{ "id": "09cb1b50-e594-4936-8c29-4b610eb68116", "created_at": "2026-04-06T00:16:04.394305Z", "updated_at": "2026-04-10T13:11:34.645981Z", "deleted_at": null, "sha1_hash": "3d93cbbcdf97ec223d5c791ed4c7f0fb0ee26f1e", "title": "Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 421594, "plain_text": "Operation ForumTroll: APT attack with Google Chrome zero-day\r\nexploit chain\r\nBy Igor Kuznetsov\r\nPublished: 2025-03-25 · Archived: 2026-04-05 13:26:19 UTC\r\nAPT reports\r\nAPT reports\r\n25 Mar 2025\r\n 2 minute read\r\nhttps://securelist.com/operation-forumtroll/115989/\r\nPage 1 of 5\n\nIn mid-March 2025, Kaspersky technologies detected a wave of infections by previously unknown and highly\r\nsophisticated malware. In all cases, infection occurred immediately after the victim clicked on a link in a phishing\r\nemail, and the attackers’ website was opened using the Google Chrome web browser. No further action was\r\nrequired to become infected.\r\nAll malicious links were personalized and had a very short lifespan. However, Kaspersky’s exploit detection and\r\nprotection technologies successfully identified the zero-day exploit that was used to escape Google Chrome’s\r\nsandbox. We quickly analyzed the exploit code, reverse-engineered its logic, and confirmed that it was based on a\r\nzero-day vulnerability affecting the latest version of Google Chrome. We then reported the vulnerability to the\r\nGoogle security team. Our detailed report enabled the developers to quickly address the issue, and on March 25,\r\n2025, Google released an update fixing the vulnerability and thanked us for discovering this attack.\r\nAcknowledgement for finding CVE-2025-2783 (excerpt from security fixes included into Chrome\r\n134.0.6998.177/.178)\r\nWe have discovered and reported dozens of zero-day exploits actively used in attacks, but this particular exploit is\r\ncertainly one of the most interesting we’ve encountered. The vulnerability CVE-2025-2783 really left us\r\nscratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to\r\nbypass Google Chrome’s sandbox protection as if it didn’t even exist. The cause of this was a logical error at the\r\nintersection of Google Chrome’s sandbox and the Windows operating system. We plan to publish the technical\r\ndetails of this vulnerability once the majority of users have installed the updated version of the browser that fixes\r\nit.\r\nhttps://securelist.com/operation-forumtroll/115989/\r\nPage 2 of 5\n\nOur research is still ongoing, but judging by the functionality of the sophisticated malware used in the attack, it\r\nseems the attackers’ goal was espionage. The malicious emails contained invitations allegedly from the organizers\r\nof a scientific and expert forum, “Primakov Readings”, targeting media outlets, educational institutions and\r\ngovernment organizations in Russia. Based on the content of the emails, we dubbed the campaign Operation\r\nForumTroll.\r\nExample of a malicious email used in this campaign (translated from Russian)\r\nAt the time of writing, there’s no exploit active at the malicious link – it just redirects visitors to the official\r\nwebsite of “Primakov Readings”. However, we strongly advise against clicking on any potentially malicious links.\r\nThe exploit we discovered was designed to run in conjunction with an additional exploit that enables remote code\r\nexecution. Unfortunately, we were unable to obtain this second exploit, as in this particular case it would have\r\nrequired waiting for a new wave of attacks and exposing users to the risk of infection. Fortunately, patching the\r\nvulnerability used to escape the sandbox effectively blocks the entire attack chain.\r\nAll the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently\r\nconclude that a state-sponsored APT group is behind this attack.\r\nWe plan to publish a detailed report with technical details about the zero-day exploit, the sophisticated malware,\r\nand the attackers’ techniques.