
Google Patches Chrome Sandbox Escape Zero-Day Caught by Kaspersky

The vulnerability, tracked as CVE-2025-2783, was chained with a second exploit for remote code execution in attacks targeting organizations in Russia.

Google late Tuesday rushed out a patch for a sandbox escape in its flagship Chrome browser after researchers at Kaspersky caught a professional hacking operation launching drive-by download exploits.

The vulnerability, tracked as CVE-2025-2783, was chained with a second exploit for remote code execution in what appears to be a nation-state-sponsored cyberespionage campaign targeting organizations in Russia.

Kaspersky said it detected a series of infections triggered by phishing emails in the middle of March and traced the incidents to a zero-day that fired when victims simply clicked on a booby-trapped website from a Chrome browser.

The Russian anti-malware vendor said victims merely had to click on a personalized, short-lived link, and their systems were compromised when the malicious website was opened in Chrome.

Kaspersky said its exploit detection tools picked up on the zero-day, and after reverse-engineering the code, the team reported the bug to Google and coordinated the fix released on Tuesday.

The cyberespionage campaign, dubbed Operation ForumTroll, targets Russian organizations, including media outlets, educational institutions, and government agencies.

According to Kaspersky’s documentation, the email phishing lures were disguised as invitations from a scientific forum called “Primakov Readings” and were designed to trick victims into downloading additional malicious code.

While the initial exploit was designed to escape Chrome’s sandbox, it was also intended to work with another exploit that enables remote code execution. Kaspersky said it was unable to obtain the second exploit, but patching the zero-day effectively disrupted the entire attack chain.

“We have discovered and reported dozens of zero-day exploits actively used in attacks, but this particular exploit is certainly one of the most interesting we’ve encountered,” Kaspersky said. “The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.”

The Kaspersky researchers said the cause was “a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system.”

The company said it is delaying the publication of technical details of the bug until the majority of Chrome users have applied the latest patch.

“All the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack,” the company said.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
