Zero-Day Used to Deploy Malware in Operation ForumTroll
While Google has yet to disclose full details of the attacks, Kaspersky’s analysis revealed that CVE-2025-2783 was used in a sophisticated cyber-espionage campaign dubbed Operation ForumTroll.
[Image: Operation ForumTroll phishing email (Kaspersky)]
Attackers exploited the Chrome zero-day to bypass sandbox protections and infect victims with advanced malware. The campaign relied on phishing emails impersonating invitations from a Russian scientific and expert forum, Primakov Readings. These fraudulent emails targeted media outlets, educational institutions, and government organizations across Russia.
Victims who clicked on malicious links in these emails were redirected to the primakovreadings[.]info domain, where the exploit was triggered, allowing attackers to gain remote control of compromised systems.
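For defenders who want to check whether any host reached the domain named above, the following is an added example, not code from Kaspersky or Google. It hunts through web proxy logs for the indicator, matching on the parsed hostname so that lookalike and substring hits are not reported. The log layout (timestamp, client, method, target, status), the client addresses and the timestamps are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicator exactly as published on the page (defanged).
DEFANGED_IOC = "primakovreadings[.]info"

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a plain lowercase hostname."""
    return indicator.replace("[.]", ".").lower()

def host_of(target: str) -> str:
    """Hostname from a full URL, a CONNECT host:port, or a bare host."""
    target = target.strip()
    if "://" not in target:
        target = "//" + target            # make urlsplit treat it as a netloc
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:                    # malformed target, e.g. bad IPv6 literal
        return ""
    return host.rstrip(".").lower()       # drop the trailing root dot

def matches_ioc(host: str, ioc_host: str) -> bool:
    """True for the exact host or any subdomain, never for a substring."""
    return host == ioc_host or host.endswith("." + ioc_host)

def hunt(log_lines, ioc=DEFANGED_IOC):
    """Return (timestamp, client, target) for each request to the indicator."""
    ioc_host = refang(ioc)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue                      # not a request line in this layout
        ts, client, _method, target = fields[:4]
        if matches_ioc(host_of(target), ioc_host):
            hits.append((ts, client, target))
    return hits

# Constructed sample log: three real hits, three lookalikes that must not match.
IOC_HOST = refang(DEFANGED_IOC)
SAMPLE_LOG = [
    f"2025-01-01T09:14:02Z 192.0.2.17 GET https://{IOC_HOST}/ 200",
    f"2025-01-01T09:15:40Z 192.0.2.22 CONNECT {IOC_HOST.upper()}.:443 200",
    f"2025-01-01T09:16:11Z 192.0.2.31 GET https://www.{IOC_HOST}/ 200",
    f"2025-01-01T09:17:05Z 192.0.2.40 GET https://not{IOC_HOST}/ 200",
    f"2025-01-01T09:18:30Z 192.0.2.41 GET https://{IOC_HOST}.example.com/ 200",
    f"2025-01-01T09:19:00Z 192.0.2.42 GET https://example.org/?ref={IOC_HOST} 200",
]

if __name__ == "__main__":
    for ts, client, target in hunt(SAMPLE_LOG):
        print(f"{ts} {client} contacted {target}")
```

A hit identifies a client that followed the link; whether the exploit ran on that client still depends on the Chrome build it was using at the time.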
Second Exploit Discovered in the Attack Chain
During their investigation, Kaspersky researchers also discovered that attackers used a second exploit in conjunction with the Chrome zero-day. While details of this additional exploit remain undisclosed, Kaspersky confirmed that patching Chrome will disable the entire exploit chain and prevent further infections.
“While research is still ongoing, judging by the functionality of the sophisticated malware used in the attack, the attackers’ goal was likely espionage,” Kaspersky said.