Chrome Zero-Day Exploited to Deliver Italian Memento Labs’ LeetAgent Spyware

A zero-day vulnerability in Google Chrome, identified as CVE-2025-2783, was recently exploited in the wild to deliver the LeetAgent spyware. This spyware has been linked to the Italian vendor Memento Labs, previously known as Hacking Team. The vulnerability, a sandbox escape, allowed attackers to bypass Chrome’s security protections and target organizations in Russia and Belarus. A similar vulnerability, CVE-2025-2857, also impacted Firefox.


Operation ForumTroll

The attacks were part of a campaign named “Operation ForumTroll” and orchestrated by the APT group ForumTroll (also tracked as TaxOff/Team 46/Prosperous Werewolf). This group has been active since at least February 2024 and is known for its proficiency in the Russian language. The campaign targeted various entities, including media outlets, universities, research centers, government organizations, and financial institutions in Russia and Belarus.

The attackers used spear-phishing emails with personalized links to the Primakov Readings forum. When a user clicked on these links using Google Chrome or a Chromium-based browser, the exploit for CVE-2025-2783 was triggered, allowing the attackers to escape the browser’s sandbox and deliver tools developed by Memento Labs.


Technical Details of CVE-2025-2783

The root cause of CVE-2025-2783 lies in the incorrect handle validation within the Mojo Inter-Process Communication (IPC) system on Windows. Attackers manipulated Chrome’s IPC system to transform a pseudo-handle into a valid, usable handle within the browser process. This allowed them to execute arbitrary code with the browser’s privileges, effectively bypassing the sandbox.


LeetAgent and Dante Spyware

The attackers deployed a previously undocumented spyware called LeetAgent, known for using leetspeak in its command structure. LeetAgent is capable of connecting to a command-and-control (C2) server over HTTPS, receiving instructions to perform a range of tasks, including:

  • Running commands using cmd.exe
  • Executing processes
  • Stopping tasks
  • Injecting shellcode
  • Reading and writing files
  • Keylogging and file stealing (targeting documents, spreadsheets, and PDFs)

Kaspersky’s analysis uncovered that LeetAgent was also used to deploy another, more sophisticated spyware named Dante. Dante has code similarities with Hacking Team’s Remote Control Systems (RCS) spyware, leading researchers to attribute it to Memento Labs. Dante employs several techniques to evade detection, including VMProtect obfuscation, anti-debugging checks, and dynamic API resolution.


Tactics, Techniques, and Procedures (TTPs)

The attackers employed various MITRE ATT&CK tactics and techniques in this campaign:

  • TA0001 – Initial Access: Phishing emails were used to lure victims to malicious sites.
  • TA0002 – Execution: The CVE-2025-2783 exploit was used to achieve code execution.
  • TA0003 – Persistence: COM hijacking was used to ensure malware persistence.
  • TA0005 – Defense Evasion: Techniques such as obfuscated files and anti-debugging measures were employed.
  • TA0011 – Command and Control: LeetAgent and Dante connected to C2 servers over HTTPS.
  • TA0009 – Collection: Keylogging and file stealing were used to gather data.
  • TA0010 – Exfiltration: Data was exfiltrated over C2 channels.
  • T1566 – Phishing: Spear-phishing emails were used to deliver malicious links.
  • T1203 – Exploitation for Client Execution: CVE-2025-2783 was exploited to execute code.
  • T1547 – Boot or Logon Autostart Execution: COM hijacking ensured persistent execution.
  • T1027 – Obfuscated Files or Information: Code and data were obfuscated to evade detection.
  • T1071 – Application Layer Protocol: HTTPS was used for C2 communication.
  • T1005 – Data from Local System: Data was collected from local systems.
  • T1041 – Exfiltration Over C2 Channel: Exfiltration occurred over the C2 channel.
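A defender-side check for the persistence technique listed above (T1547, COM hijacking): flag per-user CLSID registrations that shadow a machine-wide one or whose InprocServer32 DLL sits in a user-writable directory. This is an added example, not code from the article or from Kaspersky; the registry records, CLSIDs and paths are constructed sample data, and the heuristic is a general one rather than the specific keys this campaign used.

```python
import re
from dataclasses import dataclass

# Directories a standard user can write to; a COM server DLL here is suspicious.
USER_WRITABLE = re.compile(
    r"^(?:%(?:appdata|localappdata|temp|tmp|userprofile)%\\|c:\\users\\[^\\]+\\)",
    re.IGNORECASE,
)
# Well-formed {8-4-4-4-12} GUID, as used for CLSID key names.
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


@dataclass(frozen=True)
class ComServer:
    hive: str    # "HKCU" or "HKLM"
    clsid: str   # key name under ...\Software\Classes\CLSID
    dll: str     # default value of the CLSID's InprocServer32 subkey


def find_com_hijacks(servers):
    """Return (clsid, dll, reason) for HKCU COM servers that look hijacked.

    HKCU\\Software\\Classes is consulted before HKLM, so a per-user entry that
    duplicates a machine-wide CLSID silently replaces the legitimate server.
    """
    hklm = {s.clsid.lower() for s in servers if s.hive == "HKLM"}
    findings = []
    for s in servers:
        if s.hive != "HKCU" or not CLSID_RE.match(s.clsid):
            continue
        dll = s.dll.strip().strip('"')
        if s.clsid.lower() in hklm:
            findings.append((s.clsid, dll, "per-user entry shadows the HKLM registration"))
        elif USER_WRITABLE.match(dll):
            findings.append((s.clsid, dll, "InprocServer32 points into a user-writable path"))
    return findings


# Constructed sample export (synthetic CLSIDs and paths, no real host data).
SAMPLE = [
    ComServer("HKLM", "{00000000-1111-2222-3333-444444444444}", r"C:\Windows\System32\legit.dll"),
    ComServer("HKCU", "{00000000-1111-2222-3333-444444444444}", r"C:\Users\alice\AppData\Roaming\upd.dll"),
    ComServer("HKCU", "{00000000-5555-6666-7777-888888888888}", r'"%LOCALAPPDATA%\cache\helper.dll"'),
    ComServer("HKCU", "{00000000-9999-AAAA-BBBB-CCCCCCCCCCCC}", r"C:\Program Files\Vendor\plugin.dll"),
    ComServer("HKCU", "not-a-clsid", r"C:\Users\alice\x.dll"),
]

if __name__ == "__main__":
    for clsid, dll, reason in find_com_hijacks(SAMPLE):
        print(f"{clsid} -> {dll}: {reason}")
```

On a live Windows host the same records would be read with winreg or taken from an EDR registry export; the heuristic itself is unchanged.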

Mitigation & Recommendations

To protect against similar attacks, it is crucial to:

  • Update Google Chrome to version 134.0.6998.177 or later to patch CVE-2025-2783.
  • Update Firefox to version 136.0.4 to address CVE-2025-2857.
  • Enable enhanced safe browsing in Chrome to provide additional protection against malicious websites and downloads.
  • Be vigilant against phishing emails, especially those containing personalized links or invitations.
  • Monitor systems for indicators of compromise (IOCs) associated with LeetAgent and Dante spyware.
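To apply the first two recommendations across a fleet, the check below reads a browser inventory and reports which hosts are still below the fixed builds named above (Chrome 134.0.6998.177 for CVE-2025-2783, Firefox 136.0.4 for CVE-2025-2857). It is an added example, not the article's or vendor's code; the CSV rows and host names are constructed, and the inventory format is an assumption.

```python
# Fixed versions and CVE identifiers as stated in the article above.
FIXED = {
    "chrome": ((134, 0, 6998, 177), "CVE-2025-2783"),
    "firefox": ((136, 0, 4), "CVE-2025-2857"),
}


def parse_version(text):
    """'134.0.6998.89' -> (134, 0, 6998, 89); None if not a dotted integer string."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def at_least(installed, required):
    """Compare version tuples of unequal length (136.0.4 == 136.0.4.0)."""
    n = max(len(installed), len(required))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(installed) >= pad(required)


def unpatched_hosts(inventory_lines):
    """Map host -> list of CVEs (or a parse problem) still open on that host.

    Each inventory line is assumed to be 'host,product,version'; '#' lines
    and blank lines are ignored, products other than the two above are skipped.
    """
    result = {}
    for line in inventory_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if product.lower() not in FIXED:
            continue
        fixed_version, cve = FIXED[product.lower()]
        installed = parse_version(version)
        if installed is None:
            result.setdefault(host, []).append(f"unparseable version {version!r}")
        elif not at_least(installed, fixed_version):
            result.setdefault(host, []).append(cve)
    return result


# Constructed sample inventory (synthetic hosts, no real data).
INVENTORY = [
    "# host,product,version",
    "ws-01, Chrome, 134.0.6998.89",
    "ws-02, chrome, 134.0.6998.177",
    "ws-03, Chrome, 135.0.7049.41",
    "ws-04, Firefox, 136.0.3",
    "ws-05, firefox, 136.0.4",
    "ws-06, Chrome, unknown",
]
```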

Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.