Mar 26, 2025 | Ravie Lakshmanan | Browser Security / Vulnerability

Google has issued emergency fixes to address a severe security vulnerability in its Chrome browser for Windows, which the company has confirmed is being actively exploited in attacks targeting organizations in Russia.

The vulnerability, identified as CVE-2025-2783, is described as an instance of “incorrect handle provided in unspecified circumstances in Mojo on Windows.” Mojo is a set of runtime libraries that facilitate inter-process communication (IPC) across different platforms.

As is standard practice, Google has not disclosed further technical details about the nature of the attacks, the identities of the threat actors involved, or the specific targets. The vulnerability has been patched in Chrome version 134.0.6998.177/.178 for Windows.

Google has acknowledged that it is aware of reports indicating the existence of an exploit for CVE-2025-2783 in the wild.

It is noteworthy that CVE-2025-2783 is the first actively exploited Chrome zero-day vulnerability reported this year. The vulnerability was discovered and reported by Kaspersky researchers Boris Larin and Igor Kuznetsov on March 20, 2025.

Kaspersky has characterized the zero-day exploitation of CVE-2025-2783 as a technically sophisticated targeted attack, suggesting the involvement of an advanced persistent threat (APT) group. The company is tracking this activity under the name Operation ForumTroll.

According to the researchers, “in all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers’ website was opened using the Google Chrome web browser. No further action was required to become infected.”

The vulnerability essentially stems from a logical error at the intersection of Chrome and the Windows operating system, allowing attackers to bypass the browser’s sandbox protection.

The phishing emails, which were highly personalized and targeted, had the ultimate goal of espionage. The malicious emails purportedly contained invitations from the organizers of a legitimate scientific and expert forum, Primakov Readings.

The phishing campaign primarily targeted media outlets, educational institutions, and government organizations in Russia. Furthermore, the exploit for CVE-2025-2783 is designed to be used in conjunction with an additional exploit that enables remote code execution. However, Kaspersky was unable to obtain the second exploit.

Based on the analysis of attack artifacts, Kaspersky concluded that the attackers exhibited a high level of sophistication, indicating that a state-sponsored APT group is likely behind this attack.
