In March 2025, experts from Kaspersky Lab identified a targeted attack involving previously unknown, sophisticated malware. The infection spread via meticulously crafted phishing emails containing links to malicious websites. Merely clicking the link in Google Chrome was enough to trigger the compromise—no further user interaction was required.
Each link was uniquely generated for its intended recipient and was time-limited. Nevertheless, researchers managed to confirm the exploitation of a zero-day vulnerability in Chrome, which was used to escape the browser’s sandbox.
Upon analyzing the exploit, specialists reconstructed its logic and confirmed that it worked against the latest version of Chrome at the time. Google’s security team was notified promptly and released a patch on March 25 for the vulnerability, tracked as CVE-2025-2783. The fix shipped in Chrome 134.0.6998.177 and 134.0.6998.178.
CVE-2025-2783 stems from improper handling of descriptors in Mojo, Chrome’s inter-process communication (IPC) component, on Windows. The flaw allowed attackers to bypass Chrome’s sandbox without performing any overtly malicious action, effectively nullifying the sandbox. The root cause was a logical error in the interaction between Chrome’s sandbox and the operating system. According to the researchers, this is one of the most intricate and compelling exploits observed in recent times.
The attack targeted government agencies, educational institutions, and Russian media outlets. All malicious emails were disguised as official invitations to the international forum “Primakov Readings” and contained links leading to a site with a domain nearly identical to the legitimate one—primakovreadings[.]info.
At the time of publication, the malicious link redirects to the genuine forum website, but visiting it is still not safe.
During the investigation, a chain of multiple exploits was uncovered. One was used to escape the sandbox; another, presumably, for remote code execution. However, researchers were unable to obtain the second exploit, as doing so would have required awaiting a new wave of attacks—an unacceptable risk to users. Google’s patch effectively neutralizes the entire attack chain at its initial stage.
Internally, the operation has been dubbed “ForumTroll.” All signs point to a highly sophisticated APT group, likely backed by a nation-state. The nature of the malware and the attack scenario strongly suggest an espionage-driven campaign.
Known indicators of compromise at this stage include the domain primakovreadings[.]info.
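The two actionable facts in this report are the patched Chrome builds (134.0.6998.177 and .178) and the single indicator domain, primakovreadings[.]info. The script below is an added defender-side example, not code from the article or from Kaspersky: it flags hosts whose installed Chrome build is older than the first patched one (comparing version components numerically, so 134.0.6998.9 is correctly ranked below .177), re-fangs the published indicator, and matches it against the parsed host of each URL in proxy logs so that subdomains hit but lookalike names that merely contain the string do not. The inventory and log lines are constructed sample data; the hostnames, the 135.0.0.1 build number, the query string and the lookalike domain in the negative test case are assumptions.

```python
"""Triage helpers for CVE-2025-2783 (Chrome/Mojo sandbox escape on Windows).

Added example, not from the article or Kaspersky. Assumes a host inventory of
installed Chrome versions and proxy log lines as input; all sample data below
is constructed.
"""
import re
from typing import Iterable

# First patched build named in the article (134.0.6998.178 also shipped the fix).
# Any build at or above this one is treated as fixed.
PATCHED_CHROME_VERSION = "134.0.6998.177"

# Indicator of compromise from the article, kept in defanged form.
IOC_DOMAINS_DEFANGED = ["primakovreadings[.]info"]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '134.0.6998.177' into (134, 0, 6998, 177).

    Numeric tuples compare correctly; plain string comparison would rank
    '134.0.6998.9' above '134.0.6998.177'.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(version: str, patched: str = PATCHED_CHROME_VERSION) -> bool:
    """True when the installed build is at or above the first patched build."""
    return parse_version(version) >= parse_version(patched)


def refang(indicator: str) -> str:
    """Convert defanged notation ('example[.]com', 'hxxp://') back to real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def find_unpatched_hosts(inventory: dict[str, str]) -> list[str]:
    """inventory maps hostname -> installed Chrome version. Returns hosts still
    running a build older than the first patched one, sorted by name."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Extracts the host part of the first http(s) URL on a log line.
_HOST_RE = re.compile(r"https?://([^/:\s]+)")


def find_ioc_hits(log_lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, host) for every line whose URL host is an IoC
    domain or one of its subdomains. Matching the parsed host exactly (or as a
    parent domain) means a name that merely contains the indicator as a
    substring does not produce a false positive."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        match = _HOST_RE.search(line)
        if not match:
            continue
        host = match.group(1).lower().rstrip(".")
        for ioc in IOC_DOMAINS:
            if host == ioc or host.endswith("." + ioc):
                hits.append((lineno, host))
                break
    return hits


# Constructed sample inventory (hostnames and the 135.0.0.1 build are made up).
SAMPLE_INVENTORY = {
    "ws-001": "134.0.6998.165",  # older than the patched build: vulnerable
    "ws-002": "134.0.6998.177",  # first patched build
    "ws-003": "134.0.6998.178",  # second patched build
    "ws-004": "135.0.0.1",       # later release, constructed number
    "ws-005": "133.0.6943.142",  # older major: vulnerable
}

# Constructed proxy log lines; the query id and the lookalike domain on the
# last line are invented for the negative test case.
SAMPLE_PROXY_LOG = [
    "2025-03-20T10:01:02Z ws-001 GET https://primakovreadings.info/invite?id=a1b2 200",
    "2025-03-20T10:03:15Z ws-002 GET https://www.example.org/ 200",
    "2025-03-20T10:05:40Z ws-005 GET https://cdn.primakovreadings.info/js/app.js 200",
    "2025-03-20T10:07:00Z ws-003 GET https://notprimakovreadings.info/ 200",
]

if __name__ == "__main__":
    print("Unpatched hosts:", find_unpatched_hosts(SAMPLE_INVENTORY))
    for lineno, host in find_ioc_hits(SAMPLE_PROXY_LOG):
        print(f"IoC hit on log line {lineno}: {host}")
```

Run against the sample data, the script reports ws-001 and ws-005 as unpatched and flags log lines 1 and 3; line 4, whose host only contains the indicator as a substring, is not flagged. Because the article stresses that the links were per-recipient and time-limited, a proxy hit on the domain is worth treating as a likely compromise of that host rather than a harmless click, even if the page it returns today is the legitimate forum site.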