Hackers Exploit Chrome Flaw via Windows Vulnerability

In March 2025, Kaspersky researchers detected a targeted attack using previously unknown, sophisticated malware. The malware was distributed through carefully crafted phishing emails containing links to malicious websites. When a recipient clicked the link and it opened in the Google Chrome browser, the device was infected with no further action required from the user.

Each link in the phishing emails was unique to its recipient and valid only for a limited time. Despite this, researchers were able to identify a zero-day vulnerability in Chrome that allowed the malware to escape the browser’s sandbox.

Upon analyzing the exploit, experts confirmed that it affected even the latest version of Chrome. The Google security team was notified, and a patch was released on March 25 to address the vulnerability CVE-2025-2783 (fix included in Chrome version 134.0.6998.177/.178).

The CVE-2025-2783 vulnerability was related to the mishandling of handles in the Mojo component on the Windows platform. It allowed attackers to bypass the sandbox protection without triggering any obvious security alarms. Researchers described this exploit as one of the most complex and interesting in recent years.

The targets of the attack were state organizations, educational institutions, and Russian media outlets. The malicious emails were disguised as official invitations to the International Forum “Primakovsky Readings” and included links to a website that mimicked the official domain: primakovreadings[.]info.

As of now, the malicious link redirects users to the authentic forum website, but the redirect remains potentially unsafe.

During the analysis, researchers discovered a chain of multiple exploits: one designed to escape the sandbox and another, presumably, for remote code execution. The second exploit was not obtained, because doing so would have required waiting for a new wave of attacks and putting users at risk. The Google patch effectively blocks the entire exploit chain at the initial stage.

The attack was internally named “Forum troll” and is believed to be the work of a technically sophisticated group, possibly with state support. The nature of the malware and the targeted attacks suggest espionage motives.

Known indicators of compromise include the domain primakovreadings[.]info.
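The fixed build and the indicator above give defenders two concrete checks. The following is an added example, not code from Kaspersky or Google: it flags Windows hosts running Chrome below 134.0.6998.177 and finds DNS lookups of the indicator domain. The host names, inventory tuples, and log format are constructed assumptions.

```python
import re

FIXED_BUILD = (134, 0, 6998, 177)   # first fixed Chrome build named in the article
IOC_DOMAIN = "primakovreadings[.]info".replace("[.]", ".")  # kept defanged in source

def parse_version(text):
    """Turn '134.0.6998.88' into a comparable tuple; None if malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(map(int, m.groups())) if m else None

def needs_update(os_name, version_text):
    """True for Windows hosts below the fixed build or with an unparseable version."""
    if os_name.lower() != "windows":
        return False  # the article describes the flaw on Windows only
    version = parse_version(version_text)
    return version is None or version < FIXED_BUILD

def matches_ioc(hostname):
    """Match the IoC domain and its subdomains, but not look-alike suffixes."""
    host = hostname.strip().lower().rstrip(".")
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)

# Constructed sample data (hypothetical hosts, versions, and log lines)
INVENTORY = [
    ("ws-001", "Windows", "134.0.6998.88"),
    ("ws-002", "Windows", "134.0.6998.178"),
    ("ws-003", "Windows", "133.0.6943.142"),
    ("mac-01", "macOS", "134.0.6998.88"),
    ("ws-004", "Windows", "unknown"),
]
DNS_LOG = [
    "2025-03-20T09:14:02Z ws-001 query example.org",
    "2025-03-20T09:15:40Z ws-003 query PrimakovReadings.info.",
    "2025-03-20T09:16:11Z ws-002 query www.primakovreadings.info",
    "2025-03-20T09:17:53Z ws-002 query notprimakovreadings.info",
]

def hosts_needing_update(inventory):
    return [h for h, os_name, v in inventory if needs_update(os_name, v)]

def hosts_with_ioc_hits(log_lines):
    # Log format (constructed): timestamp, client host, verb, queried name
    rows = (line.split() for line in log_lines)
    return sorted({host for _ts, host, _verb, qname in rows if matches_ioc(qname)})

if __name__ == "__main__":
    print(hosts_needing_update(INVENTORY), hosts_with_ioc_hits(DNS_LOG))
```

Hosts with an unparseable version are treated as needing an update so that inventory gaps are not silently reported as patched.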
