research is still ongoing, but judging by the functionality of the sophisticated malware used in the attack, it seems the attackers\u2019 goal was espionage. The malicious emails contained invitations supposedly from the organizers of a scientific and expert forum, \u201cPrimakov Readings\u201d, targeting media outlets and educational institutions in Russia. Based on the content of the emails, we dubbed the campaign Operation ForumTroll.  
\n\n[![Example of a malicious email used in this campaign (translated from Russian)](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/03/25212153/operation-forumtroll-02-1.png)](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/03/25212153/operation-forumtroll-02-1.png)\n\nExample of a malicious email used in this campaign (translated from Russian)\n\nAt the time of writing, there\u2019s no exploit active at the malicious link \u2013 it just redirects visitors to the official [website](https://primakovreadings.ru/) of \u201cPrimakov Readings\u201d. However, we strongly advise against clicking on any potentially malicious links.\n\nThe exploit we discovered was designed to run in conjunction with an additional exploit that enables remote code execution. Unfortunately, we were unable to obtain this second exploit, as in this particular case it would have required waiting for a new wave of attacks and exposing users to the risk of infection. Fortunately, patching the vulnerability used to escape the sandbox effectively blocks the entire attack chain.\n\nAll the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack.\n\nWe plan to publish a detailed report with technical details about the zero-day exploit, the sophisticated malware, and the attackers\u2019 techniques.\n\nKaspersky products detect the exploits and malware used in this attack with the following verdicts:\n\n*   Exploit.Win32.Generic\n*   Trojan.Win64.Agent\n*   Trojan.Win64.Convagent.gen\n*   PDM:Exploit.Win32.Generic\n*   PDM:Trojan.Win32.Generic\n*   UDS:DangerousObject.Multi.Generic\n\nIndicators of Compromise\n------------------------\n\n[primakovreadings\\[.\\]info](https://opentip.kaspersky.com/primakovreadings.info/icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______05122bf6e284c4c0&utm_source=SL&utm_medium=SL&utm_campaign=SL)  
", "creation_timestamp": "2025-03-26T07:46:34.006957+00:00", "timestamp": "2025-03-26T07:46:34.006957+00:00", "related_vulnerabilities": ["CVE-2025-2783"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
