CVE-2025-2783 in Operation ForumTroll APT | Kaspersky official blog

Our exploit detection and prevention technologies have detected a new wave of cyberattacks with previously unknown malware. While analyzing it, our Global Research and Analysis Team (GReAT) experts realized that we’re dealing with a technically sophisticated targeted attack, which suggests that a state-sponsored APT group is behind it. The attack exploited a zero-day vulnerability in the Chrome browser, which we immediately reported to Google; the company promptly released a patch to fix it.

What is the Operation ForumTroll APT attack?

The attack starts with a phishing email containing an invitation to the Primakov Readings international economic and political science forum. The email body contains two links that purport to lead to the event program and the participant registration form, but actually lead to the malefactor’s website. If a Windows PC user with the Google Chrome browser (or any other browser based on the Chromium engine) clicks either link, their computer gets infected with no additional action required on the victim’s part.

Next, the exploit for the CVE-2025-2783 vulnerability comes into play — helping to circumvent the Chrome browser’s defense mechanism. It’s too early to talk about technical details, but the essence of the vulnerability comes down to an error in logic at the intersection of Chrome and the Windows operating system that allows bypassing the browser’s sandbox protection.

A slightly more detailed technical description of the attack, along with the indicators of compromise, can be found on our Securelist blog. Our GReAT experts will publish a thorough technical analysis of the vulnerability and the APT attack once the majority of browser users have installed the newly released patch.

Who are the targets of the Operation ForumTroll APT attack?

Fake event invitations containing personalized links were sent to Russian media representatives and to employees of educational institutions and governmental organizations. According to our GReAT experts, the goal of the attackers was espionage.

How to stay safe

At the time of writing this post, the attack was no longer active: the phishing link redirected users to the legitimate Primakov Readings website. However, the malefactors could reactivate the exploit delivery mechanism at any time and start the next wave of the attack.

Thanks to our experts’ analysis, Google Chrome’s developers promptly fixed the CVE-2025-2783 vulnerability today, so we advise you to check that the browsers in your organization are updated to at least version 134.0.6998.177/.178.

In addition, we recommend using reliable security solutions equipped with modern exploit detection and prevention technologies on all internet-connected corporate devices. Our products successfully detect all exploits and other malware used in this APT attack.

Kaspersky official blog

Nearly $13 million stolen from Abracadabra Finance in crypto heist

The crypto lending platform said the issue was sourced back to a product it calls “cauldrons” — isolated lending markets that allow users to borrow against a variety of cryptocurrencies.

The Record from Recorded Future News

After Detecting 30B Phishing Attempts, Microsoft Adds Even More AI to Its Security Copilot

Microsoft is partnering with top firms to launch new AI security tools, boosting breach analysis, threat detection, and AI model protection across cloud platforms.

Security | TechRepublic

Malaysia PM says country rejected $10 million ransom demand after airport outages

Computer outages at Malaysia’s Kuala Lumpur International Airport (KLIA) this weekend were attributed to a recent cyberattack, according to the country’s cybersecurity agency and aviation authority.

The Record from Recorded Future News

Satellite Navigation Systems Facing Rising Jamming and Spoofing Attacks

Satellite navigation systems are under rising threat from jamming and spoofing attacks, risking aviation, maritime, and telecom safety worldwide, warn global agencies.

Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News

Alleged Snowflake hacker consents to extradition from Canada after US charges

Connor Riley Moucka signed a consent order on Friday in Ontario Superior Court in Kitchener that would allow him to be transferred to U.S. custody to face multiple charges.

The Record from Recorded Future News

23andMe files for bankruptcy: How to delete your data

23andMe holds millions of customers’ genetic information. Here’s what you can do to protect your data.

Security News | TechCrunch

Accused Snowflake Attacker ‘Judische’ Agrees to US Extradition

Though there is no confirmation as to when this extradition will occur, Alexander Moucka agreed to be transferred in writing before a judge.

darkreading

What is Signal? 7 features that make it a go-to app for private, secure messaging

Signal is in the news for all the wrong reasons. Here’s what to know about it and why it remains a top choice for protecting conversations.

Latest stories for ZDNET in Security

Hackers Are Using Microsoft’s .NET MAUI to Spread Android Malware

McAfee Labs reveals new Android malware exploiting .NET MAUI to steal user data. Learn about advanced evasion techniques and how to stay protected.

Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News