Google has patched a security flaw in its Chrome browser for Windows that cybercriminals exploited to infiltrate victims’ computers.
The vulnerability, identified as CVE-2025-2783, was discovered by Kaspersky security researchers earlier this month.
The flaw allowed attackers to bypass Chrome’s security barriers and access users’ data. Google confirmed that hackers were actively using this exploit before the fix was released, making it a zero-day vulnerability—one that is exploited before the software vendor has a chance to address it.
Kaspersky linked the attack to a campaign it calls “Operation ForumTroll”, in which victims received phishing emails disguised as invitations to a Russian global political summit. Clicking the embedded link redirected them to a malicious site that immediately exploited the Chrome bug to gain unauthorised access to their data.
According to Kaspersky, the attack primarily targeted Russian media professionals and employees at educational institutions. The goal appeared to be espionage, with hackers potentially working under a state-sponsored operation.
The security firm has not identified the perpetrators but said the attack showed the level of sophistication seen in government-backed cyber operations.
Zero-day vulnerabilities in browsers like Chrome are highly valuable to cybercriminals and intelligence agencies. Exploits that allow remote access to devices can fetch millions on the underground market. Last year, one exploit broker was offering up to $3 million for similar security flaws.
Google’s Response and Security Patch
Google has now issued an update that brings Chrome for Windows to version 134.0.6998.177/.178, which will reach users over the coming days. The fix was contributed by Boris Larin (@oct0xor) and Igor Kuznetsov (@2igosha) of Kaspersky, who first reported the issue on March 20, 2025.
The company is keeping full details of the vulnerability under wraps until the majority of users receive the update. In some cases, Google restricts information when a bug affects third-party software that has yet to be patched.
While Google has resolved the issue, users are still at risk if they have not updated their browsers. Cybercriminals actively exploited this flaw, and any delay in applying the patch could leave systems exposed.
Google has urged users to update Chrome as soon as possible, stating, “We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”
For those still using outdated versions, the Extended Stable Channel has also been updated to 134.0.6998.178 to provide security fixes.