\r\nKaspersky products detect the exploits and malware used in this attack with the following verdicts:\r\nExploit.Win32.Generic\r\nTrojan.Win64.Agent\r\nTrojan.Win64.Convagent.gen\r\nPDM:Exploit.Win32.Generic\r\nPDM:Trojan.Win32.Generic\r\nhttps://securelist.com/operation-forumtroll/115989/\r\nPage 3 of 5\n\nUDS:DangerousObject.Multi.Generic\r\nIndicators of Compromise\r\nprimakovreadings[.]info\r\nLatest Posts\r\nLatest Webinars\r\nReports\r\nKaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka\r\nMustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.\r\nKaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a\r\nkernel-mode rootkit to deliver and protect a ToneShell backdoor.\r\nKaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with\r\nDPAPI and RC5, as well as the MgBot implant.\r\nhttps://securelist.com/operation-forumtroll/115989/\r\nPage 4 of 5\n\nKaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their\r\nsignature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.\r\nSource: https://securelist.com/operation-forumtroll/115989/\r\nhttps://securelist.com/operation-forumtroll/115989/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "origins": [ "web" ], "references": [ "https://securelist.com/operation-forumtroll/115989/" ], "report_names": [ "115989" ], "threat_actors": [ { "id": "aee1b97f-7d09-4a36-aba9-c65589d9eab0", "created_at": "2025-05-29T02:00:03.201432Z", "updated_at": "2026-04-10T02:00:03.857667Z", "deleted_at": null, "main_name": "Operation ForumTroll", "aliases": [], "source_name": "MISPGALAXY:Operation ForumTroll", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f35997d9-ca1e-453f-b968-0e675cc16d97", "created_at": "2023-01-06T13:46:39.490819Z", "updated_at": "2026-04-10T02:00:03.345364Z", "deleted_at": null, "main_name": "Evasive Panda", "aliases": [ "BRONZE HIGHLAND" ], "source_name": "MISPGALAXY:Evasive Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a", "created_at": "2024-11-01T02:00:52.763555Z", "updated_at": "2026-04-10T02:00:05.263997Z", "deleted_at": null, "main_name": "Daggerfly", "aliases": [ "Daggerfly", "Evasive Panda", "BRONZE HIGHLAND" ], "source_name": "MITRE:Daggerfly", "tools": [ "PlugX", "MgBot", "BITSAdmin", "MacMa", "Nightdoor" ], "source_id": "MITRE", "reports": null }, { "id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7", "created_at": "2023-01-06T13:46:39.413725Z", "updated_at": "2026-04-10T02:00:03.31882Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Evasive Panda", "Daggerfly" ], "source_name": "MISPGALAXY:BRONZE HIGHLAND", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7", "created_at": "2022-10-25T16:07:23.422755Z", "updated_at": "2026-04-10T02:00:04.592069Z", "deleted_at": null, "main_name": "Bronze Highland", "aliases": [ "Daggerfly", "Digging Taurus", "Evasive Panda", "Storm Cloud", "StormBamboo", "TAG-102", "TAG-112" ], "source_name": "ETDA:Bronze Highland", "tools": [ "Agentemis", "CDDS", "CloudScout", "Cobalt Strike", "CobaltStrike", "DazzleSpy", "KsRemote", "LOLBAS", "LOLBins", "Living off the Land", "MacMa", "Macma", "MgBot", "Mgmbot", "NetMM", "Nightdoor", "OSX.CDDS", "POCOSTICK", "RELOADEXT", "Suzafk", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "4f7d2815-7504-4818-bf8d-bba18161b111", "created_at": "2025-08-07T02:03:24.613342Z", "updated_at": "2026-04-10T02:00:03.732192Z", "deleted_at": null, "main_name": "BRONZE HIGHLAND", "aliases": [ "Daggerfly", "Daggerfly ", "Evasive Panda ", "Evasive Panda ", "Storm Bamboo " ], "source_name": "Secureworks:BRONZE HIGHLAND", "tools": [ "Cobalt Strike", "KsRemote", "Macma", "MgBot", "Nightdoor", "PlugX" ], "source_id": "Secureworks", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434564, "ts_updated_at": 1775826694, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3d93cbbcdf97ec223d5c791ed4c7f0fb0ee26f1e.pdf", "text": "https://archive.orkl.eu/3d93cbbcdf97ec223d5c791ed4c7f0fb0ee26f1e.txt", "img": "https://archive.orkl.eu/3d93cbbcdf97ec223d5c791ed4c7f0fb0ee26f1e.jpg" } }