That the Google Chrome web browser is under seemingly constant attack should come as no surprise to anyone. After all, with 3.5 billion users, it’s by far the most popular browser on the planet and, as such, a massive target for any hacker. Thankfully, Google’s security team is not averse to releasing emergency security updates as critical vulnerabilities are disclosed, most recently with two in the space of just two weeks. Such was also the case back in March when the CVE-2025-2783 Chrome security sandbox-escaping vulnerability was confirmed as being exploited in the wild to attack targets in Russia. Now, Boris Larin, a principal security researcher with Kaspersky, has revealed how that attack, known as Operation ForumTroll, is thought to have been carried out using tools linked to Hacking Team spyware.
The ForumTroll Chrome Security Sandbox Escape Attack Explained
The Operation ForumTroll attacks started in March 2025, when Kaspersky first detected a surge in malware infections being distributed to primarily Russia-based targets using good old-fashioned phishing links in emails. These links, once clicked, took the victim, for that is what they now were, to a malicious site where no further action was required to initiate the infection, provided that Chrome, or a Chrome-based browser, was being used. The “sophisticated aged zero-day exploit” being employed was, according to Larin in a newly published technical analysis, confirmed by Google’s security team and identified as CVE-2025-2783.
The Russian targets included “media outlets, universities, research centers, government organizations, financial institutions, and other organizations,” Larin said, and “the functionality of the malware suggests that the operation’s primary purpose was espionage.”
Kaspersky has warned that, despite Google patching the vulnerability and killing off the exploit on March 25, we could see more such exploits. “In fact,” Larin said, “this represents a whole class of vulnerabilities worth hunting for – similar issues may still be lurking in other applications and Windows system services.”
The Kaspersky analysis also turned up an as-of-then unknown malware strain, ultimately identified as Dante, a commercial spyware tool developed by the Italian company Memento Labs, which was formerly known as Hacking Team, Kaspersky confirmed. I have reached out to Memento Labs for a statement.
“While everyone in the industry knows that spyware vendors exist,” Larin concluded, “their ‘products’ are rarely discovered or identified. Meanwhile, the list of companies developing commercial spyware is huge.” Who was responsible for Operation ForumTroll remains unknown. Still, the analysis is a timely reminder that commercial spyware can be used in such campaigns by state-sponsored threat actors or by criminals if they get their hands on the code. Meanwhile, keep updating, and relaunching, your Chrome browser without delay.







