Google patches critical Chrome zero-day exploited in journalist-targeting hack campaign

The company is aware of 'in-the-wild' exploits of the bug

Vulnerability exploited in hacking campaign aimed at Russian journalists and academics


Google has issued an urgent update for its Chrome browser on Windows, addressing a critical zero-day vulnerability (CVE-2025-2783) that was actively exploited in a targeted hacking campaign aimed at journalists and educational institution employees, primarily in Russia.

The vulnerability, discovered and reported by cybersecurity firm Kaspersky earlier this month, allowed attackers to bypass Chrome's sandbox protections, effectively granting them access to victims' computer data.

Google confirmed that it was aware of "in-the-wild" exploits of the bug.

The vulnerability affected all browsers built on Google's Chromium engine, not just Chrome.

Google has initiated a phased rollout of the Chrome update, urging users to update their browsers as soon as the patch becomes available to mitigate the risk of compromise.

The updates will be distributed over the coming days and weeks.

According to Kaspersky, the campaign, dubbed Operation ForumTroll, appears to be part of a state-sponsored advanced persistent threat (APT) operation aimed at espionage, primarily targeting Russian media outlets and educational institutions.

The attack began with personalised phishing emails that lured victims by masquerading as invitations to the prestigious "Primakov Readings" scientific and expert forum.

Once recipients clicked the malicious link embedded in these emails, the attackers' website automatically opened in the Google Chrome browser.

"No further action was required" for the victim "to become infected," Kaspersky stated.

Upon analysing and reverse-engineering the exploit's logic, the researchers identified a zero-day vulnerability (CVE-2025-2783) in Google Chrome, which allowed the attackers to effortlessly escape Chrome's sandbox – an essential security mechanism designed to isolate browser processes and prevent malicious code from affecting the system.

"We have discovered and reported dozens of zero-day exploits actively used in attacks, but this particular exploit is certainly one of the most interesting we've encountered," the researchers said.

"The vulnerability CVE-2025-2783 really left us scratching our heads, as, without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome's sandbox protection as if it didn't even exist."

The researchers found that the vulnerability stemmed from a logical error at the intersection of Google Chrome's sandbox and the Windows operating system, enabling attackers to achieve privilege escalation with minimal effort.

Kaspersky reported its findings to Google's security team, allowing them to quickly address the vulnerability.

Within days, Google released a patch on 25th March 2025, fixing the flaw and preventing further exploitation.

Kaspersky's ongoing investigation suggests that the ultimate objective of Operation ForumTroll was espionage. The malicious emails primarily targeted Russian media outlets and educational institutions, a pattern consistent with intelligence-gathering operations by nation-state actors.

"All the attack artifacts analyzed so far indicate high sophistication of the attackers, allowing us to confidently conclude that a state-sponsored APT group is behind this attack," Kaspersky reported.

Although the initial malicious link is no longer active and now redirects to the legitimate "Primakov Readings" website, Kaspersky has advised extreme caution when encountering suspicious emails or links.

While Kaspersky successfully identified and neutralised the zero-day Chrome sandbox exploit, the full attack chain has not been recovered. Researchers noted that the exploit was designed to work alongside an additional, unidentified exploit enabling remote code execution (RCE). Kaspersky was unable to obtain this second exploit, as doing so would have required exposing users to further waves of attacks.

Kaspersky plans to release the technical details of CVE-2025-2783 after the majority of users have updated to the patched version of Chrome.