Complex APT Campaign Exploits Google Chrome Zero-Day Vulnerability, Fix Available

Published on March 26, 2025
Written by:
Lore Apostol
Cybersecurity & Streaming Writer

Kaspersky researchers have uncovered a sophisticated Advanced Persistent Threat (APT) campaign, dubbed "Operation ForumTroll," which exploited a zero-day vulnerability in Google Chrome to target organizations in Russia. 

The state-sponsored threat actor’s attacks utilized a complex chain of exploits and malware, the latest Kaspersky cybersecurity report said. 

The wave of attacks was detected in mid-March when Kaspersky's technologies identified a previously unknown and advanced malware strain. Victims were targeted via phishing emails containing malicious links that opened in Google Chrome. 

Malicious email used in this campaign | Source: Kaspersky

Notably, no further user interaction was required for the malware to execute, making the attack vector particularly effective.

These attacks exploited CVE-2025-2783, a zero-day vulnerability in Chrome’s sandbox that allowed attackers to bypass protections easily. Kaspersky immediately informed Google, enabling the tech giant to release a patched version (Chrome 134.0.6998.177/.178) on March 25, 2025. 

The vulnerability stemmed from a logical error at the intersection of Chrome's sandbox and the Windows operating system.

The phishing emails were disguised as invitations to the high-profile "Primakov Readings" scientific forum, targeting media outlets, educational institutions, and government organizations in Russia. 

Kaspersky has indicated that the attackers used a short-lived malicious link that now redirects to the event's official website.

Given the malware's complexity, Kaspersky researchers believe the campaign was aimed at espionage. The operation's sophisticated methods, including personalized malware and exploit usage, point to a state-sponsored APT group.

The attack relied on an additional exploit enabling remote code execution (RCE), which Kaspersky’s research team was unable to obtain. Luckily, patching CVE-2025-2783 effectively neutralizes the entire attack chain by blocking sandbox escape, the first critical step in the exploit.

Kaspersky products detect the attack with verdicts such as:

Kaspersky plans to release a detailed technical report about CVE-2025-2783, the associated malware, and the attackers' techniques to enhance industry awareness once the majority of users have updated their systems.

