
A zero-day vulnerability in Google Chrome, CVE-2025-2783, was actively exploited in early 2025 by attackers using spyware linked to Memento Labs (formerly Hacking Team), a notorious Italian surveillance vendor. The exploit was used in a campaign dubbed Operation ForumTroll, targeting Russian and Belarusian organizations through phishing emails carrying short-lived links that triggered a Chrome sandbox escape.
About the Vulnerability
- CVE-2025-2783 is a sandbox escape flaw in Chrome, allowing attackers to break out of browser confinement.
- The exploit leveraged a logic bug in Chromium’s Mojo IPC mechanism, enabling privilege escalation on Windows systems.
- Google patched the vulnerability after disclosure in March 2025, but attacks had already occurred against government, media, and financial entities.
The Espionage Tool: Dante
- Memento Labs’ Dante spyware was delivered via the exploit and represents the successor to Hacking Team’s “Remote Control System” (RCS) kit.
- Dante features advanced anti-analysis, VMProtect obfuscation, and AES-256-CBC encryption; it ties infections to system hardware, detects sandboxes and debugging, and uses modular architecture for surveillance.
- Kaspersky researchers identified unique code and persistence mechanisms linking Dante and the campaign infrastructure, noting strong overlaps with previous Hacking Team operations.
- The campaign also deployed custom malware named LeetAgent in some cases, and code connections tied both toolsets to Memento Labs.
Attribution and Impact
- Memento Labs, the name Hacking Team adopted in 2019, four years after its 2015 breach, maintains offensive cyber capabilities and sells them to government and corporate clients.
- Analysts trace the exploit to how handle values were treated when passed through the Windows DuplicateHandle API at the Chrome/Windows boundary, and recommend urgent Chrome updates for enterprise environments.
- The attack campaign may have broader implications for commercial spyware development and international cyber-espionage activities.
Key Indicators and Recommendations
- Look for anomalies related to Chrome sandboxing, suspicious process handle manipulation, and rare persistence methods (COM hijacking, font file data storage).
- Organizations using Chrome or Chromium-based browsers should apply the latest security updates and monitor for the use of obfuscated, modular spyware attributed to Memento Labs.
- The campaign demonstrates ongoing risk from commercial surveillance vendors leveraging zero-days and complex, evasive malware in APT operations.
The CVE-2025-2783 exploit chain targets Chrome’s sandbox protection on Windows, using a vulnerability in the Mojo Inter-Process Communication (IPC) component to escape the browser sandbox and gain code execution on the host system. Below are the core technical details:
Technical Exploit Chain
- Vulnerability Location: Mojo IPC in Chromium (used by Chrome), specifically on Windows before version 134.0.6998.177.
- Flaw Type: Logic error resulting in incorrect handle validation and management.
- Root Cause: The browser process did not adequately validate handle values carried in Mojo IPC messages from the (attacker-controlled) renderer, so a crafted message could make it hand back a handle a sandboxed process should never receive.
- Exploit Steps:
  - Initial Access: Delivered via a phishing email or a malicious site; the victim clicks a crafted link.
  - Sandbox Escape: A malicious Mojo IPC message from the compromised renderer causes the browser process to return a privileged handle it should not.
  - Code Execution: With that handle the attacker runs arbitrary code in the context of the unsandboxed browser process, i.e. with the logged-on user’s full privileges, enabling persistence, malware deployment, and lateral movement.
- Chained Exploits: In Operation ForumTroll, CVE-2025-2783 was the second stage, chained after a remote code execution (RCE) exploit that first gained control of the renderer.
- User Interaction: Exploitation requires the user to open a malicious link, but no authentication or pre-existing privileges are needed.
Severity, Scope, and Impact
- Severity: CVSS score ranges from 8.3 to 8.8 (“High”), as it leads to sandbox escape, full system compromise, and possible data exfiltration.
- Scope Change: The exploit allows switching from sandbox context to full host context (scope changed).
- Impact: Attackers can execute arbitrary commands, gain persistence, alter browser/system data, and launch further attacks on the system.
Indicators and Detection
- Anomalous Mojo IPC traffic
- Suspicious handles returned to Chrome renderer
- Malware or persistence mechanisms deployed outside the browser process
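The indicators above are easier to act on as concrete rules over endpoint telemetry. The following is an added example, not code from the original article or from any of the researchers it cites: it runs three detections over constructed Sysmon-style records (event ID 1 process creation, event ID 13 registry value set). The rules encode facts the page relies on: a sandboxed Chrome renderer (command line `--type=renderer`) never creates processes itself, the unsandboxed browser process does; a browser process launching something other than another browser helper is the post-escape payload launch; and COM hijacking persistence shows up as a non-installer writing `InprocServer32` under the user’s `CLSID` hive. The browser image set, the installer allowlist, the SID, the CLSID and the sample command lines are assumptions and constructed data, to be tuned per fleet.

```python
"""Detection logic for post-exploitation traces of a Chrome sandbox escape:
renderer-spawned processes, browser-spawned foreign processes, and per-user
COM InprocServer32 registrations. Added example over constructed Sysmon-style
records; not part of the original analysis."""
import re
from dataclasses import dataclass


@dataclass
class SysmonEvent:
    event_id: int            # 1 = process creation, 13 = registry value set
    image: str               # acting process (the created process for ID 1)
    cmdline: str = ""
    parent_image: str = ""
    parent_cmdline: str = ""
    target_object: str = ""  # registry path for event ID 13


# Assumptions to tune per fleet: browser images whose children should only be
# other browser helpers, and installers allowed to register in-proc COM servers.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}
INSTALLER_ALLOWLIST = {"msiexec.exe", "setup.exe"}

# Sysmon reports per-user keys as HKU\<SID>\...; an in-process COM server is
# registered at Software\Classes\CLSID\{GUID}\InprocServer32 (MITRE T1546.015).
COM_INPROC_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def renderer_spawned_process(ev: SysmonEvent) -> bool:
    """A sandboxed renderer cannot create processes; the browser process does
    that on its behalf over Mojo. A child of a --type=renderer process means
    the sandbox boundary is gone."""
    return (ev.event_id == 1
            and basename(ev.parent_image) in BROWSER_IMAGES
            and "--type=renderer" in ev.parent_cmdline)


def browser_spawned_foreign_process(ev: SysmonEvent) -> bool:
    """Payload launch: a browser process starting a non-browser image."""
    return (ev.event_id == 1
            and basename(ev.parent_image) in BROWSER_IMAGES
            and basename(ev.image) not in BROWSER_IMAGES)


def user_com_inproc_write(ev: SysmonEvent) -> bool:
    """COM hijacking persistence: a non-installer writing a per-user InprocServer32."""
    return (ev.event_id == 13
            and COM_INPROC_RE.match(ev.target_object) is not None
            and basename(ev.image) not in INSTALLER_ALLOWLIST)


RULES = [
    ("chrome_renderer_spawned_process", renderer_spawned_process),
    ("chrome_spawned_non_browser_process", browser_spawned_foreign_process),
    ("user_com_inprocserver32_write", user_com_inproc_write),
]


def detect(events):
    """Return (rule_name, acting image, detail) for every rule that fires."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                findings.append((name, basename(ev.image), ev.target_object or ev.cmdline))
    return findings


# Constructed sample telemetry, not captured from a real incident.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
CLSID_KEY = ("HKU\\" + SID
             + r"\Software\Classes\CLSID\{12345678-1234-1234-1234-123456789ABC}"
             + r"\InprocServer32\(Default)")

SAMPLE_EVENTS = [
    # benign: the browser process launches a renderer
    SysmonEvent(1, CHROME, "chrome.exe --type=renderer --lang=en-US", CHROME, "chrome.exe"),
    # suspicious: a renderer launches rundll32 (impossible from inside the sandbox)
    SysmonEvent(1, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\x.dll,Run",
                CHROME, "chrome.exe --type=renderer --lang=en-US"),
    # suspicious: the browser process launches PowerShell
    SysmonEvent(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "powershell.exe -enc AAAA", CHROME, "chrome.exe"),
    # suspicious: chrome.exe registers a per-user in-proc COM server
    SysmonEvent(13, CHROME, target_object=CLSID_KEY),
    # benign: an installer writes the same kind of key
    SysmonEvent(13, r"C:\Windows\System32\msiexec.exe", target_object=CLSID_KEY),
    # benign: chrome.exe writes one of its own keys
    SysmonEvent(13, CHROME, target_object="HKU\\" + SID + r"\Software\Google\Chrome\BLBeacon\version"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The renderer rule is the high-confidence one: a `--type=renderer` process creating anything is a sandbox-boundary violation regardless of what it launched. The second rule will need an allowlist for legitimate browser children in your environment, and the COM rule should be joined with signer or installer context before it pages anyone.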
MITRE ATT&CK Techniques
- T1203: Exploitation for Client Execution (the RCE stage)
- T1548: Abuse Elevation Control Mechanism (as commonly mapped; T1068, Exploitation for Privilege Escalation, is the more precise fit for a sandbox escape)
- T1546.015: Event Triggered Execution: Component Object Model Hijacking (the COM hijacking persistence noted above)
This flaw affected not just Chrome but any Chromium-based browser on Windows; updating to a build that contains the fix is required to prevent exploitation, and other Chromium-based browsers ship that fix under their own version numbers.
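Turning the update recommendation into an inventory check, as an added example that is not from the original article: the script below classifies constructed inventory records against the first fixed Windows build named on this page (134.0.6998.177), compares versions component-wise rather than as strings, and deliberately refuses to apply the Chrome threshold to other Chromium-based browsers, which ship the fix under their own numbering. The inventory records, host names and the non-Chrome version strings are constructed; the `Install` record layout is an assumption about what an asset inventory exports.

```python
"""Fleet triage against the first fixed Chrome-on-Windows build for
CVE-2025-2783. Added example over constructed inventory records."""
import re
from collections import defaultdict
from dataclasses import dataclass

FIXED_CHROME_WINDOWS = (134, 0, 6998, 177)  # cut-off from the advisory


@dataclass(frozen=True)
class Install:
    host: str
    os_name: str   # "windows", "macos", "linux"
    product: str   # "chrome", "edge", "brave", ...
    version: str   # raw inventory string


def parse_version(text: str) -> tuple:
    """Pull a dotted version out of free-form inventory text and pad it to four
    components so comparison is numeric per component, not lexicographic."""
    m = re.search(r"\d+(?:\.\d+){1,3}", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(install: Install) -> str:
    """'vulnerable' or 'patched' for Chrome on Windows. Other Chromium-based
    browsers carry the same bug but fix it under their own version numbers,
    so they get 'verify_vendor_build'. Non-Windows installs are
    'not_affected' because the sandbox escape is Windows-specific."""
    if install.os_name.lower() != "windows":
        return "not_affected"
    if install.product.lower() != "chrome":
        return "verify_vendor_build"
    return "patched" if parse_version(install.version) >= FIXED_CHROME_WINDOWS else "vulnerable"


def triage(installs):
    """Group host names by classification."""
    groups = defaultdict(list)
    for inst in installs:
        groups[classify(inst)].append(inst.host)
    return dict(groups)


# Constructed inventory; the Edge version string is a placeholder.
SAMPLE_INVENTORY = [
    Install("ws-01", "windows", "chrome", "134.0.6998.165"),
    Install("ws-02", "windows", "chrome", "Google Chrome 134.0.6998.177"),
    Install("ws-03", "windows", "chrome", "134.0.6998.178"),
    Install("ws-04", "windows", "edge", "134.0.3124.93"),
    Install("ws-05", "windows", "chrome", "9.0.0.1"),  # a string compare would call this "patched"
    Install("mac-01", "macos", "chrome", "134.0.6998.165"),
]

if __name__ == "__main__":
    for label, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{label}: {', '.join(hosts)}")
```

The `ws-05` record is there to show why the comparison is done on integer tuples: `"9.0.0.1" > "134.0.6998.177"` is true as strings, which is exactly the kind of mistake that leaves an unpatched host marked green.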