Today’s Topics:
- Chrome Zero-Day Exploited Through Spyware Built by Hacking Team Successor
- Persistent Hidden Commands Found in ChatGPT Atlas Browser Memory
- How can Netizen help?
Chrome Zero-Day Exploited Through Spyware Built by Hacking Team Successor
A zero-day vulnerability in Google Chrome has been tied to a spyware operation run by Memento Labs, the rebranded successor of the notorious Hacking Team. The flaw, identified as CVE-2025-2783, was discovered by Kaspersky researchers earlier this year and used in a campaign known as Operation ForumTroll. The attackers targeted both government and private sector organizations in Russia and Belarus, deploying a spyware tool called Dante.
After the 2015 breach that exposed Hacking Team’s internal files and source code, many believed the company was finished. In 2019, it was acquired by IntheCyber Group and relaunched under a new name: Memento Labs. By 2023, the company unveiled Dante, a new surveillance platform that analysts now say is a direct evolution of the old Remote Control Systems (RCS) spyware.
Kaspersky’s report revealed that despite claims of a clean restart, Dante contains striking similarities to Hacking Team’s earlier work. This finding highlights how the commercial spyware industry has persisted through name changes and acquisitions, continuing to supply tools for government-linked surveillance.
The attacks began through targeted phishing messages containing short-lived links. Once clicked, they delivered a Chrome exploit that used an unusual quirk in Windows to bypass browser sandboxing. Boris Larin, principal security researcher at Kaspersky, explained that the vulnerability involved how Windows handles pseudo handles, or constant values representing objects inside privileged processes.
By exploiting this flaw, attackers managed to disable Chrome’s sandbox protections and execute malicious code without triggering alarms. Larin described the exploit as one of the most unusual sandbox escapes Kaspersky has ever encountered, warning that the same logic flaw might exist in other Windows services or applications. He also called the DuplicateHandle API a dangerous function that should reject pseudo handles altogether to prevent privilege escalation.
The spyware behind the campaign, Dante, was heavily protected by VMProtect, an obfuscation tool that makes reverse engineering difficult. Every string within the code was encrypted, though once decrypted, researchers found unmistakable indicators that tied the program to Memento Labs.
According to Kaspersky, the spyware was not directly observed in Operation ForumTroll but was linked to other attacks involving the same infrastructure and coding patterns. These overlaps suggest that Memento’s spyware ecosystem has been active since at least 2022, operating quietly through multiple campaigns.
The case demonstrates how commercial spyware vendors continue to drive zero-day exploitation across widely used platforms such as Chrome and iOS. Companies like Memento Labs operate under the guise of providing lawful surveillance tools, yet their products often end up in politically motivated campaigns that target journalists, activists, and foreign government entities.
Public exposure and company rebranding have done little to slow this market. Despite the downfall of Hacking Team a decade ago, its descendants continue to build and sell advanced intrusion frameworks. Each reappearance underscores the difficulty of dismantling the commercial spyware ecosystem, which thrives on the global demand for offensive cyber capabilities.
Persistent Hidden Commands Found in ChatGPT Atlas Browser Memory
Security researchers have disclosed a vulnerability in OpenAI’s ChatGPT Atlas browser that can let attackers inject persistent, hidden instructions into the assistant’s memory and trigger arbitrary code execution. LayerX Security reported the flaw after demonstrating how a cross-site request forgery exploit can write attacker-supplied instructions into ChatGPT memory. Those instructions can survive across devices and sessions and execute when a user later interacts with the assistant.
LayerX co-founder and CEO Or Eshed described the threat as capable of infecting systems with malicious code, elevating attacker privileges, or deploying malware. Michelle Levy, head of security research at LayerX, said their tests showed that once memory was tainted, normal user prompts sometimes triggered code fetches, privilege escalations, or data exfiltration without obvious safeguards activating.
The problem hinges on two features. First, memory, introduced by OpenAI in February 2024, is meant to persist helpful user details between chats so responses feel more personalized. Second, the Atlas browser’s current defenses against phishing and web-based attacks appear weaker than those of established browsers, which makes it easier for an authenticated user to be tricked into a harmful action. LayerX’s testing against more than 100 real-world web threats found that Edge blocked 53 percent, Chrome blocked 47 percent, and Dia blocked 46 percent. In comparison, Perplexit’s Comet and ChatGPT Atlas blocked only 7 percent and 5.8 percent respectively.
The attack scenario LayerX demonstrated follows a simple chain. A logged-in user is socially engineered into visiting a malicious page. That page issues a CSRF call that writes hidden instructions into ChatGPT’s persistent memory. Later, when the user asks ChatGPT to assist with a legitimate task, the assistant consults the tainted memory and may act on the hidden instructions. LayerX withheld some low-level details while sharing proof-of-concept behavior with reporters.
The implications extend beyond single sessions. Because the poisoned memory can travel with the user profile, any device where that profile is active may inherit the compromise. This creates opportunities for attackers to contaminate development workflows or automated tasks by slipping commands into code suggestions or prompt templates. NeuralTrust and others have already shown how prompt injection and malicious URLs can break an agent’s expected behavior; the Atlas memory flaw adds a lasting persistence vector.
Enterprises that rely on AI agents integrated into browser workflows should treat this class of issue as an operational risk. Developers and security teams can take several practical steps. Turn off persistent memory for high-risk accounts or for users who handle sensitive code and data. Limit ChatGPT access to segmented accounts that do not carry privileged credentials. Add monitoring for unexpected outbound code fetches and unusual command patterns originating from AI-assisted requests. Apply stricter phishing defenses, use browser isolation for AI browsing sessions, and require re-authentication for memory writes or other sensitive actions.
OpenAI and security vendors have both been notified of the findings. LayerX called out Atlas’s relative lack of anti-phishing protections as a major factor that increases exposure compared with mainstream browsers. Until browser vendors and AI platform operators add explicit controls to protect persistent memory, users should assume that any feature that stores instructions across sessions can be abused and should be treated with caution.
Security teams, product owners, and developers who integrate agentic browsers into workflows must evaluate how persistent memory is used and whether that usage can be hardened. Small configuration changes and stricter access controls can reduce immediate exposure, while longer term fixes will require design changes that separate stored user preferences from executable instructions and that prevent remote sources from silently modifying memory.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
