**Full Report (excerpt):** A zero-day vulnerability in Google Chrome exploited in Operation ForumTroll earlier this year delivered malware linked to Italian spyware vendor Memento Labs, born after IntheCyber Group acquired the infamous Hacking Team. [...]
# Italian Spyware Vendor Linked to Chrome Zero-Day Attacks
Italian spyware vendor Memento Labs is linked to the exploitation of a zero-day vulnerability in Google Chrome, used in Operation ForumTroll earlier this year.
## Key Points
- A zero-day vulnerability in Google Chrome was exploited in Operation ForumTroll, delivering malware linked to Italian spyware vendor Memento Labs.
- The campaign targeted Russian organizations, including media outlets, universities, research centers, government organizations, and financial institutions.
- Kaspersky researchers attributed the attacks to Memento Labs, citing similarities with Hacking Team's RCS malware.
## Threat Actors
- **Memento Labs**: An Italian spyware vendor formed from Hacking Team after its acquisition by InTheCyber Group in 2019.
- **InTheCyber Group**: A company that acquired Hacking Team's assets and formed Memento Labs.
## TTPs
- Exploiting CVE-2025-2783, a sandbox escape zero-day in the Chrome browser.
- Using phishing emails with personalized links to compromise targets.
- Installing LeetAgent, a modular spyware that supports command execution, file operations, keylogging, and data theft.
## Affected Systems
- Chromium-based web browsers (e.g., Google Chrome).
- Targeted organizations in Russia, Belarus, and potentially other countries.
## Mitigations
- Apply the latest Chrome browser patch (version 134.0.6998.178 or later) to fix CVE-2025-2783.
- Use a reputable antivirus solution to detect and block LeetAgent malware.
- Implement robust security measures, such as two-factor authentication and regular software updates.
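As an added example (not part of the report), a small Python check that parses a Chrome version string and flags anything below the patched build named above; the command-line probe assumes a Linux/macOS host with a `google-chrome` binary on PATH.

```python
import re
import subprocess

# Minimum Chrome build that fixes CVE-2025-2783 (value taken from the report above).
PATCHED_VERSION = "134.0.6998.178"


def parse_version(text):
    """Extract a dotted version such as '134.0.6998.178' from a string like
    'Google Chrome 134.0.6998.178' and return it as a tuple of ints.
    Returns None when no version number is present."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version_text, minimum=PATCHED_VERSION):
    """True when the browser version is at or above the patched build.
    Shorter version strings are right-padded with zeros before comparing,
    and an unparsable string is treated as unpatched (fail closed)."""
    v = parse_version(version_text)
    if v is None:
        return False
    m = parse_version(minimum)
    width = max(len(v), len(m))
    v += (0,) * (width - len(v))
    m += (0,) * (width - len(m))
    return v >= m


def installed_chrome_version(binary="google-chrome"):
    """Ask the local browser for its version string (assumes a Linux/macOS CLI).
    Returns None when the binary is missing or does not respond."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    current = installed_chrome_version()
    if current is None:
        print("Chrome not found on PATH; run this on a host with Chrome installed")
    else:
        state = "patched" if is_patched(current) else "UNPATCHED for CVE-2025-2783"
        print(f"{current}: {state}")
```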
## Conclusion
Memento Labs' involvement in Operation ForumTroll highlights the ongoing threat of advanced spyware tools. Organizations should prioritize browser patching, implement robust security controls, and remain vigilant against targeted attacks.