Chrome Zero-Day Exploited by "Mem3nt0 mori" APT to Deploy Spyware

October 29, 2025

Executive Summary

A critical zero-day vulnerability in Google Chrome and other Chromium-based browsers, tracked as CVE-2025-2783, was exploited in the wild as part of a sophisticated espionage campaign. Research from Kaspersky attributes the campaign, named "Operation ForumTroll," to the Mem3nt0 mori APT group (also tracked as ForumTroll APT and TaxOff). Starting in March 2025, the attackers used highly targeted spear-phishing emails to lure victims into clicking a malicious link, which triggered the exploit and led to the deployment of the LeetAgent spyware. The spyware is reportedly developed by the Italian vendor Memento Labs. The campaign primarily targeted government, financial, research, and educational institutions in Russia and Belarus.


Threat Overview

"Operation ForumTroll" is a classic example of a state-sponsored or state-aligned espionage operation, characterized by its use of a zero-day exploit, custom malware, and highly targeted social engineering.

Attack Chain:

  1. Initial Access: Victims received personalized spear-phishing emails with invitations to a forum. The emails contained a malicious link (T1566.002 - Phishing: Spearphishing Link).
  2. Exploitation: Clicking the link directed the victim's browser to an exploit server. The server leveraged CVE-2025-2783 and a sandbox escape exploit to gain code execution on the victim's machine without further user interaction (T1211 - Exploitation for Client Execution).
  3. Payload Delivery: Once code execution was achieved, the exploit chain downloaded and installed a backdoor known as LeetAgent.

Technical Analysis

  • Vulnerability (CVE-2025-2783): While the specific details of the Chrome vulnerability are not public, it was severe enough to be exploited for remote code execution and was considered a zero-day at the time of the attacks.
  • Threat Actor (Mem3nt0 mori): This APT group demonstrates a high level of sophistication. Researchers noted their proficiency in the Russian language and familiarity with local customs, suggesting a deep focus on the region. However, mistakes in other campaigns indicate they may not be native speakers. Separate research from Positive Technologies linked an identical cluster of activity (tracked as TaxOff) using the same CVE to deploy a backdoor named Trinper, confirming the connection between these operations.
  • Malware (LeetAgent): This backdoor is a powerful espionage tool developed by the controversial Italian spyware vendor Memento Labs. Its capabilities likely include file exfiltration, command execution, and capturing sensitive user data.

Impact Assessment

The campaign successfully compromised multiple organizations within strategic sectors in Russia and Belarus. The primary impact is espionage and the theft of sensitive government, financial, and scientific information. The use of a commercial spyware tool like LeetAgent highlights the growing and controversial market for offensive cyber capabilities, where private companies develop and sell powerful hacking tools to government clients.

  • Targets: Universities, research centers, financial institutions, and government agencies.
  • Geographies: Russia and Belarus.

Detection & Response

  • Browser Update: The most critical step is to ensure all Chrome and Chromium-based browsers (e.g., Microsoft Edge, Brave) are updated to a version that patches CVE-2025-2783.
  • Network Traffic Analysis: Monitor for network connections to known C2 infrastructure associated with Mem3nt0 mori or Memento Labs. Analyze DNS requests and HTTP/S traffic for suspicious patterns.
  • Endpoint Analysis: Use an EDR solution to hunt for indicators of the LeetAgent or Trinper backdoors, such as specific file names, registry keys for persistence, or anomalous processes spawned by the browser.
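The last bullet above, hunting for anomalous processes spawned by the browser, is the one of the three that can be expressed as a concrete check. The following is an added example written for this advisory; it is not code from the original report or from any vendor named in it. It parses constructed, Sysmon-style process-creation records (the pipe-delimited field layout, host names, paths and the allowlist of expected Chromium child processes are all assumptions) and flags any Chromium-based browser that is the parent of a command interpreter, or of a child outside the expected set. The same parent/child logic is what an EDR policy implementing the "Execution Prevention" mitigation below would block rather than merely report.

```python
"""Hunt for Chromium-based browsers spawning unexpected child processes.

Added example for this advisory, not code from the original report.
Input records are constructed, Sysmon-style process-creation events with
five pipe-delimited fields (assumed layout):
    ts|host|parent_image|image|cmdline
"""
import ntpath
from typing import Dict, List, Optional

# Chromium-based browsers named in the advisory (Chrome, Edge, Brave) plus
# the bare Chromium binary.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Interpreters and LOLBins a browser should never launch directly.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Children a Chromium browser legitimately spawns (assumed allowlist; a
# real deployment would derive this from its own baseline).
EXPECTED_CHILDREN = BROWSERS | {"notification_helper.exe",
                                "chrome_pwa_launcher.exe"}

FIELDS = ("ts", "host", "parent_image", "image", "cmdline")

# Constructed sample telemetry. Hosts, times and paths are made up.
SAMPLE_EVENTS = [
    # Normal: the browser spawning one of its own renderer processes.
    r"2025-03-12T09:14:03Z|WS-017|C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe --type=renderer",
    # Suspicious: browser spawning cmd.exe with a chained command.
    r"2025-03-12T09:14:09Z|WS-017|C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|C:\Windows\System32\cmd.exe|cmd.exe /c whoami | findstr /i admin",
    # Suspicious: Edge spawning PowerShell.
    r"2025-03-12T09:20:41Z|WS-022|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden",
    # Out of scope for this hunt: explorer launching PowerShell.
    r"2025-03-12T09:31:00Z|WS-022|C:\Windows\explorer.exe"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe",
    # Worth a look: browser spawning an unknown binary from a temp directory.
    r"2025-03-12T09:45:12Z|WS-031|C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|C:\Users\alice\AppData\Local\Temp\update.exe|update.exe /silent",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into its fields; the last field (cmdline) may itself
    contain '|' so only the first four separators are honoured."""
    parts = line.split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed record: {line!r}")
    return dict(zip(FIELDS, (p.strip() for p in parts)))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes
    regardless of the host OS the hunt runs on)."""
    return ntpath.basename(path).lower()


def assess(event: Dict[str, str]) -> Optional[str]:
    """Return a severity for a browser-parented event, or None if benign or
    out of scope."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in BROWSERS:
        return None  # not a browser child process; other hunts cover it
    if child in INTERPRETERS:
        return "high"
    if child not in EXPECTED_CHILDREN:
        return "medium"
    return None


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Run the assessment over raw records and return enriched findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        severity = assess(event)
        if severity is not None:
            findings.append({**event,
                             "severity": severity,
                             "parent": basename(event["parent_image"]),
                             "child": basename(event["image"])})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']}: "
              f"{f['parent']} -> {f['child']} ({f['cmdline']})")
```

Run against the constructed sample it reports the cmd.exe and powershell.exe launches as high and the Temp-directory binary as medium, while the renderer spawn and the explorer-launched PowerShell produce nothing. Tuning lives in the two sets at the top: widen `INTERPRETERS` to match your environment's LOLBin list, and populate `EXPECTED_CHILDREN` from a clean baseline before trusting the medium-severity findings.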

Mitigation

  • Patch Management (D3-SU): Maintain a strict and rapid patch management policy for web browsers and all other client-side software. Enable automatic updates wherever possible.
  • User Training (D3-UT): Train users to identify and report sophisticated spear-phishing emails. Emphasize that even emails that seem highly relevant and personalized can be malicious.
  • Email Security Gateway: Deploy an advanced email security solution that can analyze links at time-of-click to block connections to known malicious or newly registered domains.
  • Execution Prevention: Configure endpoint security policies to limit the ability of browser processes to spawn child processes like cmd.exe or powershell.exe.

Timeline of Events

  1. October 29, 2025: This article was published.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise:

  • Threat Intelligence & Analysis
  • Security Orchestration (SOAR/XSOAR)
  • Incident Response & Digital Forensics
  • Security Operations Center (SOC)
  • SIEM & Security Analytics
  • Cyber Fusion & Threat Sharing
  • Security Automation & Integration
  • Managed Detection & Response (MDR)
