Google has released an emergency patch for a high-severity Chrome vulnerability actively exploited by a state-sponsored threat actor in an ongoing cyber-espionage campaign. The flaw, tracked as CVE-2025-2783, allowed attackers to escape Chrome’s sandbox protections and deploy malware through one-click phishing links.
Kaspersky researchers uncovered the exploit as part of “Operation ForumTroll,” targeting Russian media and academic organizations.
This marks the first Chrome zero-day patched in 2025 and highlights the increasingly sophisticated tactics employed by advanced persistent threat (APT) groups. The vulnerability sits in Mojo, Chromium's inter-process communication layer, and was chained with a separate code-execution exploit so that a single click on a link was enough for full compromise, with no further user interaction.
Why It Matters: The exploitation of CVE-2025-2783 demonstrates how quickly APT actors can weaponize zero-day flaws for real-world espionage. With targets infected instantly via phishing links and sandbox protections bypassed, this incident emphasizes the urgency of browser security and timely patching, especially for high-risk users and organizations.
- Zero-Day Flaw and Attack Mechanics: CVE-2025-2783 is a sandbox escape caused by an "incorrect handle" being provided in Chromium's Mojo inter-process communication layer on Windows. Chrome runs web content in sandboxed renderer processes; the sandbox is the boundary meant to contain code that has already gained execution inside a compromised renderer, so escaping it turns a browser bug into a compromise of the host. What made the attack especially dangerous was its simplicity: a victim merely had to click on a phishing link. No further interaction or download was necessary; the exploit chain ran as soon as the malicious page loaded in Chrome.
- Discovery and Attribution: The vulnerability was uncovered by Kaspersky researchers Boris Larin and Igor Kuznetsov, who reported it to Google on March 20. Their investigation revealed a highly targeted and stealthy cyber-espionage campaign they dubbed Operation ForumTroll, referencing the phishing emails’ content, which impersonated invitations to a real event, the Primakov Readings, a known Russian academic and policy forum. The attackers demonstrated deep knowledge of their targets, crafting personalized emails and using short-lived, custom links to evade detection and tracking.
- Targets and Intent of the Espionage Campaign: The phishing campaign primarily targeted Russian media outlets, academic institutions, and possibly government-related organizations. Kaspersky has not described the malware in detail beyond calling it "sophisticated" and assessing the campaign's goal as espionage; capabilities such as data exfiltration, persistent access or surveillance would be consistent with that assessment but have not been publicly confirmed. Indicators of compromise (IOCs) were shared to help defenders detect potential infections in targeted networks.
- Google’s Emergency Patch: Google released a patch for Chrome on March 25, updating the browser to version 134.0.6998.177/.178 on Windows. Although Google withheld full technical details, the company confirmed that the vulnerability had been exploited in the wild and encouraged all users to update their browsers immediately. The fix is rolling out progressively but is already available for manual installation. Note that Chrome downloads updates in the background and only runs the new build after a relaunch, so a pending update does not protect an open browser. Google is expected to release more information after the majority of users have updated, in line with its usual practice of restricting bug details for actively exploited zero-days.
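As an added example (not code from Google, Kaspersky or the linked articles), the following Python checks a Chrome for Windows version against the first fixed build. It assumes the fixed build numbers quoted above (134.0.6998.177/.178) and the registry locations the Chrome installer is known to write: the Google Update client key for Chrome stable (read from both the native and the WOW6432Node view) and the per-user BLBeacon key. A version string can also be passed on the command line for offline use, for example from an inventory export.

```python
"""Check whether a Chrome for Windows build carries the CVE-2025-2783 fix.

Added example, not code from Google, Kaspersky or the cited articles. It
assumes the fixed builds named in the advisory (134.0.6998.177/.178) and the
registry keys the Chrome installer is known to write its version to.
"""
import sys
from typing import Optional, Tuple

# First Windows build that contains the fix, per Google's release note.
FIXED_BUILD: Tuple[int, ...] = (134, 0, 6998, 177)

# Google Update client ID for Chrome stable (well-known value).
CHROME_STABLE_APP_ID = "{8A69D345-D564-463c-AFF1-A69D9E530F96}"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a comparable tuple of ints.

    Chrome versions must be compared numerically, not as strings:
    as strings, '134.0.6998.99' sorts after '134.0.6998.177'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: Tuple[int, ...] = FIXED_BUILD) -> bool:
    """True if `version` is at or above the first fixed build."""
    return parse_version(version) >= fixed


def installed_chrome_version() -> Optional[str]:
    """Read the installed Chrome version from the Windows registry.

    Returns None on non-Windows hosts or when no install is found. The
    registry records the *installed* build; a Chrome that has not been
    relaunched since updating may still be running the old one.
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module

    # (hive, subkey, value name) triples, per-machine first, then per-user.
    candidates = [
        (winreg.HKEY_LOCAL_MACHINE,
         rf"SOFTWARE\Google\Update\Clients\{CHROME_STABLE_APP_ID}", "pv"),
        (winreg.HKEY_LOCAL_MACHINE,
         rf"SOFTWARE\WOW6432Node\Google\Update\Clients\{CHROME_STABLE_APP_ID}", "pv"),
        (winreg.HKEY_CURRENT_USER,
         rf"Software\Google\Update\Clients\{CHROME_STABLE_APP_ID}", "pv"),
        (winreg.HKEY_CURRENT_USER, r"Software\Google\Chrome\BLBeacon", "version"),
    ]
    for hive, subkey, value in candidates:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                return str(winreg.QueryValueEx(key, value)[0])
        except OSError:
            continue  # key or value absent in this location; try the next
    return None


def report(version: Optional[str]) -> str:
    """One-line verdict suitable for an inventory or SOC ticket."""
    if version is None:
        return "chrome not found (or not a Windows host)"
    state = "patched" if is_patched(version) else "VULNERABLE to CVE-2025-2783"
    return f"Chrome {version}: {state}"


if __name__ == "__main__":
    # Pass a version string to check an exported value offline;
    # with no argument, read the local Windows installation.
    arg = sys.argv[1] if len(sys.argv) > 1 else installed_chrome_version()
    print(report(arg))
```

Run it with `python check_chrome.py 134.0.6998.176` to check a value from an inventory export, or with no argument on a Windows host to read the installed build. The numeric comparison matters: version strings compared lexically will misclassify builds such as 134.0.6998.99 as newer than the fix.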
- Additional Exploits and Threat Context: According to Kaspersky, the sandbox escape was just one part of a broader, more complex attack chain. The attackers also used a second exploit to gain remote code execution (RCE) inside the sandboxed renderer process; the sandbox escape is what turned that foothold into full control of the infected system. However, researchers opted not to capture the RCE exploit so as not to endanger additional users during the live attacks. They emphasized that patching Chrome breaks the entire attack chain: with the escape closed, code execution in the renderer stays confined to the sandbox. Given the technical sophistication and precise targeting, Kaspersky strongly suspects the threat actor behind Operation ForumTroll is a state-sponsored APT group.
Go Deeper -> Google fixes Chrome zero-day exploited in espionage campaign – Bleeping Computer
Google Hastily Patches Chrome Zero-Day Exploited by APT – Dark Reading