EXECUTIVE SUMMARY:
A targeted espionage campaign operated by ForumTroll delivered highly tailored phishing messages that redirected recipients to short-lived malicious webpages. Simply visiting these pages with a Chromium-based browser was sufficient to trigger exploitation of CVE-2025-2783, enabling silent compromise without further user interaction. The operation used topical lures aimed at organizations in the research, media, and government sectors and was engineered to avoid detection through ephemeral infrastructure.
The intrusion chain began with personalized phishing links that pointed to transient sites hosting a browser sandbox escape. A previously unknown Chromium vulnerability was weaponized to break out of the browser process, allowing a staged payload to be fetched and executed. The attackers deployed a multi-stage persistent loader that used defensive-evasion techniques to maintain access. Analysis of recovered samples links the campaign to a modular spyware family with capabilities for data collection, remote control and covert telemetry, and shows the use of specialized components for lateral movement and secure command-and-control communication. Indicators recovered from the campaign include exploit artifacts, loader signatures and C2 patterns that can be used to hunt for compromises.
Organizations should treat this campaign as a high-risk targeted espionage operation: immediately ensure Chromium-based browsers are updated to include the fix for the sandbox escape, block and analyse suspicious short-lived URLs, harden endpoint defenses, and increase phishing resistance through user training and stronger email filtering. Additionally, hunt for indicators of staged loaders and anomalous outbound connections from high-risk user accounts and systems that match the described behaviors.
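The hunting step above (anomalous outbound connections from high-risk users, over web protocols, to short-lived infrastructure) can be turned into a concrete check over proxy logs. The script below is an added illustration and is not part of the original report or of any vendor tooling: it parses constructed sample log lines, groups connections per (user, destination) pair, flags pairs whose inter-connection gaps are unusually regular (automated check-ins rather than browsing), and raises the priority of any such destination that also appears in an assumed "recently first seen" set. The log format, the thresholds, the RECENTLY_SEEN set and the sample hostnames are all assumptions for the example.

```python
"""Hunt for beacon-like web traffic to freshly seen destinations.

Added example for the hunting guidance in the summary; not from the report.
Log format assumed: ISO timestamp, source user, destination host, bytes out.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines; the hosts are placeholders, not campaign IoCs.
SAMPLE_LOG = """\
2025-03-20T09:00:00 alice cdn.example.net 512
2025-03-20T09:00:05 bob updates.example.org 2048
2025-03-20T09:01:00 alice cdn.example.net 510
2025-03-20T09:02:00 alice cdn.example.net 515
2025-03-20T09:03:00 alice cdn.example.net 511
2025-03-20T09:04:00 alice cdn.example.net 509
2025-03-20T09:00:41 bob updates.example.org 1980
2025-03-20T09:07:12 bob mail.example.org 4096
2025-03-20T09:15:33 bob updates.example.org 2100
"""

# Assumed input: destinations first observed recently (for example from a
# domain-age feed or the proxy's own first-seen table). Constructed here.
RECENTLY_SEEN = {"cdn.example.net"}


def parse_log(text):
    """Parse the assumed four-column log format into (ts, user, host, bytes)."""
    events = []
    for line in text.splitlines():
        ts, user, host, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, host, int(nbytes)))
    return events


def find_beacons(events, min_hits=5, max_cv=0.15):
    """Return (user, host, avg_gap_seconds, hits) for regularly spaced connections.

    cv = population stdev / mean of the inter-arrival gaps. Near-constant gaps
    (low cv) over enough hits suggest a scheduled check-in. Pairs with fewer
    than min_hits connections are skipped so a handful of page loads does not
    trigger a finding.
    """
    by_pair = defaultdict(list)
    for ts, user, host, _ in events:
        by_pair[(user, host)].append(ts)
    hits = []
    for (user, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing to measure
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits.append((user, host, round(avg, 1), len(times)))
    return hits


def hunt(text, recently_seen, min_hits=5, max_cv=0.15):
    """Combine beacon regularity with destination novelty into ranked findings."""
    events = parse_log(text)
    findings = []
    for user, host, avg_gap, count in find_beacons(events, min_hits, max_cv):
        findings.append({
            "user": user,
            "host": host,
            "avg_gap_s": avg_gap,
            "hits": count,
            "new_destination": host in recently_seen,
        })
    # Regular beacons to freshly seen hosts first, then by volume of hits.
    findings.sort(key=lambda f: (not f["new_destination"], -f["hits"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, RECENTLY_SEEN):
        print(finding)
```

Regular check-ins alone are noisy (software updaters and telemetry agents beacon too), which is why the example only promotes a finding when the destination is also newly seen; in practice the RECENTLY_SEEN input would come from a domain-age or first-seen source, and the user set would be narrowed to the high-risk accounts the summary names.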
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1189 | Drive-by Compromise | - |
| Execution | T1203 | Exploitation for Client Execution | - |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
REFERENCES:
The following reports contain further technical details: