Kaspersky has identified and helped patch a sophisticated zero-day vulnerability in Google Chrome that allowed attackers to bypass the browser’s sandbox protection system.

The exploit, discovered by Kaspersky’s Global Research and Analysis Team (GReAT), required no user interaction beyond clicking a malicious link and demonstrated exceptional technical complexity.

Kaspersky researchers have been acknowledged by Google for discovering and reporting this vulnerability.

In mid-March 2025, Kaspersky detected a wave of infections triggered when users clicked personalised phishing links delivered via email. After clicking, no additional action was needed to compromise their systems.

Once Kaspersky’s analysis confirmed that the exploit leveraged a previously unknown vulnerability in the latest version of Google Chrome, Kaspersky swiftly alerted Google’s security team. A security patch for the vulnerability was released on 25 March 2025.

Kaspersky researchers dubbed the campaign “Operation ForumTroll”, as attackers sent personalised phishing emails inviting recipients to the “Primakov Readings” forum. These lures targeted media outlets, educational institutions, and government organisations in Russia. The malicious links were extremely short-lived to evade detection, and in most cases ultimately redirected to the legitimate website for “Primakov Readings” once the exploit was taken down.

The zero-day vulnerability in Chrome was only part of a chain that included at least two exploits: a still-unobtained remote code execution (RCE) exploit that apparently launched the attack, and the sandbox escape discovered by Kaspersky, which constituted the second stage. Analysis of the malware’s functionality suggests the operation was designed primarily for espionage. All evidence points to an Advanced Persistent Threat (APT) group.

“This vulnerability stands out among the dozens of zero-days we’ve discovered over the years,” says Boris Larin, principal security researcher at Kaspersky GReAT. “The exploit bypassed Chrome’s sandbox protection without performing any obviously malicious operations – it’s as if the security boundary simply didn’t exist.

“The technical sophistication displayed here indicates development by highly skilled actors with substantial resources. We strongly advise all users to update their Google Chrome and any Chromium-based browser to the latest version to protect against this vulnerability.”