A Chrome zero-day that Google quietly patched in March wasn’t just another browser bug. It became the launchpad for an espionage campaign that resurrects a page from a past cybersecurity playbook.
According to a new report by Kaspersky, attackers used CVE-2025-2783, a sandbox-escape vulnerability, to deliver a new Memento Labs spyware dubbed LeetAgent against Russian and Belarusian targets. The operation shows that commercial spyware, once shamed into the shadows after Hacking Team’s 2015 breach, is back in circulation. This time it’s piggybacking on mainstream software flaws rather than exotic implants.
Memento Labs is a commercial spyware and intrusion vendor, not a dark-web hacking group. It’s the successor to Hacking Team, a Milan-based surveillance-technology firm that for years sold lawful-intercept and intrusion tools to government and law-enforcement clients. After Hacking Team was hacked in 2015 and its exploits leaked, it was acquired by InTheCyber Group and rebranded as Memento Labs in 2019.
Like NSO Group, Memento Labs operates in the “lawful intercept” or commercial surveillance market — meaning it develops and sells hacking and data-exfiltration tools such as LeetAgent and Dante to vetted state or corporate customers under export-license regimes. Both firms claim their products are for government use against criminal or national-security targets.
Memento Labs occupies the same controversial space as NSO Group, Intellexa, and RCS Labs. Each is a commercial vendor that builds government-grade spyware, which often ends up in geopolitical or domestic-surveillance operations.
For security leaders, this isn’t a one-off anomaly. The incident fits a broader resurgence of “mercenary” surveillance-ware trends of 2024 and 2025, Kaspersky points out. Examples include NSO Group’s Pegasus, which has been linked to government surveillance of journalists and activists; the Intellexa alliance’s Predator tool, which was deployed against U.S. and European lawmakers; and the Atlantic Council’s “Mythical Beasts” report, which calls these vendors part of a growing global market for privatized surveillance.
From Exploit to Vulnerabilities
According to the Kaspersky report, Memento Labs’ exploitation of the Chrome zero-day demonstrates a shift among similar vendors, which increasingly rely on browser and mobile zero-days rather than bespoke implants. For defenders, this campaign is a perfect example of how espionage threats now blend into ordinary vulnerability management cycles. Kaspersky notes defenders are often one missed patch away from compromise.
The exploited bug, CVE-2025-2783, allowed attackers to escape Chrome’s sandbox via a Windows handle quirk in Chrome’s Mojo IPC code. Google patched the flaw in Chrome 134.0.6998.177/.178 for Windows on March 25, describing it as an “incorrect handle” issue. The U.S. National Vulnerability Database assigned a CVSS 8.3 score and confirmed active exploitation before the fix.
Kaspersky says victims received short-lived phishing links disguised as invitations to the Primakov Readings forum. Clicking the link in Chrome or another Chromium-based browser was enough to trigger the exploit and execute code outside the sandbox. The campaign, dubbed Operation ForumTroll, overlaps with clusters tracked as TaxOff and Team 46 by Positive Technologies and as Prosperous Werewolf by BI.ZONE.
Simple Spear Phishing vs. Spray and Pray
“This was a targeted spear-phishing operation, not a broad, indiscriminate campaign,” said Boris Larin, principal security researcher with Kaspersky’s Global Research and Analysis Team (GReAT), who authored the firm’s Securelist report detailing the operation.
Larin said the phishing emails were written in fluent Russian and appeared to come from organizers of the Primakov Readings forum, a well-known policy event, but subtle linguistic errors suggested the senders were not native speakers.
“We observed multiple intrusions against organizations and individuals in Russia and Belarus, with lures aimed at media outlets, universities, research centers, government bodies, financial institutions, and others,” he said.
The Exploit Chain in Brief
Kaspersky’s reconstruction of CVE-2025-2783 describes an unusual logic flaw. Chrome’s IPC broker failed to filter a pseudo-handle constant used by Windows to reference the current thread. When the broker duplicated this pseudo handle, it converted it into a real handle in the browser process, letting attacker-supplied code execute outside the renderer sandbox. Mozilla later reviewed its own code and found a similar bug, issuing CVE-2025-2857 for Firefox.
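The flaw class described above is a missing input check: a broker must never forward a pseudo-handle value it received from a sandboxed sender into DuplicateHandle, because the kernel resolves pseudo-handles relative to the caller rather than the sender. The following is an added illustration of such a filter, not Chromium’s code and not its actual fix. The pseudo-handle constants are the documented Windows values from processthreadsapi.h; the broker simulation and the sample wire values are constructed.

```python
"""Illustrative pseudo-handle filter for a sandbox broker (added example).

Not Chromium code. The Windows pseudo-handle constants come from
processthreadsapi.h; the broker simulation around them is constructed.
"""

# Windows pseudo-handles as signed values. They are not entries in any handle
# table; the kernel resolves them relative to the calling thread. That is why
# a pseudo-handle sent by a sandboxed process and then passed to
# DuplicateHandle by a privileged broker becomes a real handle owned by the
# broker, which is the flaw class described for CVE-2025-2783.
PSEUDO_HANDLES = {
    -1: "GetCurrentProcess",
    -2: "GetCurrentThread",
    -4: "GetCurrentProcessToken",
    -5: "GetCurrentThreadToken",
    -6: "GetCurrentThreadEffectiveToken",
}


def to_signed(raw, bits):
    """Interpret a handle received as an unsigned wire integer as signed.

    A pseudo-handle of -2 arrives as 0xFFFFFFFE from a 32-bit sender and as
    0xFFFFFFFFFFFFFFFE from a 64-bit one, so the check must know the width.
    """
    mask = (1 << bits) - 1
    raw &= mask
    return raw - (1 << bits) if raw >> (bits - 1) else raw


def classify_handle(raw, bits=64):
    """Return 'accept' or a 'reject:<reason>' verdict for one wire value."""
    value = to_signed(raw, bits)
    if value == 0:
        return "reject:null"
    if value in PSEUDO_HANDLES:
        return "reject:pseudo-handle:" + PSEUDO_HANDLES[value]
    return "accept"


def broker_filter(raw_handles, bits=64):
    """Partition handle values from an untrusted sender into accepted and rejected.

    Only accepted values would ever reach a DuplicateHandle call.
    """
    accepted, rejected = [], []
    for raw in raw_handles:
        verdict = classify_handle(raw, bits)
        if verdict == "accept":
            accepted.append(raw)
        else:
            rejected.append((raw, verdict))
    return accepted, rejected


# Constructed sample: ordinary handle values mixed with pseudo-handles and a
# null, as they would appear on the wire from a 64-bit sandboxed process.
SAMPLE_WIRE_HANDLES_64 = [0x1A4, 0x2C8, 0xFFFFFFFFFFFFFFFE, 0x0, 0xFFFFFFFFFFFFFFFF]
# Same idea from a 32-bit sender.
SAMPLE_WIRE_HANDLES_32 = [0x1A4, 0xFFFFFFFE, 0xFFFFFFFB]

if __name__ == "__main__":
    acc, rej = broker_filter(SAMPLE_WIRE_HANDLES_64)
    print("accepted:", [hex(h) for h in acc])
    for raw, why in rej:
        print(f"rejected {raw:#x}: {why}")
    for raw in SAMPLE_WIRE_HANDLES_32:
        print(f"32-bit {raw:#x}: {classify_handle(raw, bits=32)}")
```

The width parameter matters: 0xFFFFFFFE is GetCurrentThread when it comes from a 32-bit process but an ordinary (if implausible) positive value when read as a 64-bit handle, so a broker that validates with the wrong width would let the sentinel through.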
Persistence relied on COM hijacking of legitimate Windows components to ensure the malicious loader executed on system start. That loader decrypted the spyware using a modified ChaCha20 algorithm and bound it to the infected machine’s BIOS UUID to prevent reuse elsewhere.
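COM hijacking of the kind mentioned above is detectable from registry state alone. The following is an added detection example, not from the Kaspersky report, and it assumes the general form of the technique rather than this loader’s specific keys: on Windows, a CLSID server registered under HKEY_CURRENT_USER\Software\Classes shadows the same CLSID under HKEY_LOCAL_MACHINE\SOFTWARE\Classes for per-user COM lookups, so a per-user registration that overrides a machine-wide one, or that points outside trusted program directories, is worth a look. The registry export, CLSIDs and paths in the block are constructed placeholders.

```python
"""Detect per-user COM server registrations that override machine-wide ones.

Added example, not from the Kaspersky report. It relies on standard Windows
COM lookup order (HKCU\Software\Classes shadows HKLM\SOFTWARE\Classes) and
parses the .reg export format. The sample export below is constructed.
"""
import re
from collections import defaultdict

# Directories where a COM server DLL/EXE is normally expected to live.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed .reg-style export: one HKCU entry shadows an HKLM entry and
# points into a user profile, one HKCU entry is benign, one is HKLM only.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\Updater\\loader.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33333333-0000-0000-0000-000000000003}\LocalServer32]
@="C:\\Windows\\System32\\svc.exe"
"""

KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]+\})\\(InprocServer32|LocalServer32)\]$",
    re.IGNORECASE,
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def server_binary(value):
    """Strip quoting from a server value; a quoted LocalServer32 may carry arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value.strip('"')
    return value


def parse_reg_export(text):
    """Return {clsid: {"HKLM"|"HKCU": server_path}} for COM server keys in a .reg export."""
    regs = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            hive, clsid, _ = m.groups()
            current = ("HKCU" if hive.upper() == "HKEY_CURRENT_USER" else "HKLM", clsid.upper())
            continue
        m = DEFAULT_RE.match(line)
        if m and current:
            # .reg exports double backslashes inside string values.
            path = m.group(1).replace("\\\\", "\\")
            regs[current[1]][current[0]] = server_binary(path)
            current = None
    return dict(regs)


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def find_com_overrides(regs):
    """Flag per-user registrations that shadow HKLM or point outside trusted dirs."""
    findings = []
    for clsid, by_hive in sorted(regs.items()):
        user_path = by_hive.get("HKCU")
        if user_path is None:
            continue
        reasons = []
        if "HKLM" in by_hive:
            reasons.append("shadows machine-wide registration " + by_hive["HKLM"])
        if not is_trusted_path(user_path):
            reasons.append("server outside trusted directories")
        if reasons:
            findings.append({"clsid": clsid, "server": user_path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_com_overrides(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f["clsid"], f["server"], "; ".join(f["reasons"]))
```

On a real host the input would come from exporting the two CLSID hives (for example with reg.exe export) and feeding both files to the parser; the per-user hive that shadows a system-wide CLSID with a DLL under a user profile is the pattern this rule is built to surface.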
A pattern, not a fluke
Positive Technologies documented similar use of CVE-2025-2783 by the TaxOff group earlier this year to deliver a backdoor named Trinper. Analysts at the firm concluded that TaxOff and Team 46 likely represent the same operator. The overlaps in exploit code and persistence between those intrusions and Kaspersky’s ForumTroll cluster point to a single toolset shared across operations.
For incident-response and threat-intel teams, the takeaway is that commercial spyware vendors and state-aligned actors are now using identical delivery chains. As Kaspersky’s researchers put it, the espionage market has learned to rent the same exploits as criminals and to disappear back into legitimate supply chains once the patch is out.
Kaspersky said that while the bug is patched, the lesson is clear. When old surveillance vendors resurface inside modern zero-day chains, the real story isn’t the sandbox escape; it’s how quickly the line between private exploit sales and government espionage has blurred.