Chrome Zero-Day Exploited to Deploy LeetAgent Spyware by Italian Memento Labs

A newly uncovered cyber espionage operation has revealed that a now-patched Google Chrome zero-day vulnerability was exploited to deploy a sophisticated spyware known as LeetAgent. According to research from Kaspersky, the operation has been linked to the Italian IT and security firm Memento Labs, known for developing surveillance tools.

Operation ForumTroll and the Chrome Vulnerability

The exploited vulnerability, tracked as CVE-2025-2783 (CVSS 8.3), is a sandbox escape flaw in Google Chrome. A sandbox escape by itself does not give an attacker code execution in the browser; its value is that, once attacker code is running in a sandboxed renderer, it lets that code break out and run on the host with the user's privileges. Kaspersky first disclosed the vulnerability in March 2025, noting that it had been actively exploited as part of a cyber-espionage campaign called Operation ForumTroll, which primarily targeted organizations in Russia.

Other cybersecurity firms have tracked the same activity under different names, including TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE, with evidence showing the group has been active since at least February 2024.

Attack Chain and Infection Vector

The campaign relied on phishing emails containing personalized, short-lived links that invited victims to attend the Primakov Readings forum. Opening such a link in Google Chrome or another Chromium-based browser was enough to trigger the exploit for CVE-2025-2783; no further interaction was required. Once outside Chrome's sandbox, the attackers deployed spyware tools developed by Memento Labs.

Memento Labs: The Italian Connection

Memento Labs, headquartered in Milan, Italy, was founded in April 2019 after the merger of InTheCyber Group and the infamous Hacking Team. Hacking Team was previously known for selling intrusion and surveillance technologies to government agencies and corporations, and had created spyware capable of tracking Tor browser activity.

In 2015, the Hacking Team suffered a massive data breach that leaked hundreds of gigabytes of internal tools and exploits, including the VectorEDK framework, which later became the foundation for the MosaicRegressor UEFI bootkit. The company’s export license was revoked in 2016 following the scandal, restricting its operations outside Europe.

Espionage-Focused Targeting

The recent attacks documented by Kaspersky revealed spear-phishing campaigns aimed at media organizations, universities, research centers, financial institutions, and government bodies across Russia and Belarus.

According to Boris Larin, Principal Security Researcher at Kaspersky GReAT, “This was a targeted spear-phishing operation, not a broad or random campaign.” Multiple intrusions were observed across sensitive sectors, highlighting a clear espionage objective.

The LeetAgent Spyware

Before the exploit was served, a validator script ran in the visitor's browser to check that the visitor was a real user rather than an automated system. Only then was the Chrome zero-day used to escape the sandbox, moving code execution from the sandboxed renderer onto the host, where a loader was installed that in turn deployed the LeetAgent spyware.

LeetAgent connects to a command-and-control (C2) server over HTTPS and can execute several malicious tasks, including:

  • Run commands using cmd.exe
  • Execute processes
  • Read and write files
  • Inject shellcode
  • Change directories
  • Modify communication parameters
  • Start or stop tasks
  • Harvest files with extensions such as .doc, .pdf, .pptx, and .xlsx
  • Perform keylogging and data theft

Researchers traced this malware back to 2022, linking it to other phishing campaigns targeting Russian and Belarusian entities.