Overview
- Kaspersky reports Operation ForumTroll targeted Russian government, media, financial, academic and research entities, with related activity also seen in Belarus.
- Infections were triggered by personalized links that led to briefly active sites exploiting CVE-2025-2783 in Chromium browsers.
- The primary payload observed was a backdoor Kaspersky calls LeetAgent, named for its leetspeak command syntax.
- Code and tooling overlaps tie ForumTroll activity to Dante, a commercial spyware product attributed to Memento Labs. Dante itself was not seen in the ForumTroll infections; it was observed in separate attacks linked to the group.
- Google patched the reported flaw after Kaspersky’s alert. Kaspersky says further indicators and technical details will be shared with Threat Intelligence Portal subscribers; Memento Labs declined to comment.