Google has released a critical security patch for its Chrome browser after Kaspersky discovered a serious zero-day security vulnerability.
The vulnerability, cataloged as CVE-2025-2783, allowed attackers to bypass the browser’s sandbox protection measures and compromised the systems of affected users without further user interaction.
Phishing campaign “Operation ForumTroll”
In mid-March 2025, security experts from Kaspersky discovered a series of infections triggered by phishing emails. The security researchers were able to trace the incidents back to a zero-day vulnerability that was activated as soon as the victims clicked on a compromised website using a Chrome browser. The targeted wave of attacks lured victims via personalized phishing emails with a supposed invitation to the “Primakov Readings” forum. After clicking on the included link, no further user interaction was required – the systems were completely compromised.
The campaign, dubbed “Operation ForumTroll”, primarily targeted media companies, educational institutions and government organizations in Russia. To make detection more difficult, the malicious links were only active for a short time and redirected victims to the legitimate “Primakov Reading” website after the exploit had been executed.
Complex exploit chain
The vulnerability CVE-2025-2783 discovered by Kaspersky was only one part of a multi-stage attack chain:
- A previously unknown Remote Code Execution (RCE) vulnerability in Chrome initiated the attack
- The identified sandbox outbreak enabled the further execution of malicious code outside the protected environment
“This vulnerability stands out from the numerous zero-day vulnerabilities we have discovered over the years,” explains Boris Larin, senior security expert at Kaspersky GReAT. “The exploit bypassed Chrome’s sandbox protection without performing any obviously malicious actions – it was as if this security barrier simply didn’t exist.”
The technical sophistication of the exploit points to highly skilled actors with significant resources – typical characteristics of an Advanced Persistent Threat (APT) group. After analyzing the malware functionality, the researchers assume that the operation was primarily intended for espionage purposes.
Quick response from Google
After confirming the previously unknown vulnerability, Kaspersky immediately informed Google’s security team. On March 25, 2025, the browser manufacturer released a security patch that closes the gap.
Kaspersky is continuing its investigation into Operation ForumTroll and plans to publish a detailed technical analysis of the exploits and the malware used as soon as Chrome users’ security is ensured through sufficient patch distribution.
Protective measures
The researchers urgently recommend that all users update Google Chrome and all Chromium-based browsers to the latest version. The security experts also advise:
- Update operating system and software regularly
- Implement a multi-layered security solution with AI/ML technologies
- SOC teams should always have access to the latest threat intelligence information