Researchers at Kaspersky discovered cyber-espionage activity that used the vulnerability in a one-click phishing attack to deliver malware.
Google on March 25 issued a patch for a Chrome browser zero-day flaw that was exploited by an advanced persistent threat (APT) actor earlier this month in one-click phishing attacks.
The flaw, tracked as CVE-2025-2783, is related to "incorrect handle provided in unspecified circumstances in Mojo on Windows," according to Google's security bulletin for the update. Mojo is a system API used in Chromium, the open source framework that powers Chrome.
Researchers Boris Larin and Igor Kuznetsov of Kaspersky Lab discovered the flaw — which allows for sandbox escape — being used in an attack dubbed "Operation ForumTroll" and reported it to Google on March 20, according to a blog post by Larin and Kuznetsov published on March 25.
The attack involved malware infections that "occurred immediately after the victim clicked on a link in a phishing email, and the attackers' website was opened using the Google Chrome Web browser," the researchers wrote in the post. "No further action was required to become infected."
To fix the flaw, Google updated Chromium to build 34.0.6998.177/.178 for Windows, which will roll out over the coming days and weeks to users, the company said in its alert. Users are urged to update Chrome in the meantime. As is customary, Google has not released specific technical details of the flaw, waiting until most users update their browsers.
Puzzling Sandbox Escape
The Kaspersky researchers said in the blog post that they plan to post the technical details of the flaw once the majority of users have updated their browsers; however, Larin and Kuznetsov did reveal more about the vulnerability in their description of attackers' exploitation of it.
The flaw was initially difficult for the researchers to understand. "The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome's sandbox protection as if it didn't even exist," they wrote in the post.
Eventually, they discovered the cause: a logical error at the intersection of Google Chrome's sandbox and the Windows OS.
The attack itself appears to be for cyber-espionage purposes and used phishing emails that included invitations supposedly sent from the organizers of a scientific and expert forum called "Primakov Readings" to target media outlets and educational institutions in Russia. The name Operation ForumTroll was inspired by this content.
The researchers said the malicious links sent to intended victims were "personalized and had a very short lifespan," and they led immediately to malware infections once clicked. The researchers did not describe the malware beyond calling it "sophisticated."
Moreover, the initial exploit "was designed to run in conjunction with an additional exploit that enables remote code execution (RCE)," the researchers wrote. Acquiring that second exploit would have required the researchers to wait for new attacks, exposing users to further infection, so they did not obtain it, they said.
Mitigation and Protection
Chrome zero-day flaws are a persistent problem for Google, which often has to respond on the fly to exploits developed by APTs and other sophisticated threat groups.
Larin and Kuznetsov said the CVE-2025-2783 exploit is no longer active at the malicious link, which now redirects visitors to the official website of Primakov Readings. However, the researchers still urged caution when opening links in unsolicited emails.
Patching the flaw via the update provided by Google "effectively blocks the entire attack chain," so both Google and the researchers urged Chrome users on Windows to update their browsers as soon as possible.
The researchers also included indicators of compromise, including code verdicts and the malicious link, in the blog post so defenders can detect potential infection or avoid compromise.