In mid-March 2025, Kaspersky researchers uncovered a sophisticated APT attack, dubbed Operation ForumTroll, which leveraged a previously unknown zero-day exploit in Google Chrome.
This exploit allowed attackers to bypass Chrome’s sandbox protections, a critical security feature designed to isolate and contain malicious code.
The attack was initiated through personalized phishing emails, which directed victims to malicious links that, when opened in Google Chrome, immediately infected the system without requiring any additional user interaction.
Technical Details of the Exploit
The exploit, identified as CVE-2025-2783, was particularly noteworthy due to its ability to bypass Chrome’s sandbox by exploiting a logical error at the intersection of Chrome’s sandbox and the Windows operating system.
Kaspersky’s exploit detection technologies successfully identified and analyzed the exploit, enabling the company to report the vulnerability to Google.
As a result, Google released an update on March 25, 2025, to address the issue, effectively blocking the attack chain by patching the sandbox escape vulnerability.
Although the second exploit required for remote code execution was not obtained, patching the first vulnerability effectively neutralized the attack.
Attack Campaign and Targets
Operation ForumTroll targeted media outlets and educational institutions in Russia, with the phishing emails masquerading as invitations to the “Primakov Readings” scientific and expert forum.
The sophistication of the malware and the tactics employed suggest that the attack was conducted by a state-sponsored APT group, with espionage likely being the primary goal.
The attackers’ use of highly personalized and short-lived malicious links added to the complexity and stealth of the operation.
Kaspersky plans to release a detailed report on the technical aspects of the exploit and the attackers’ techniques once a significant portion of users have updated their browsers to the patched version.
Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.
