Kaspersky reports that the first Chrome zero-day of 2025 — a sandbox escape tracked as CVE-2025-2783 — was exploited in the wild with tooling that Kaspersky connects to attacks involving spyware from Hacking Team’s successor. A related vulnerability affecting Firefox, tracked as CVE-2025-2857, was also observed.
The campaign, labeled Operation ForumTroll, targeted organizations in Russia across sectors including education, finance, government, media, and research. Attackers lured victims with phishing emails dressed up as forum invitations, sending short-lived, customized links that redirected users to pages hosting an exploit for CVE-2025-2783.
The exploit chain validated the victim, broke out of Chrome’s sandbox, and executed shellcode to drop a malware loader. To persist, the attacker modified user registry entries to hijack Windows’ COM object search order. The final payload in this operation was LeetAgent — a leetspeak-named spyware that can receive HTTPS commands, log keystrokes, and exfiltrate files, Kaspersky says.
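The persistence step above relies on Windows consulting HKCU\Software\Classes before HKLM when resolving a CLSID, so a server path written under the user hive silently overrides the machine-wide one. The following hunting script is an added example for defenders, not code from Kaspersky’s report; it assumes you run it on a Windows host as the user whose profile you are inspecting and uses no indicators from the campaign.

```powershell
# Added example (not from the report): hunt for per-user COM server overrides.
# Windows resolves CLSIDs from HKCU\Software\Classes before HKLM, so an
# InprocServer32/LocalServer32 value under the user hive wins over the
# machine-wide one and needs no admin rights to write. Flag HKCU entries
# that differ from, or have no counterpart in, HKLM.
function Get-UserComOverrides {
    $userRoot    = 'HKCU:\Software\Classes\CLSID'
    $machineRoot = 'HKLM:\Software\Classes\CLSID'
    $serverKeys  = 'InprocServer32', 'LocalServer32'
    if (-not (Test-Path $userRoot)) { return @() }

    foreach ($clsidKey in Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($srv in $serverKeys) {
            $userPath = "$userRoot\$clsid\$srv"
            if (-not (Test-Path $userPath)) { continue }
            $userServer = (Get-ItemProperty -Path $userPath -ErrorAction SilentlyContinue).'(default)'
            if (-not $userServer) { continue }

            $machineServer = $null
            $machinePath = "$machineRoot\$clsid\$srv"
            if (Test-Path $machinePath) {
                $machineServer = (Get-ItemProperty -Path $machinePath -ErrorAction SilentlyContinue).'(default)'
            }

            $reason = $null
            if (-not $machineServer) { $reason = 'no HKLM counterpart' }
            elseif ($machineServer -ne $userServer) { $reason = 'overrides HKLM server' }
            if (-not $reason) { continue }

            # Expand %SystemRoot% etc. and strip quotes so the file check works.
            $expanded = [Environment]::ExpandEnvironmentVariables($userServer).Trim('"')

            [pscustomobject]@{
                CLSID         = $clsid
                ServerType    = $srv
                UserServer    = $userServer
                MachineServer = $machineServer
                FileExists    = Test-Path -LiteralPath $expanded
                Reason        = $reason
            }
        }
    }
}

Get-UserComOverrides | Sort-Object Reason, CLSID | Format-Table -AutoSize
```

Legitimate per-user software does register CLSIDs under HKCU, so treat each hit as a lead to triage (signer, path, creation time) rather than a verdict.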
LeetAgent, deployed in these intrusions, can execute command-prompt instructions, spawn processes, inject shellcode, and perform file read/write operations based on instructions from its command-and-control server, which Kaspersky observed hosted on Fastly.net infrastructure. The malware has been in use since at least 2022 against targets in Russia and Belarus and has sometimes been used to stage deployments of more advanced spyware from Memento Labs (the company that evolved from Hacking Team).
Background: Hacking Team, founded in 2003 and known for its Remote Control Systems (RCS/“Da Vinci”) spyware, leaked internal data in 2015 and later reemerged under new ownership and branding — ultimately becoming Memento Labs. The firm’s newer surveillance product, Dante, bears strong functional resemblance to RCS and emphasizes evasion and modularity.
Dante uses an orchestrator that loads locally cached modules, incorporates anti-analysis checks, and will self-delete if it receives no commands within a set timeframe. Although Kaspersky did not observe Dante itself being deployed in Operation ForumTroll, the researchers found multiple overlaps between this campaign and other operations that did use Dante — including similar filesystem paths, identical persistence techniques, data hidden inside font files, and common code fragments shared among the exploit, loader, and Dante components.
Kaspersky’s analysis therefore links the ForumTroll activity to a broader toolset ecosystem that includes LeetAgent and, in other campaigns, Memento Labs’ Dante — suggesting either shared tooling, code reuse, or operator overlap among actors conducting espionage in the region.
