Full Report
The notorious Mem3nt0 mori hacker group has been actively exploiting a zero-day vulnerability in Google Chrome, compromising high-profile targets across Russia and Belarus. Dubbed CVE-2025-2783, this flaw allowed attackers to bypass Chrome’s robust sandbox protections with minimal user interaction, leading to the deployment of sophisticated spyware. Discovered by Kaspersky researchers in March 2025, Google swiftly […] The post Chrome 0-Day Vulnerability Actively Exploited in Attacks by Notorious Hacker Group appeared first on Cyber Security News.
Analysis Summary
# Incident Report: Chrome Zero-Day Exploitation by Mem3nt0 mori (ForumTroll)
## Executive Summary
The notorious Mem3nt0 mori hacker group exploited a zero-day vulnerability (CVE-2025-2783) in Google Chrome to compromise high-profile targets across Russia and Belarus. The flaw allowed a sandbox escape, enabling the deployment of sophisticated LeetAgent spyware via personalized phishing campaigns. The vulnerability was discovered by Kaspersky researchers in March 2025, leading to a swift patch by Google, though not before targeted infections occurred.
## Incident Details
- **Discovery Date:** March 2025 (by Kaspersky researchers)
- **Incident Date:** Not stated precisely; active exploitation occurred before or shortly after the March 2025 discovery and patch (the source article's October 27, 2025 publication date suggests the campaign remained relevant).
- **Affected Organization:** High-profile targets including media outlets, universities, government agencies, and financial institutions.
- **Sector:** Government, Academia, Media, Finance.
- **Geography:** Russia and Belarus.
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly defined, but occurred leading up to the reporting date.
- **Vector:** Personalized phishing emails (mimicking invitations to the Primakov Readings forum).
- **Details:** Victims received emails in Russian luring them to malicious websites. Infections were drive-by: a single visit to the link was sufficient, with no further user interaction required.
### Lateral Movement
- **Date/Time:** Post-Sandbox Escape.
- **Vector:** COM Hijacking and Registry Overrides.
- **Details:** A persistent loader injected malware by overriding Windows registry entries for legitimate components (e.g., `twinapi.dll`), ensuring execution within system processes such as `rdpclip.exe`.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during persistence phase.
- **Impact:** Deployment of LeetAgent spyware for espionage, keylogging, file theft (targeting documents, PDFs, spreadsheets), and process injection.
### Detection & Response
- **Date/Time:** March 2025 (Discovery by Kaspersky).
- **Detection:** Kaspersky researchers identified the exploitation chain, naming the operation "ForumTroll."
- **Response actions taken:** Google issued a patch for CVE-2025-2783 (Chrome version **134.0.6998.177** or later).
## Attack Methodology
- **Initial Access:** Drive-by download exploit targeting **CVE-2025-2783** (Mojo IPC incorrect handle validation leading to sandbox escape on Windows).
- **Persistence:** COM Hijacking and registry manipulation injected a persistent loader into legitimate processes (`rdpclip.exe`).
- **Privilege Escalation:** Successful sandbox escape via the zero-day vulnerability allowed code execution in a privileged context.
- **Defense Evasion:** Payload obfuscated with **OLLVM** and encrypted using modified **ChaCha20**. Phishing validation script used **WebGPU** to confirm genuine visitor interaction, thwarting automated scanners.
- **Credential Access:** Keylogging capability inherent to the LeetAgent spyware.
- **Discovery:** Implicit within spyware functions, likely targeting specific file types (docs, PDFs, spreadsheets).
- **Lateral Movement:** Achieved through registry/component hijacking to ensure malware persistence across sessions.
- **Collection:** Targeted file theft of sensitive documents.
- **Exfiltration:** Not detailed, but implied via spyware communication.
- **Impact:** Espionage and intelligence gathering targeting critical infrastructure and government entities.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Theft of sensitive corporate, government, and academic documents/data from compromised high-profile targets.
- **Operational:** Disruption of business processes at targeted media outlets, universities, and financial institutions due to espionage and monitoring.
- **Reputational:** Significant reputational damage to targeted organizations and increased scrutiny on Google Chrome security practices.
## Indicators of Compromise
- **Network indicators (Defanged):** (None provided in the text)
- **File indicators:** LeetAgent spyware (payload obfuscated via OLLVM and encrypted via modified ChaCha20).
- **Behavioral indicators:** Exploitation chaining involving WebGPU validation, ECDH key exchange for decryption, and use of COM hijacking targeting `twinapi.dll` for code injection into `rdpclip.exe`.
## Response Actions
*(Note: Actions listed are inferred based on the available data regarding discovery and patching)*
- **Containment measures:** (Inferred) Organizations likely disconnected infected machines upon discovery and blocked related network traffic.
- **Eradication steps:** (Inferred) Removal of the LeetAgent spyware and remediation of registry entries used for persistence.
- **Recovery actions:** (Inferred) Rebuilding systems from secure backups and enforcing immediate browser updates to version 134.0.6998.177 or higher.
## Lessons Learned
- Zero-day exploitation, even against widely used software like Chrome, remains a primary attack vector for sophisticated threat actors like Mem3nt0 mori.
- The use of multi-stage, highly customized infection chains (including WebGPU vetting) effectively bypasses traditional automated security measures.
- Insider knowledge or dedicated research (Kaspersky's GReAT team) is often required to unravel complex sandbox escape techniques involving low-level OS components (Mojo IPC, V8 inspector).
## Recommendations
- Enforce immediate patching and ensure all instances of Google Chrome are running version 134.0.6998.177 or later.
- Implement advanced endpoint detection and response (EDR) tools capable of monitoring low-level system calls, COM object manipulation, and unusual process injection into core Windows components (like `rdpclip.exe`).
- Enhance user training to recognize highly personalized, contextually relevant phishing attempts (e.g., lures built around specific events such as the Primakov Readings).
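The persistence technique described under Lateral Movement (a per-user COM registration that overrides the entry for a legitimate component such as `twinapi.dll`) and the two recommendations above (enforce the patched Chrome build, monitor COM object manipulation) can both be checked from a host with one audit script. The following is an added example, not code from the article, from Kaspersky, or from Google. It assumes a Windows host with PowerShell 5.1 or later and the standard Chrome install locations; the minimum build `134.0.6998.177` is taken from the report. The report does not state which CLSID the loader hijacked or how it maps to `rdpclip.exe`, so the script reports every per-user `InprocServer32` entry that shadows a machine-wide one, plus any entry that names `twinapi.dll` from outside `System32`, rather than looking for a specific identifier.

```powershell
# Added example (not the article's or any vendor's code): audit a Windows host for
# (1) an unpatched Chrome build and (2) per-user COM registrations that shadow
# machine-wide ones, the pattern behind the COM hijacking described in the report.
# Assumptions: standard Chrome install paths; watched DLL name taken from the report.

$FixedChromeVersion = [version]'134.0.6998.177'        # first fixed build per the report
$SystemDir = [Environment]::GetFolderPath('System')     # usually C:\Windows\System32

function Get-InstalledChromeVersions {
    # Per-machine and per-user installs; chrome.exe itself carries the product version.
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    foreach ($exe in $candidates) {
        if (Test-Path -LiteralPath $exe) {
            $v = [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
            [pscustomobject]@{
                Path    = $exe
                Version = $v
                Patched = ($v -ge $FixedChromeVersion)
            }
        }
    }
}

function Find-UserComOverrides {
    # COM activation consults HKCU\Software\Classes before HKLM\Software\Classes, so a
    # per-user InprocServer32 value silently replaces the DLL a system process would load.
    # Flag (a) per-user entries whose DLL path differs from the machine-wide registration
    # and (b) entries naming a watched DLL (twinapi.dll in the report) outside System32.
    param([string[]]$WatchedDll = @('twinapi.dll'))

    $userRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }

    foreach ($key in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        $clsid      = $key.PSChildName
        $userServer = "$userRoot\$clsid\InprocServer32"
        if (-not (Test-Path $userServer)) { continue }

        $userDll = (Get-ItemProperty -Path $userServer -ErrorAction SilentlyContinue).'(default)'
        if (-not $userDll) { continue }
        $userDll = [Environment]::ExpandEnvironmentVariables($userDll.Trim('"'))

        $machineServer = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $machineDll = $null
        if (Test-Path $machineServer) {
            $machineDll = (Get-ItemProperty -Path $machineServer -ErrorAction SilentlyContinue).'(default)'
            if ($machineDll) {
                $machineDll = [Environment]::ExpandEnvironmentVariables($machineDll.Trim('"'))
            }
        }

        $reasons = @()
        if ($machineDll -and ($userDll -ne $machineDll)) {      # -ne is case-insensitive
            $reasons += 'per-user entry shadows machine-wide registration'
        }
        $leaf = [IO.Path]::GetFileName($userDll)
        if (($WatchedDll -contains $leaf) -and
            -not $userDll.StartsWith($SystemDir, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "watched DLL '$leaf' loaded from outside $SystemDir"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                CLSID      = $clsid
                UserDll    = $userDll
                MachineDll = $machineDll
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

# Run both checks and print the results.
Get-InstalledChromeVersions | Format-Table -AutoSize
Find-UserComOverrides        | Format-Table -AutoSize
```

Run it in the context of each interactive user, since the hijack lives under that user's `HKCU` hive. Per-user COM registrations are not malicious by themselves (user-installed applications create them legitimately), so treat the output as a triage list: the entries worth escalating are those whose CLSID is loaded by a system process such as `rdpclip.exe`, whose DLL lives in a user-writable directory, or whose DLL name matches a Windows component while the path does not.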