Kaspersky links Chrome zero-day campaign to Italian spyware firm Memento Labs

Kaspersky has published further technical details of an espionage campaign that used a Chrome sandbox escape to deliver malware linked to the Italian spyware vendor Memento Labs. The report expands on the attack chain used in what security firms have called Operation ForumTroll.

Operation ForumTroll targeted Russian organizations including media outlets, universities, research centres, government bodies and financial institutions with tailored invitations to the Primakov Readings forum that contained a malicious link. Kaspersky said simply loading the link in a Chromium-based browser could trigger exploitation of CVE-2025-2783 and result in system compromise.

Researchers described the attack chain as using the Chrome sandbox escape to run shellcode in the browser process, install a persistent loader that injects a malicious DLL, and decrypt a primary payload known as LeetAgent. Kaspersky reported that LeetAgent is modular and supports command execution, file operations, keylogging and data theft, and noted its use of leetspeak in command implementation.

Tracing activity back to 2022, Kaspersky identified instances where LeetAgent was used to drop another spyware family called Dante. The company attributed Dante to Memento Labs with high confidence based on code similarities to the Remote Control System (RCS) produced by the former Hacking Team, which was acquired by InTheCyber Group and reconstituted as Memento Labs.

Kaspersky said Dante is a modular implant that retrieves components from a command-and-control server and is designed to remove itself and traces of its activity if it cannot reach its C2 for a set period. The researchers were unable to recover Dante modules for analysis, so the malware’s full capabilities remain undocumented, and they cautioned that the author of the Chrome sandbox-escape zero-day could be a different entity.

Google fixed CVE-2025-2783 in Chrome version 134.0.6998.178 on March 26, and Mozilla addressed the related issue in Firefox as CVE-2025-2857 in version 136.0.4.
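For defenders, the actionable item in the article is the pair of fixed versions. The following is an added example (not code from Kaspersky, Google or Mozilla) that parses browser version strings from a constructed software inventory and reports hosts still below the releases named above, Chrome 134.0.6998.178 for CVE-2025-2783 and Firefox 136.0.4 for CVE-2025-2857. The inventory format (`host,browser,version`) and the sample rows are assumptions made for the example.

```python
"""Flag browser installs below the releases that fixed CVE-2025-2783 (Chrome)
and CVE-2025-2857 (Firefox), as reported in the article.

Added example; not vendor code. The CSV-style inventory format is assumed."""

# Fixed versions named in the article, as integer tuples for ordered comparison.
FIXED_VERSIONS = {
    "chrome": (134, 0, 6998, 178),   # CVE-2025-2783
    "firefox": (136, 0, 4),          # CVE-2025-2857
}


def parse_version(text):
    """Turn a dotted version such as '134.0.6998.178' into a tuple of ints.

    A trailing non-numeric suffix on a component (e.g. '4esr') is dropped so
    the numeric part still compares; a component with no digits is an error.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_patched(browser, version_text):
    """True if version_text is at or above the fixed release for that browser.

    Tuples are zero-padded to equal length so '136.0.4' and '136.0.4.0'
    compare as equal rather than by tuple length.
    """
    fixed = FIXED_VERSIONS[browser.lower()]
    installed = parse_version(version_text)
    width = max(len(fixed), len(installed))
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return installed >= fixed


def find_unpatched(inventory_lines):
    """Return (host, browser, version) for each row below the fixed release.

    Rows for browsers not covered by FIXED_VERSIONS are ignored.
    """
    findings = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, browser, version = (field.strip() for field in line.split(","))
        if browser.lower() not in FIXED_VERSIONS:
            continue
        if not is_patched(browser, version):
            findings.append((host, browser.lower(), version))
    return findings


# Constructed sample inventory (host,browser,version); not real data.
SAMPLE_INVENTORY = [
    "# host,browser,version",
    "ws-finance-01,chrome,134.0.6998.177",
    "ws-finance-02,chrome,134.0.6998.178",
    "ws-research-07,firefox,136.0.3",
    "ws-research-08,firefox,136.0.4",
    "ws-media-03,chrome,135.0.7049.84",
    "ws-media-04,edge,134.0.3124.51",
]

if __name__ == "__main__":
    for host, browser, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {browser} {version} is below the fixed release")
```

One caveat a practitioner will recognise: Chrome applies an update only after the browser is relaunched, so an inventory tool that reads the on-disk version can report a host as patched while the running process is still the old build. Treat the version check as a starting point and confirm that long-running browser sessions have actually restarted since the fix was deployed.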