Operation ForumTroll: Exploiting Chrome’s Zero-Day Vulnerability For Espionage


Operation ForumTroll is an advanced persistent threat (APT) campaign that exploits a zero-day vulnerability in Google Chrome. Discovered by Kaspersky technologies in mid-March 2025, the attack primarily targeted media outlets and educational institutions. Google released a patch for its Chrome browser on March 25, 2025 to address this bug.

Severity Level: High

THREAT DETAILS

  1. Exploit Used: The attackers leveraged a now-patched zero-day vulnerability (CVE-2025-2783; CVSS Score: 8.3) affecting Google Chrome versions before 134.0.6998.177/.178 for Windows. This vulnerability allowed them to escape Chrome’s sandbox, the security mechanism that isolates web processes so that malicious activity cannot spread to the broader system. The exploit relied on a logical error at the intersection of Chrome’s sandbox and the Windows OS, which allowed malicious code to run without triggering typical security defenses.
  2. Phishing Campaign: The malware was delivered via a highly targeted phishing campaign. The emails appeared to be legitimate invitations to the “Primakov Readings” forum. The attackers employed this social engineering tactic to lure victims into clicking on a malicious link, which then exploited the zero-day vulnerability in Chrome, leading to infection.
  3. Malware: Once the exploit succeeded, it enabled the deployment of sophisticated malware capable of carrying out espionage activities. The exact nature of the malware is still under investigation, but it appears to be designed for information gathering, specifically targeting organizations in the Russian media and educational sectors.
    • Indicator of Compromise: primakovreadings[.]info

Recommendations:

  1. Ensure Google Chrome for Windows is updated to version 134.0.6998.177/.178 or higher to fix CVE-2025-2783.
  2. Strengthen email security by deploying advanced email filtering tools that can identify phishing attempts and malicious attachments or links.
  3. Conduct regular training sessions on security best practices, including safe email handling, how to spot phishing attempts, and how to verify the legitimacy of links and attachments. Additionally, run simulated phishing campaigns to test employee vigilance.
  4. Enforce MFA for accessing sensitive systems, email accounts, and services, especially for administrative accounts or high-privilege users.
  5. Ensure that critical data is regularly backed up and that recovery procedures are tested.
  6. Block the indicator of compromise listed above at the relevant security controls.
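The two recommendations that can be checked mechanically, the Chrome version floor (item 1) and the IoC (item 6), are demonstrated in the added example below. This is illustrative code written for this advisory, not code from Kaspersky, Google or Ampcus Cyber; the log lines in it are constructed sample data, and the only real values are the fixed build number and the domain already named above. It shows two points a practitioner would want to get right: Chrome versions must be compared as numeric tuples (a plain string comparison ranks 134.0.6998.99 above 134.0.6998.177), and IoC matching should catch subdomains of the indicator without matching unrelated hosts that merely contain it.

```python
"""Added example (not part of the advisory): defender-side checks derived
from the recommendations above.

1. is_chrome_patched(): compares an installed Chrome-for-Windows version
   against the first fixed build named in the advisory (134.0.6998.177;
   .178 is also fixed), using numeric comparison rather than string comparison.
2. find_ioc_hits(): scans proxy/DNS log lines for the advisory's IoC domain
   (primakovreadings[.]info), including its subdomains, for blocking/alerting.

SAMPLE_LOG_LINES is constructed sample data, not real telemetry.
"""
import re

# First patched Chrome-for-Windows build per the advisory (CVE-2025-2783).
PATCHED_VERSION = (134, 0, 6998, 177)

# IoC from the advisory, kept in defanged form; refang() restores the real host.
IOC_DOMAINS = ["primakovreadings[.]info"]

# Constructed sample log lines (web proxy and DNS style), not real data.
SAMPLE_LOG_LINES = [
    "2025-03-20T10:01:02Z 10.0.0.5 GET https://www.primakovreadings.info/invite 200",
    "2025-03-20T10:01:09Z 10.0.0.5 GET https://example.com/index.html 200",
    "2025-03-20T10:02:30Z dns query A primakovreadings.info from 10.0.0.7",
    "2025-03-20T10:03:00Z 10.0.0.9 GET https://notprimakovreadings.info/ 404",
]


def parse_version(version: str) -> tuple:
    """Turn 'major.minor.build.patch' into a tuple of ints.

    Numeric tuples compare correctly; comparing the raw strings would rank
    '134.0.6998.99' above '134.0.6998.177' because '9' > '1'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_chrome_patched(installed: str) -> bool:
    """True if the installed version is at or above the first fixed build."""
    return parse_version(installed) >= PATCHED_VERSION


def refang(domain: str) -> str:
    """Convert a defanged indicator ('example[.]com') back to a real hostname."""
    return domain.replace("[.]", ".").lower()


def find_ioc_hits(log_lines, iocs=IOC_DOMAINS):
    """Return (line_number, host) for every log line that contacts an IoC domain.

    Matches the exact domain and any subdomain of it, so
    'www.primakovreadings.info' is caught while 'notprimakovreadings.info' is not.
    """
    hosts = [refang(d) for d in iocs]
    # A hostname inside a URL or as a bare DNS query name: label chars then a TLD.
    host_re = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for match in host_re.finditer(line):
            host = match.group(1).lower()
            if any(host == h or host.endswith("." + h) for h in hosts):
                hits.append((lineno, host))
    return hits


if __name__ == "__main__":
    for candidate in ("134.0.6998.99", "134.0.6998.177", "135.0.7049.84"):
        state = "patched" if is_chrome_patched(candidate) else "VULNERABLE"
        print(f"Chrome {candidate}: {state}")
    for lineno, host in find_ioc_hits(SAMPLE_LOG_LINES):
        print(f"IoC hit on line {lineno}: {host}")
```

In a real deployment the version string would come from the installed Chrome binary's metadata or a management inventory rather than a literal, and the log lines from the proxy or DNS resolver; the matching logic stays the same.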

SOURCES:

  • https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
  • https://securelist.com/operation-forumtroll/115989/


Ampcus Cyber