Concise Cyber

Chrome Zero-Day CVE-2025-2783 Exploited in Operation ForumTroll to Deliver LeetAgent Spyware

A critical zero-day security flaw in Google Chrome, identified as CVE-2025-2783, has been actively exploited to distribute the espionage-related tool known as LeetAgent spyware. This sophisticated spyware originates from the Italian information technology and services provider, Memento Labs. New findings from Kaspersky confirm the exploitation of this now-patched vulnerability.

Understanding the Exploitation Campaign

The campaign leveraging CVE-2025-2783 has been dubbed Operation ForumTroll by Kaspersky. It specifically targets organizations located in Russia. Other cybersecurity firms track this cluster under different names, including TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE. Evidence shows that this operation has been active since at least February 2024.

The infection process involved sending highly personalized, short-lived phishing emails. These emails contained links inviting recipients to the Primakov Readings forum. Clicking these malicious links via Google Chrome or any Chromium-based web browser was sufficient to trigger the exploit for CVE-2025-2783, allowing attackers to bypass browser security measures.

The Vulnerability: CVE-2025-2783

The vulnerability in question, CVE-2025-2783, carries a CVSS score of 8.3, indicating a high severity risk. Kaspersky initially disclosed this flaw in March 2025, confirming its active exploitation. It is categorized as a sandbox escape vulnerability: once the exploit was triggered, it enabled attackers to break out of the confined environment of the browser’s sandbox, facilitating the delivery of the LeetAgent spyware.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
