Operation ForumTroll is characterized by a wave of infections triggered by targeted phishing emails that enticed users to click on malicious links. Kaspersky identified a zero-day exploit for CVE-2025-2783, used to escape Google Chrome's sandbox, and reconstructed a sophisticated attack chain designed primarily for espionage. The spyware, known as Dante, is attributed to Memento Labs, the company formerly known as Hacking Team, which rebranded after a significant data leak and went on to develop this commercial spyware.
The attackers employed advanced techniques, including a return-oriented programming (ROP) approach for privilege escalation and evasion of security mechanisms. Persistence was achieved through COM hijacking, in which a registry entry redirects a COM class that legitimate software instantiates to the attacker's own binary, so the malware executes covertly within trusted system processes. The malware's commands are written in leetspeak, and it is equipped to steal sensitive information through keylogging and file-stealing tasks.
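As an added example, not code from the Kaspersky report or from the malware itself, the PowerShell script below hunts for the persistence pattern named above: COM classes registered per user under HKCU that either shadow a machine-wide CLSID in HKLM or point at a server binary in a user-writable directory. It assumes it is run on the Windows host in the context of the user profile being examined, with read access to HKLM; the directory list and the shadowing heuristic are this script's own assumptions, not indicators taken from the report.

```powershell
# Added example, not code from the Kaspersky report: hunt for per-user COM hijacks.
# Assumptions (this script's own heuristics, not indicators from the report):
#  - run on the live host in the context of the user being examined (HKCU),
#    with read access to HKLM;
#  - a CLSID registered under HKCU that also exists under HKLM, or whose server
#    binary lives in a user-writable directory, is worth triaging.

$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-ComServerPath {
    param([string]$KeyPath)
    # The server binary is the key's (Default) value. LocalServer32 values may
    # carry arguments after a quoted path, so keep only the quoted part.
    $raw = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    $raw = $raw.Trim()
    if ($raw.StartsWith('"')) { $raw = $raw.Substring(1).Split('"')[0] }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

function Test-UserWritableLocation {
    param([string]$Path)
    foreach ($root in $suspiciousRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-UserComHijacks {
    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsidRoot)) { return @() }

    foreach ($clsidKey in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $clsid = $clsidKey.PSChildName
        foreach ($serverKind in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path $clsidKey.PSPath $serverKind
            if (-not (Test-Path $serverKey)) { continue }
            $serverPath = Get-ComServerPath -KeyPath $serverKey
            if (-not $serverPath) { continue }

            # HKCU\Software\Classes is consulted before HKLM, so a per-user copy of a
            # machine-wide CLSID silently wins: the classic hijack pattern.
            $shadowsMachine = (Test-Path "HKLM:\Software\Classes\CLSID\$clsid") -or
                              (Test-Path "HKLM:\Software\Classes\Wow6432Node\CLSID\$clsid")
            $inUserDir = Test-UserWritableLocation -Path $serverPath
            if (-not ($shadowsMachine -or $inUserDir)) { continue }

            # A missing or unsigned server binary next to a shadowed CLSID is the
            # highest-priority finding; a validly signed one is usually benign.
            $fileExists = Test-Path -LiteralPath $serverPath -PathType Leaf
            $signature = if ($fileExists) {
                (Get-AuthenticodeSignature -FilePath $serverPath).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                CLSID          = $clsid
                ServerType     = $serverKind
                ServerPath     = $serverPath
                ShadowsMachine = $shadowsMachine
                UserWritable   = $inUserDir
                Signature      = $signature
            }
        }
    }
}

Find-UserComHijacks | Sort-Object ShadowsMachine, Signature -Descending | Format-Table -AutoSize
```

Expect benign hits: per-user installers (ClickOnce applications, cloud-sync clients) legitimately register COM servers under %LOCALAPPDATA% with valid signatures and no HKLM counterpart. Rows with ShadowsMachine set to True and a Signature of NotSigned or FileMissing are the ones to pull the binary for, together with the processes that instantiate that CLSID. The script is a point-in-time check of the current user's hive only; for other profiles, load their NTUSER.DAT and point the script at that hive under HKEY_USERS.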
Detailed analysis indicates a high likelihood of future attacks leveraging similar vulnerabilities and spyware capabilities, highlighting the importance of ongoing vigilance against such sophisticated threats. Kaspersky's report draws attention not only to the specific threats posed by the ForumTroll APT group but also to the broader implications of commercial spyware for cybersecurity and national security.
👉 Read the original: Kaspersky Securelist