Chrome Zero-Day CVE-2025-2783: Italian Spyware Vendor Memento Labs
Italian spyware vendor Memento Labs exploited Chrome zero-day CVE-2025-2783 in Operation ForumTroll, targeting Russian organizations with sophisticated LeetAgent malware. The attack demonstrates alarming advances in commercial surveillance capabilities and in browser sandbox-escape techniques.
Memento Labs, an Italian spyware vendor formerly known as Hacking Team, has been linked to Operation ForumTroll. The campaign exploited CVE-2025-2783, a critical Chrome zero-day vulnerability targeting Russian organizations. Attackers deployed LeetAgent spyware through sophisticated phishing emails disguised as forum invitations. The malware utilizes VMProtect obfuscation, AES-256-CBC encryption, and establishes persistence via COM hijacking. The technical sophistication reveals concerning advancements in commercial surveillance capabilities.
Operation ForumTroll: Timeline and Targeting Strategy
Kaspersky researchers identified the cyberespionage campaign in March 2025, discovering attackers exploiting CVE-2025-2783, a severe Chrome zero-day vulnerability.
The operation strategically targeted Russian organizations across multiple sectors, including media, academia, government, and finance.
The attack methodology involved sophisticated phishing emails disguised as invitations to the Primakov Readings forum that contained personalized malicious links. Upon clicking, victims triggered automatic malware execution in Chromium-based browsers without requiring additional interaction.
Significantly, the campaign used a sandbox-escape technique to circumvent Chrome's security architecture.
Technical analysis linked the deployed malware to Memento Labs' Dante spyware, a surveillance tool previously associated with Hacking Team.
This connection suggests the operation was carried out by actors with access to commercial-grade surveillance technology rather than by typical cybercriminal groups.
Anatomy of the CVE-2025-2783 Exploit Chain
The CVE-2025-2783 exploit chain is one of the most sophisticated Chrome sandbox-escape vulnerabilities discovered in recent years. Attributed to an Italian vendor, this exploit targeted critical flaws in Chrome's IPC code that failed to correctly validate pseudo-handles, allowing attackers to convert them into legitimate thread handles.
The attack leveraged the behaviour of specific Windows API functions, notably the pseudo-handle returned by GetCurrentThread and related calls, to achieve remote code execution by suspending threads and manipulating register values.
Once the Chrome sandbox was compromised, the exploit chain loaded a malicious DLL that decrypted and executed the LeetAgent spyware.
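The root cause described above is a privileged process accepting a handle value from a sandboxed peer without checking whether it is one of the Windows pseudo-handles, which the kernel resolves relative to whichever process uses them. The following check is an added example written for this article, not Chrome's or Kaspersky's code; it assumes only the pseudo-handle values documented by Microsoft, and the handle values it tests are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Real kernel-object handle values are small positive integers whose low two
 * bits are zero.  Pseudo-handles are negative sentinels: a value that means
 * "my own thread" inside a sandboxed renderer means "the broker's own thread"
 * once the broker passes it to DuplicateHandle(), which is the class of
 * confusion behind the sandbox escape discussed in this article. */
enum {
    PSEUDO_CURRENT_PROCESS          = -1,  /* GetCurrentProcess(), also INVALID_HANDLE_VALUE */
    PSEUDO_CURRENT_THREAD           = -2,  /* GetCurrentThread() */
    PSEUDO_CURRENT_PROCESS_TOKEN    = -4,  /* GetCurrentProcessToken() */
    PSEUDO_CURRENT_THREAD_TOKEN     = -5,  /* GetCurrentThreadToken() */
    PSEUDO_CURRENT_THREAD_EFF_TOKEN = -6   /* GetCurrentThreadEffectiveToken() */
};

/* Names the specific sentinel so a rejection can be logged precisely. */
bool is_pseudo_handle(intptr_t h) {
    switch (h) {
    case PSEUDO_CURRENT_PROCESS:       case PSEUDO_CURRENT_THREAD:
    case PSEUDO_CURRENT_PROCESS_TOKEN: case PSEUDO_CURRENT_THREAD_TOKEN:
    case PSEUDO_CURRENT_THREAD_EFF_TOKEN:
        return true;
    default:
        return false;
    }
}

/* Broker-side gate: run on every handle value received over IPC from a
 * less-privileged process before it reaches DuplicateHandle() or any
 * other API that would interpret it in the broker's context. */
const char *classify_ipc_handle(intptr_t h) {
    if (is_pseudo_handle(h)) return "reject: pseudo-handle";
    if (h <= 0)              return "reject: not a handle value";
    if (h & 0x3)             return "reject: low bits set, not a kernel handle";
    return "accept";
}

bool ipc_handle_is_acceptable(intptr_t h) {
    return classify_ipc_handle(h)[0] == 'a';
}

int main(void) {
    /* Constructed sample values: two plausible real handles, the thread
     * pseudo-handle, NULL, and a mis-aligned value. */
    const intptr_t samples[] = { 0x1a4, 0x2c8, -2, 0, 0x1a5 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%6ld -> %s\n", (long)samples[i], classify_ipc_handle(samples[i]));
    return 0;
}
```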
Kaspersky researchers identified this vulnerability, which Google patched in Chrome version 134.0.6998.178 on March 26, 2025.
This exploit chain exemplifies the technical sophistication of commercial spyware operations targeting browser security mechanisms.
Memento Labs: From Hacking Team to Spyware Vendor
Behind the sophisticated Chrome exploits lies an Italian company with a controversial history in the surveillance industry. Memento Labs emerged in 2019 following InTheCyber Group's acquisition of Hacking Team, rebranding the surveillance firm while maintaining its core business model.
The company has developed Dante spyware, a sophisticated tool linked to cyber-espionage campaigns, including Operation ForumTroll. Security researchers have identified Memento Labs as the source of the LeetAgent spyware, suggesting a direct connection to the recent Chrome zero-day attacks targeting government organizations.
Dante's technical architecture features advanced anti-analysis capabilities and a modular structure enabling dynamic functionality updates from command-and-control servers.
These commercial spyware products employ sophisticated obfuscation techniques and low-level Windows API calls, demonstrating the growing sophistication of private surveillance technologies marketed to government clients.
Dante and LeetAgent: Technical Capabilities and Deployment
Diving deep into the technical architecture of Memento Labs' spyware reveals sophisticated offensive capabilities designed for covert surveillance operations.
Dante employs VMProtect and AES-256-CBC encryption to evade detection, while LeetAgent demonstrates modular functionality for executing commands and exfiltrating specific file types.
Both malware variants were delivered through the exploit chain for the Chrome zero-day vulnerability CVE-2025-2783, which bypassed sandbox protections before deploying the malicious payloads.
The shared file system paths between Dante and LeetAgent strongly indicate that the same threat actor deployed them.
Persistence mechanisms include COM hijacking, in which attackers leverage legitimate CLSIDs to load malicious DLLs.
LeetAgent's communication with command-and-control servers occurs via HTTPS, enabling ongoing surveillance while maintaining operational security.
This technical infrastructure demonstrates Memento Labs' commitment to developing sophisticated surveillance tools that remain undetected on compromised systems.
Detection Methods and Incident Response Recommendations
Effective detection of Memento Labs' spyware operations requires a multi-layered security approach focusing on specific indicators of compromise.
Security researchers recommend implementing robust monitoring systems capable of detecting anomalies associated with Chrome zero-day exploits and sophisticated phishing campaigns. Kaspersky's identification of specific IOCs—including detection signatures for Trojan.Win64.Agent—provides essential threat intelligence for security teams.
When incidents occur, thorough investigation of reported phishing emails is critical, with particular attention to email headers that might reveal infection vectors.
Incident response teams should analyze malicious links and payloads to identify potential spyware deployment patterns. Organizations must prioritize regular patch management to address vulnerabilities like CVE-2025-2783, which malware developers frequently target.
Collaboration with cybersecurity firms enhances defensive capabilities against commercial spyware vendors that continually evolve their detection-avoidance techniques.
Broader Implications for the Commercial Surveillance Industry
The rise of Operation ForumTroll within the commercial surveillance landscape represents a critical turning point for cybersecurity governance and international relations. This campaign exemplifies how commercial spyware vendors like Memento Labs are weaponizing sophisticated exploits, including Chrome zero-day vulnerabilities, against targeted individuals and organizations.
The technical sophistication demonstrated in Operation ForumTroll—utilizing advanced phishing techniques and modular malware—signals an alarming evolution in cyber-espionage capabilities.
As surveillance technologies proliferate across government-backed actors, the sharing of exploitation techniques among vendors creates unprecedented risks of coordinated attacks. This interconnected ecosystem threatens not only cybersecurity infrastructure but fundamental civil liberties, particularly for dissidents and opposition figures.
The vulnerabilities exploited by Memento Labs and similar vendors underscore the urgent need for strengthened international frameworks governing the development and deployment of commercial surveillance tools.