Overview
- Kaspersky detailed Operation ForumTroll, in which personalized, short-lived phishing links exploiting CVE-2025-2783 infected targets as soon as they opened the link in Chrome or another Chromium browser.
- The campaign focused on organizations in Russia and Belarus and used a validator phase to fingerprint real browsers, with techniques including WebGPU checks and ECDH key exchange.
- LeetAgent emerged as a modular backdoor with leetspeak commands for code execution, file operations, keylogging and data theft, delivered via a persistent loader after the sandbox escape.
- Investigators identified a more advanced commercial spyware, Dante, attributed to Memento Labs via an embedded name and code overlaps with Hacking Team’s RCS. In some incidents LeetAgent launched Dante, and overlaps included COM hijacking, file paths and data hidden in font files.
- Google fixed CVE-2025-2783 on March 26 (Chrome 134.0.6998.178), and Mozilla addressed a related issue as CVE-2025-2857. Kaspersky published IOCs for LeetAgent and Dante. Open questions remain about unrecovered Dante modules and the Chrome exploit’s author; Memento Labs has not commented.