Google has released an emergency fix for a critical-severity vulnerability affecting its Chrome browser on Windows. The vulnerability, tracked as CVE-2025-2783, is described as an "incorrect handle provided in unspecified circumstances in Mojo on Windows." It has been widely exploited in attacks against civil society organizations in Russia, in a campaign tracked as Operation ForumTroll.
Phishing emails lure victims with invitations purportedly from a real forum, the Primakov Readings. The emails are aimed at media outlets, educational institutions, and government organizations, and exploit this flaw once the recipient follows the link. Kaspersky researchers Boris Larin and Igor Kuznetsov discovered and disclosed this advanced attack on March 20, 2025.
Details of the Exploit
The exploit for CVE-2025-2783 is a technically sophisticated, targeted attack bearing the hallmarks of an advanced persistent threat (APT). The root cause is a logic error at the boundary between Chrome and the underlying Windows operating system, which allows adversaries to escape the browser's sandbox.
"In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers' website was opened using the Google Chrome web browser," said Boris Larin and Igor Kuznetsov.
"No further action was required to become infected," they added.
The sandbox escape is designed to be chained with a second exploit that provides remote code execution. More importantly, it shows how far the attackers have come in terms of sophistication.
Google's Response
In light of this urgent threat, Google has pushed out-of-band fixes to close the exploitation vector. The patches are included in Chrome version 134.0.6998.177/.178 for Windows users. Google has confirmed that an exploit for CVE-2025-2783 exists in the wild and is actively used.
All users of Chromium-based browsers need to act now. If you use Microsoft Edge, Brave, Opera or Vivaldi, apply the corresponding fixes as soon as they are available. This preemptive step is intended to prevent any further abuse of the vulnerability.
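As an added check that is not part of the original article, the following Python snippet compares a Chrome version string (as shown on chrome://version) against the fixed builds named above. It assumes Chrome's standard four-field version format and treats any build at or above 134.0.6998.177 as patched; it applies to Google Chrome only, since Edge, Brave, Opera and Vivaldi carry their own version numbers.

```python
import re
from typing import Optional, Tuple

# Fixed Chrome builds for CVE-2025-2783 on Windows, as named in the advisory.
FIXED_VERSIONS = ("134.0.6998.177", "134.0.6998.178")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version (major.minor.build.patch) into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def extract_version(text: str) -> Optional[str]:
    """Pull the first four-field version out of free text, e.g. the
    'Google Chrome 134.0.6998.177 (Official Build) (64-bit)' line on chrome://version."""
    m = re.search(r"\b(\d+\.\d+\.\d+\.\d+)\b", text)
    return m.group(1) if m else None


def is_patched(version: str) -> bool:
    """True if the build is at or above the earliest fixed build.
    Chrome versions compare numerically field by field, so a later major
    release (e.g. 135.x) also counts as patched."""
    earliest_fix = min(FIXED_VERSIONS, key=parse_version)
    return parse_version(version) >= parse_version(earliest_fix)


def assess(text: str) -> str:
    """Human-readable verdict for a chrome://version line (or any text holding a version)."""
    version = extract_version(text)
    if version is None:
        return "unknown: no Chrome version string found"
    status = "patched" if is_patched(version) else "VULNERABLE - update Chrome"
    return f"{version}: {status}"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real machine.
    for sample in ("Google Chrome 134.0.6998.89 (Official Build) (64-bit)",
                   "Google Chrome 134.0.6998.178 (Official Build) (64-bit)",
                   "Google Chrome 135.0.7049.42 (Official Build) (64-bit)"):
        print(assess(sample))
```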
Indicators of a State-Sponsored Attack
This type of zero-day exploitation is indicative of a technically sophisticated targeted attack, and it almost certainly points to a state-sponsored APT group.
"All the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack," noted Boris Larin and Igor Kuznetsov.
Kaspersky's research highlights the threat's complexity and the importance of staying alert and applying software updates promptly.