Kaspersky technologies identified a sophisticated wave of malware infections targeting various organizations through phishing emails leading to malicious links. A critical zero-day vulnerability in Google Chrome, identified as CVE-2025-2783, allowed attackers to bypass the browser’s sandbox. The malware campaign, dubbed Operation ForumTroll, aimed at espionage targeting media outlets and government entities in Russia. Affected: Google Chrome, Russian media outlets, educational institutions, government organizations
Keypoints :
- Kaspersky detected a wave of sophisticated malware infections in March 2025.
- The infections occurred via phishing emails containing links that opened in Google Chrome.
- Clicking on these links initiated the infection without any further user actions necessary.
- The malware used a zero-day exploit, CVE-2025-2783, to escape Google Chrome’s sandbox.
- Following Kaspersky’s report, Google fixed the vulnerability and released an update on March 25, 2025.
- The attackers aimed for espionage, targeting media, educational institutions, and government organizations in Russia.
- The campaign was named Operation ForumTroll.
- Current links redirect to the legitimate “Primakov Readings” website and are inactive at the moment.
- The exploit discovered was linked to a second exploit intended for remote code execution.
- Kaspersky’s products can detect the malicious exploits and malware involved.
MITRE Techniques :
- T1203 – Exploitation for Client Execution: Exploit used to bypass sandbox protections in Google Chrome.
- T1202 – Indirect Command Execution: Attackers execute malware through phishing email links leading to an exploit.
- T1071.001 – Application Layer Protocol: Use of HTTP for delivering malicious payloads via phishing emails.
Indicator of Compromise :
- [Domain] primakovreadings[.]info
Full Story: https://securelist.com/operation-forumtroll/115989/