In mid-March 2025, cybersecurity researchers uncovered “Operation ForumTroll,” targeting Russian media outlets and educational institutions.
Victims are infected simply by opening, in Chrome, a phishing link disguised as an invitation to the “Primakov Readings” forum; no further interaction is needed for the malware to run on an unpatched system.
The campaign exploits CVE-2025-2783, a zero-day in Chrome for Windows. Rather than a memory-corruption bug, it is a logic error at the boundary between Chrome's sandbox and the Windows operating system (Google's release note describes it as an incorrect handle provided in unspecified circumstances in Mojo on Windows) that lets attacker code running inside the sandbox break out of it. Building an exploit chain around such a flaw requires detailed knowledge of both the browser's security architecture and the way it interacts with the operating system.
K7 Security Labs researchers identified this as a sophisticated state-sponsored APT operation focused on espionage activities.
They noted that the phishing links were personalized for each target and stayed live only briefly, which hampered detection and points to careful operational security on the attackers' part.
Google patched the vulnerability on March 25, 2025 in Chrome 134.0.6998.177/.178 for Windows, crediting Kaspersky researchers Boris Larin and Igor Kuznetsov for the report.
The attack chains two exploits: a remote code execution exploit that runs attacker code inside Chrome's sandboxed process, and the CVE-2025-2783 exploit that lets that code escape the sandbox and execute on the underlying Windows host.
The phishing infrastructure used the domain primakovreadings[.]info, which at the time of analysis redirected visitors to the legitimate forum website.
Security researchers describe the vulnerability as particularly dangerous because it allows attackers to bypass Chrome’s sandbox “as if it didn’t exist,” effectively eliminating a critical browser security layer.
According to the technical analysis, the malware establishes persistence through registry modifications and scheduled tasks, and maintains encrypted command-and-control communications using custom obfuscation techniques.
The payload exfiltrates sensitive documents, browser credentials, and email correspondence in a series of encrypted transfers.
Kaspersky products flag the components with the verdicts Exploit.Win32.Generic, Trojan.Win64.Agent, and Trojan.Win64.Convagent.gen.
Organizations should update Chrome to 134.0.6998.177 or later (other Chromium-based browsers need their own vendor's corresponding fix), filter inbound email for phishing lures, and search proxy and DNS logs for connections to the campaign domain.
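The following Python turns two of those recommendations into checks a defender can run: a Chrome build-number comparison against the first fixed Windows build, and a scan of proxy log lines for the campaign domain. It is an added example written for this page, not code from the original article or from any vendor report. The proxy log lines and their field layout (timestamp, client, method, URL, status) are constructed for illustration, and the look-alike hostnames in them exist only as negative test cases.

```python
"""Two practitioner checks for CVE-2025-2783 / Operation ForumTroll.

Added example: not code from the original article or from any vendor report.
"""
import re
from typing import Iterable, List, Tuple

# First Chrome for Windows stable build containing the fix (134.0.6998.177);
# .178 and every later build are patched as well.
FIXED_VERSION: Tuple[int, int, int, int] = (134, 0, 6998, 177)

# Campaign domain exactly as the article defangs it.
IOC_DOMAIN_DEFANGED = "primakovreadings[.]info"

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status.
# The two look-alike hosts are invented negative test cases.
SAMPLE_PROXY_LOG = [
    "2025-03-18T09:14:02Z 10.0.4.21 GET https://primakovreadings.info/invite?u=42 302",
    "2025-03-18T09:14:03Z 10.0.4.21 GET https://www.primakovreadings.info/ 200",
    "2025-03-18T09:15:10Z 10.0.4.33 GET https://notprimakovreadings.info/ 200",
    "2025-03-18T09:16:00Z 10.0.4.33 GET https://primakovreadings.info.example.net/ 200",
    "2025-03-18T09:17:45Z 10.0.4.50 GET https://www.example.com/ 200",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True if the build carries the CVE-2025-2783 fix.

    Compare as integer tuples, not strings: as strings '134.0.6998.89' sorts
    after '134.0.6998.177', so a naive comparison would call an unpatched
    build patched.
    """
    return parse_version(version) >= FIXED_VERSION


def refang(indicator: str) -> str:
    """Undo common defanging so a published IOC can be matched against logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_ioc_hits(log_lines: Iterable[str],
                  domain: str = refang(IOC_DOMAIN_DEFANGED)) -> List[str]:
    """Return log lines whose requested host is the IOC domain or a subdomain of it.

    The host is extracted from the URL and compared on label boundaries, so a
    look-alike such as 'notprimakovreadings.info', or a host that merely starts
    with the domain, does not match, while 'www.primakovreadings.info' does.
    """
    host_re = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)
    domain = domain.lower()
    hits: List[str] = []
    for line in log_lines:
        for host in host_re.findall(line):
            host = host.lower().rstrip(".")
            if host == domain or host.endswith("." + domain):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    for v in ("134.0.6998.89", "134.0.6998.177", "134.0.6998.178", "135.0.7049.42"):
        print(f"Chrome {v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
    for hit in find_ioc_hits(SAMPLE_PROXY_LOG):
        print("IOC hit:", hit)
```

On Windows the version string to feed `is_patched` can be read from `chrome://version` or from the Chrome `version` value under the `HKLM\SOFTWARE\Google\Update\Clients` registry tree; the log scanner expects whole URLs in the line, so adapt the regular expression if your proxy logs only the host.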