Concise Cyber

Operation ForumTroll Uncovers “Dante,” the Successor to Hacking Team’s Spyware

Cybersecurity researchers have uncovered a sophisticated espionage campaign, dubbed “Operation ForumTroll,” that utilized a Google Chrome zero-day exploit to deploy a previously unseen commercial spyware. The campaign targeted various organizations in Russia and Belarus, including media outlets, universities, and government entities, with the primary goal of espionage.

Attackers initiated the infection through highly convincing spear-phishing emails disguised as invitations to the Primakov Readings forum. These emails contained personalized, short-lived links that, when visited by a Chromium-based browser, triggered the exploit without further user interaction.

Chrome Zero-Day and LeetAgent Payload

The campaign’s success hinged on CVE-2025-2783, a powerful zero-day sandbox escape vulnerability. The exploit leveraged an obscure logical flaw in how Windows API pseudo handles were processed, allowing attackers to bypass Chrome’s security measures. The initial malware deployed was a custom spyware named “LeetAgent,” which established persistence through COM hijacking and was capable of keylogging, file-stealing, and downloading additional tools.
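A defender's check for the COM hijacking persistence mentioned above, as an added example that is not taken from the original report: it lists per-user COM server registrations and flags those that shadow a machine-wide registration or load from a user-writable directory. The page names no specific CLSID, so the script surveys every per-user entry; the registry roots and the list of user-writable directory names are assumptions of this example.

```powershell
# Added example: read-only survey of per-user COM registrations (HKCU overrides HKLM
# when a process running as that user resolves a CLSID). Run as the user being checked.
$userRoot    = 'HKCU:\Software\Classes\CLSID'
$machineRoot = 'HKLM:\Software\Classes\CLSID'
$serverKeys  = 'InprocServer32', 'LocalServer32'

function Get-DefaultValue([string]$Path) {
    # Return the (Default) value of a registry key, or nothing if the key is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

$findings = foreach ($clsid in Get-ChildItem -LiteralPath $userRoot -ErrorAction SilentlyContinue) {
    foreach ($name in $serverKeys) {
        $userServer = Get-DefaultValue (Join-Path $clsid.PSPath $name)
        if (-not $userServer) { continue }

        # Same CLSID and server key under the machine-wide hive, if it exists.
        $machinePath   = Join-Path $machineRoot (Join-Path $clsid.PSChildName $name)
        $machineServer = Get-DefaultValue $machinePath

        [pscustomobject]@{
            CLSID          = $clsid.PSChildName
            ServerKey      = $name
            UserServer     = $userServer
            MachineServer  = $machineServer
            # True when the per-user entry redirects a CLSID that is also registered machine-wide.
            ShadowsMachine = [bool]$machineServer -and ($userServer -ne $machineServer)
            # True when the server binary sits in a directory a standard user can write to
            # (assumed list; adjust for the environment).
            UserWritable   = $userServer -match '\\(AppData|Temp|ProgramData|Users\\Public)\\'
        }
    }
}

$findings |
    Sort-Object ShadowsMachine, UserWritable -Descending |
    Format-Table -AutoSize -Wrap
```

Legitimate per-user software also registers COM servers under AppData, so the output is a triage list: entries with both flags set are the ones to verify first against file signatures and creation times.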

The Rebirth of Hacking Team

Further investigation revealed that in some attacks, LeetAgent was used to launch a far more advanced payload. Researchers successfully identified this malware as “Dante,” the new flagship spyware from the Italian company Memento Labs—the rebranded successor to the notorious Hacking Team. This marks the first time Dante has been discovered in a live attack. The spyware is heavily protected with VMProtect, features extensive anti-analysis and anti-debugging techniques, and uses a modular architecture, confirming its status as a sophisticated surveillance tool built for government-level clients.

Source: https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/