{"id":23931,"date":"2025-03-25T17:35:37","date_gmt":"2025-03-25T21:35:37","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/forum-troll-apt-with-zero-day-vulnerability\/23931\/"},"modified":"2025-03-27T19:55:08","modified_gmt":"2025-03-27T15:55:08","slug":"forum-troll-apt-with-zero-day-vulnerability","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/forum-troll-apt-with-zero-day-vulnerability\/23931\/","title":{"rendered":"Operation ForumTroll: APT attack via zero-day vulnerability"},"content":{"rendered":"<p>Our exploit detection and prevention technologies have detected a new wave of cyberattacks with previously unknown malware. While analyzing it, our Global Research and Analysis Team (GReAT) experts realized that we\u2019re dealing with a technically sophisticated targeted attack, which suggests that a state-sponsored APT group is behind it. The attack exploited a zero-day vulnerability in the Chrome browser, which we immediately reported to Google; the company promptly <a href=\"https:\/\/chromereleases.googleblog.com\/2025\/03\/stable-channel-update-for-desktop_25.html\" target=\"_blank\" rel=\"nofollow noopener\">released a patch to fix it<\/a>.<\/p>\n<h2>What is the Operation ForumTroll APT attack?<\/h2>\n<p>The attack starts with an email with a phishing invitation to the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Primakov_Readings\" target=\"_blank\" rel=\"nofollow noopener\">Primakov Readings<\/a> international economic and political science forum. There are two links in the email\u2019s body, which pretend to lead to the program of the event and the registration form for participants, but which actually lead to the malefactor\u2019s website. 
If a Windows PC user with the Google Chrome browser (or any other browser based on the Chromium engine) clicks them, their computer gets infected with no additional action required from the victim.<\/p>\n<p>Next, the exploit for the CVE-2025-2783 vulnerability comes into play \u2014 helping to circumvent the Chrome browser\u2019s defense mechanism. It\u2019s too early to talk about technical details, but the essence of the vulnerability comes down to an error in logic at the intersection of Chrome and the Windows operating system that allows bypassing the browser\u2019s sandbox protection.<\/p>\n<p>A slightly more detailed technical description of the attack along with the indicators of compromise can be found <a href=\"https:\/\/securelist.com\/operation-forumtroll\/115989\/\" target=\"_blank\" rel=\"noopener\">on our Securelist blog<\/a>. Our GReAT experts will publish a thorough technical analysis of the vulnerability and APT attack once the majority of browser users install the newly released patch.<\/p>\n<h2>Who are the targets of the Operation ForumTroll APT attack?<\/h2>\n<p>Fake event invitations containing personalized links were sent to Russian media representatives, employees of educational institutions and governmental organizations. According to our GReAT experts, the goal of the attackers was espionage.<\/p>\n<h2>How to stay safe<\/h2>\n<p>At the time of writing this post, the attack was no longer active: the phishing link redirected users to the legitimate Primakov Readings website. 
However, the malefactors could reactivate the exploit delivery mechanism at any time and start the next wave of the attack.<\/p>\n<p>Thanks to our experts\u2019 analysis, Google Chrome\u2019s developers promptly fixed the CVE-2025-2783 vulnerability today, so we advise you to check that your organization\u2019s browsers are updated to at least version 134.0.6998.177\/.178.<\/p>\n<p>In addition, we recommend using <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">reliable security solutions<\/a> equipped with modern exploit detection and prevention technologies on all internet-connected corporate devices. Our products successfully detect all exploits and other malware used in this APT attack.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"mdr\"><input type=\"hidden\" class=\"placeholder_for_banner\" data-cat_id=\"mdr\" value=\"18953\">\n","protected":false},"excerpt":{"rendered":"<p>Our technologies have helped to detect the zero-day vulnerability CVE-2025-2783 in Google Chrome, which was used in a sophisticated APT attack. 
<\/p>\n","protected":false},"author":312,"featured_media":23932,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917,1486],"tags":[477,575,268],"class_list":{"0":"post-23931","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"category-threats","11":"tag-apt","12":"tag-great","13":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/forum-troll-apt-with-zero-day-vulnerability\/23931\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/forum-troll-apt-with-zero-day-vulnerability\/28692\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/forum-troll-apt-with-zero-day-vulnerability\/28808\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/forum-troll-apt-with-zero-day-vulnerability\/28010\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/forum-troll-apt-with-zero-day-vulnerability\/30853\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/forum-troll-apt-with-zero-day-vulnerability\/29550\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/forum-troll-apt-with-zero-day-vulnerability\/39300\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/forum-troll-apt-with-zero-day-vulnerability\/53215\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/forum-troll-apt-with-zero-day-vulnerability\/22676\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/forum-troll-apt-with-zero-day-vulnerability\/32036\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/forum-troll-apt-with-zero-day-vulnerability\/28968\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/forum-troll-apt-with-zero-day-vulnerability\/34757\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co
.za\/blog\/forum-troll-apt-with-zero-day-vulnerability\/34386\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/312"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23931"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23931\/revisions"}],"predecessor-version":[{"id":23952,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23931\/revisions\/23952"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23932"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}