Chrome Zero-Day Exploit Linked to Memento Labs' LeetAgent Spyware Campaign


These articles are AI-generated summaries. Please check the original sources for full details.

A critical zero-day vulnerability in Google Chrome (CVE-2025-2783) was exploited to deliver Memento Labs’ LeetAgent spyware, targeting Russian organizations and individuals through spear-phishing campaigns. The exploit, part of Operation ForumTroll, is linked to multiple APT groups and highlights the misuse of surveillance tools originally intended for law enforcement.


Vulnerability and Exploit Details

CVE-2025-2783: The Exploited Flaw

  • CVSS Score: 8.3 (high severity)
  • Nature: Sandbox escape vulnerability in Chromium-based browsers
  • Discovery: Disclosed by Google in March 2025, patched by October 2025
  • Exploitation Timeline: Active since at least February 2024, with Kaspersky documenting its use in Operation ForumTroll (2025)
  • Tracking Names: TaxOff/Team 46 (Positive Technologies), Dante APT (F6), Prosperous Werewolf (BI.ZONE)

Attack Vector

  • Delivery Method: Phishing emails with personalized, short-lived links to the Primakov Readings forum
  • Trigger: Clicking the link in Chrome or Chromium-based browsers exploits the vulnerability to achieve remote code execution
  • Payload: Drops a loader to deploy LeetAgent, a spyware developed by Memento Labs

Memento Labs and Its Controversial Background

Company Overview

  • Founded: April 2019 via merger of HackingTeam and InTheCyber Group
  • History:
    • HackingTeam was infamous for selling surveillance tools to governments, including Tor browser monitoring software
    • 2015 Data Leak: Hundreds of gigabytes of internal data, including VectorEDK (later used in MosaicRegressor UEFI bootkit)
    • 2016 License Revocation: Italian authorities revoked its export license outside Europe

Recent Involvement

  • LeetAgent: A spyware with leetspeak-based commands, linked to Operation ForumTroll
  • Confirmation: Memento Labs CEO Paolo Lezzi confirmed the spyware belongs to the company, attributing its misuse to a government customer using an outdated Windows version of Dante (a predecessor to LeetAgent)

Spyware Capabilities and Command Set

LeetAgent is a highly versatile backdoor with the following command set:

  • 0xC033A4D (COMMAND): Run command via cmd.exe
  • 0xECEC (EXEC): Execute arbitrary processes
  • 0x6E17A585 (GETTASKS): Retrieve active tasks
  • 0x6177 (KILL): Terminate tasks
  • 0xF17E09 (FILE \x09): Write files to disk
  • 0xF17ED0 (FILE \xD0): Read files from disk
  • 0x1213C7 (INJECT): Inject shellcode into processes
  • 0xC04F (CONF): Configure communication parameters
  • 0xD1E (DIE): Terminate the agent
  • 0xCD (CD): Change working directory
  • 0x108 (JOB): Harvest files by extension (.doc, .pdf, .xls, and others)

Persistence Mechanism: COM-hijacking to ensure long-term access. Data is hidden in font files and obfuscated to evade detection.
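The COM-hijacking persistence mentioned above relies on a per-user InprocServer32 entry under HKCU\Software\Classes\CLSID, which Windows consults before the machine-wide HKLM entry, so a DLL in a user-writable directory is loaded in place of the real COM server. The following is an added example (not code from the page, from Kaspersky, or from any vendor named here) of a defender-side check: it parses a .reg-style export and flags HKCU registrations that shadow an HKLM registration or point at a DLL in a user-writable path. The export text, CLSIDs and paths are constructed placeholders, and the list of user-writable directories is an assumption.

```python
"""Added example: flag per-user COM registrations that look like COM hijacking.

Not the page's or any vendor's code. Reads a .reg-style export (constructed
sample below) and reports HKCU InprocServer32 entries that either shadow an
HKLM registration for the same CLSID or point at a DLL in a user-writable
directory. Hits are triage leads: per-user application installs also
register COM servers under HKCU legitimately.
"""
import re

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')
INPROC_RE = re.compile(
    r"Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE)

# Assumed list of directories an unprivileged user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_reg_export(text: str) -> dict:
    """Map (hive, key path) -> default value (@) for every key in a .reg export."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            entries.setdefault(current, None)
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes in string values
            entries[current] = m.group(1).replace("\\\\", "\\")
    return entries


def find_com_hijacks(entries: dict) -> list:
    """Return (clsid, dll, reasons) for HKCU InprocServer32 entries that warrant review."""
    machine, user = {}, {}
    for (hive, path), dll in entries.items():
        m = INPROC_RE.search(path)
        if not m or dll is None:
            continue
        clsid = m.group(1).upper()
        if hive == "HKEY_LOCAL_MACHINE":
            machine[clsid] = dll
        elif hive == "HKEY_CURRENT_USER":
            user[clsid] = dll
    hits = []
    for clsid, dll in user.items():
        reasons = []
        if clsid in machine and machine[clsid].lower() != dll.lower():
            reasons.append(f"shadows HKLM registration {machine[clsid]}")
        if any(tok in dll.lower() for tok in USER_WRITABLE):
            reasons.append("server DLL lives in a user-writable directory")
        if reasons:
            hits.append((clsid, dll, reasons))
    return hits


# Constructed sample export: CLSIDs and paths are placeholders, not real IoCs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Cache\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\VendorApp\\vendorapp.dll"
"""

if __name__ == "__main__":
    for clsid, dll, reasons in find_com_hijacks(parse_reg_export(SAMPLE_REG)):
        print(clsid, dll, "; ".join(reasons))
```

On a live host the input can be produced with `reg export HKCU\Software\Classes\CLSID hkcu.reg` (and the HKLM counterpart) and then fed to `parse_reg_export`; a hit means the per-user entry needs review against the signed, expected server DLL, not that it is automatically malicious.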


Campaign Scope and Targeting

Targeted Sectors

  • Russia and Belarus: Media outlets, universities, research centers, government agencies, financial institutions
  • Method: Spear-phishing with tailored lures, not mass distribution

Overlap with Other APT Groups

  • TaxOff/Team 46: Positive Technologies linked the same exploit to deploying Trinper backdoor
  • Dante APT: LeetAgent is connected to Dante, a spyware with advanced evasion techniques:
    • Control Flow Obfuscation
    • Anti-Debugging Checks
    • Encrypted Strings
    • Windows Event Log Monitoring to detect analysis tools

Evidence of Shared Infrastructure

  • Identical COM-hijacking persistence methods
  • Shared code between exploit/loader and Dante
  • Similar file-system paths and data hiding techniques

Response and Implications

Memento Labs’ Response

  • Customer Accountability: Confirmed one government customer used an outdated version of Dante (Windows)
  • Current Focus: Developing mobile-only tools; advised customers to discontinue using Windows malware

Broader Implications

  • Surveillance Tech Misuse: Highlights how tools marketed for law enforcement are repurposed for espionage
  • Need for Patching: Emphasizes the importance of timely updates to mitigate zero-day risks
  • Attribution Challenges: Overlaps in tradecraft suggest possible collaboration or shared resources between groups

Recommendations (for Cybersecurity Practitioners)

  • Update Software: Apply patches promptly for browsers and operating systems
  • Monitor for Phishing: Train users to recognize spear-phishing attempts (e.g., personalized links)
  • Inspect Font Files: Check for anomalies in font files, which may hide malicious data
  • Limit Privileges: Restrict execution rights to minimize the impact of potential exploits
  • Audit Third-Party Tools: Ensure surveillance or security software from vendors like Memento Labs is up-to-date and used only for authorized purposes
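The page notes that the loader hides data in font files and recommends inspecting font files for anomalies. As an added example (not code from the page, from Kaspersky, or from any vendor named here), the following script implements one generic check a defender can run: it parses the sfnt table directory of a TTF/OTF file, flags table records that point outside the file, and measures any bytes appended after the last referenced table together with their entropy, since a payload stapled onto a font usually sits there. The sample fonts are constructed inline and are not usable fonts; the thresholds (16 bytes of tolerated padding, 7.0 bits/byte as "high entropy") are assumptions.

```python
"""Added example: heuristic check for data hidden in sfnt (TTF/OTF) font files.

Not the page's or any vendor's code. A well-formed font is a 12-byte header,
a table directory and the tables it references; anything after the last
referenced table, or a record pointing outside the file, is worth a look.
"""
import math
import struct
from dataclasses import dataclass, field

SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checksum, offset, length
VALID_MAGIC = {0x00010000, 0x4F54544F, 0x74727565}  # TrueType 1.0, 'OTTO' (CFF), 'true' (Apple)

# Assumed thresholds: tolerate a few alignment bytes, flag larger or random-looking tails.
MAX_BENIGN_TRAILING = 16
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed data, lower for code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class FontReport:
    findings: list = field(default_factory=list)
    trailing_bytes: int = 0
    trailing_entropy: float = 0.0

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def inspect_font(data: bytes) -> FontReport:
    """Walk the table directory and report structural anomalies and trailing data."""
    rep = FontReport()
    if len(data) < SFNT_HEADER.size:
        rep.findings.append("file shorter than the sfnt header")
        return rep
    magic, num_tables, _sr, _es, _rs = SFNT_HEADER.unpack_from(data, 0)
    if magic not in VALID_MAGIC:
        rep.findings.append(f"unknown sfnt version 0x{magic:08x}")
        return rep
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(data):
        rep.findings.append("table directory runs past end of file")
        return rep
    last_end = dir_end
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            data, SFNT_HEADER.size + i * TABLE_RECORD.size)
        end = offset + length
        if offset < dir_end or end > len(data):
            rep.findings.append(
                f"table {tag.decode('latin-1')!r} points outside the file "
                f"(offset={offset}, length={length}, size={len(data)})")
            continue
        last_end = max(last_end, end)
    # Tables are 4-byte aligned, so allow the padding of the last one.
    padded_end = (last_end + 3) & ~3
    tail = data[padded_end:]
    rep.trailing_bytes = len(tail)
    rep.trailing_entropy = shannon_entropy(tail)
    if rep.trailing_bytes > MAX_BENIGN_TRAILING or (tail and rep.trailing_entropy > HIGH_ENTROPY):
        rep.findings.append(
            f"{rep.trailing_bytes} bytes after the last table "
            f"(entropy {rep.trailing_entropy:.2f} bits/byte)")
    return rep


def build_font(tables: dict) -> bytes:
    """Construct a minimal sfnt container for the samples below (not a usable font)."""
    n = len(tables)
    offset = SFNT_HEADER.size + n * TABLE_RECORD.size
    records, body = b"", b""
    for tag, payload in tables.items():
        records += TABLE_RECORD.pack(tag, 0, offset, len(payload))
        padded = payload + b"\0" * (-len(payload) % 4)
        body += padded
        offset += len(padded)
    return SFNT_HEADER.pack(0x00010000, n, 0, 0, 0) + records + body


# Constructed samples: a clean container and the same container with 512 bytes appended.
CLEAN_SAMPLE = build_font({b"head": b"\0" * 54, b"cmap": b"\0\0\0\1" + b"\0" * 20})
TAMPERED_SAMPLE = CLEAN_SAMPLE + bytes((i * 73 + 41) % 256 for i in range(512))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        r = inspect_font(blob)
        print(name, "SUSPICIOUS" if r.suspicious else "ok", r.findings)
```

Run `inspect_font(open(path, "rb").read())` over the font directories on a host of interest; legitimate fonts occasionally carry a few padding bytes, so the threshold matters more than the presence of a tail, and a high-entropy tail of hundreds of bytes or more is the case to escalate.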
