Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks
Google has issued an emergency security update to patch a high-severity zero-day vulnerability in Chrome that has been exploited in the wild. The flaw, tracked as CVE-2025-2783 (CVSS score: 8.3), was used in a cyber espionage campaign against organisations in Russia.

Zero-Day Exploit Details
The vulnerability is not in V8, the JavaScript engine, but in Mojo, Chrome's inter-process communication layer, on Windows: a logic error at the boundary between Chrome's sandbox and the Windows operating system means an incorrect handle is provided under certain circumstances, which let the attackers walk out of the sandbox without performing any action the sandbox would normally block. A sandbox escape is only useful in combination with a renderer compromise, and Kaspersky reported that the attack chain also used a second exploit for remote code execution that it was unable to recover. Once outside the sandbox the attackers could run code on the host, deploy malware and conduct surveillance. Google's advisory states that it is aware of reports that an exploit for CVE-2025-2783 exists in the wild; Kaspersky observed it delivered through personalised phishing emails whose link, opened in Chrome, infected the machine with no further user interaction.

It's worth noting that CVE-2025-2783 is the first actively exploited Chrome zero-day of 2025. Kaspersky researchers Boris Larin and Igor Kuznetsov are credited with discovering and reporting the bug on March 20, 2025.

Espionage Campaign Attribution
Kaspersky attributed the activity to a sophisticated state-sponsored APT group with espionage goals and named the campaign Operation ForumTroll, after the lure: invitations to the Primakov Readings, a political and economic forum. The targets were Russian media outlets, educational institutions and government organisations. The group's country of origin has not been publicly attributed.

Google's Response and Mitigation
Google shipped the fix in Chrome 134.0.6998.177/.178 for Windows on March 25, 2025. The bug is Windows-specific, so macOS and Linux builds were not affected by this issue; other Chromium-based browsers on Windows (Edge, Brave, Opera, Vivaldi) pick the fix up in their own releases. Users are strongly advised to update immediately and to relaunch the browser, because a downloaded update does not take effect until Chrome restarts.
How to Update Chrome:
Open Chrome.
Click on the three-dot menu in the top right corner.
Navigate to Help > About Google Chrome.
Chrome will automatically check for updates and install the latest version. Click Relaunch when it appears: the downloaded build is not in use until the browser restarts. After relaunching, confirm that the version shown is 134.0.6998.177 or later.
Additional precautions:
Enable automatic updates so that security patches are applied promptly.
Use endpoint protection that detects and blocks malicious behaviour, not just known files.
Subscribe to threat intelligence feeds to stay informed about emerging threats.
Avoid clicking suspicious links or downloading unknown files.
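Checking one browser through the About page does not scale, and comparing version strings by hand is error-prone. The following Python script is an added example (not Google's code or the article's): it compares Chrome build numbers numerically against the fixed Windows build, 134.0.6998.177 from Google's advisory, over a constructed inventory export and, where possible, the local machine. The registry location used on Windows (HKCU\Software\Google\Chrome\BLBeacon) and the host names are assumptions for the demo.

```python
"""Fleet check for CVE-2025-2783: is each Chrome build at or above the fixed one?

Added example, not Google's code or the article's. The fixed build number
(134.0.6998.177, the Windows Stable release of 25 March 2025) comes from
Google's advisory; the registry location and the inventory lines are
assumptions/constructed data for the demo.
"""
import re
import subprocess
import sys
from typing import Optional

FIXED_VERSION = "134.0.6998.177"


def parse_version(text: str) -> tuple:
    """Pull a four-part Chrome version out of free text and return it as ints.

    Comparing the strings is wrong: "134.0.6998.89" > "134.0.6998.177"
    lexically because "8" > "1", although build 89 is older than 177.
    """
    m = re.search(r"(\d+(?:\.\d+){3})", text)
    if not m:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(version) >= parse_version(fixed)


def local_chrome_version() -> Optional[str]:
    """Best-effort read of the locally installed version; None if not found."""
    if sys.platform == "win32":
        try:  # assumed location: HKCU\Software\Google\Chrome\BLBeacon, value "version"
            import winreg
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Google\Chrome\BLBeacon") as k:
                return winreg.QueryValueEx(k, "version")[0]
        except OSError:
            return None
    for exe in ("google-chrome", "google-chrome-stable", "chromium"):
        try:
            out = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0:
            return out.stdout.strip()
    return None


def hosts_needing_update(inventory: str) -> list:
    """Take 'hostname<TAB>version' lines (as exported from an asset system)
    and return the hosts below the fixed build, oldest build first."""
    behind = []
    for line in inventory.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, ver = line.split("\t", 1)
        if not is_patched(ver):
            behind.append((parse_version(ver), host))
    return [host for _, host in sorted(behind)]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """\
# host\tchrome_version
ws-01\tGoogle Chrome 134.0.6998.89
ws-02\t134.0.6998.177
ws-03\t134.0.6998.178
ws-04\t133.0.6943.142
ws-05\t135.0.7049.42
"""

if __name__ == "__main__":
    print("hosts still exposed:", hosts_needing_update(SAMPLE_INVENTORY))
    local = local_chrome_version()
    if local:
        print(local, "-> patched" if is_patched(local) else "-> NOT patched, update and relaunch")
```

Note that the version reported by the registry or by `--version` is the installed build, which is only the running build once Chrome has been relaunched; an open browser that has downloaded the update still executes the old code.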
Ongoing Threat Monitoring
While Google has patched this specific vulnerability, the actors behind campaigns like this one continue to adapt their tooling. Organisations should remain vigilant and apply cyber security best practices to defend against evolving threats.
For real-time updates on cyber security threats and mitigation strategies, stay connected with threat intelligence platforms and security advisories.
Cyber security is facing a growing challenge: malware that is written with the help of artificial intelligence and that changes its form on every copy (polymorphism). These threats use AI tools to generate code and alter their own appearance to slip past signature-based antivirus, and they have moved from small experiments to a real problem.

AI-Generated Malware
General-purpose AI assistants such as ChatGPT and DeepSeek, built to help with everyday tasks, can be coaxed into producing malware. Attackers use carefully worded prompts to get around the safety limits, asking the model to "pretend" it is a hacker or to write the code "for a test". The model is not reasoning about harm; it predicts the most likely next tokens from its enormous training corpus, so a prompt that makes harmful code look like the expected continuation gets harmful code. For instance, SentinelOne showed ChatGPT producing a keylogger (a program that silently records keystrokes), fetched through OpenAI's API and run immediately on the machine. DeepSeek R1, pushed with similar prompts, produces rough versions of ransomware (software that encrypts files and demands payment) and keyloggers that hide their logs, needing only minor fixes to work. GhostGPT, an uncensored chatbot sold on Telegram and believed to wrap a jailbroken ChatGPT or an open-source model, churns out phishing emails and attack tooling on demand. Malware that re-queries a model at run time, adapting its code to the environment it lands in, stays ahead of detection that depends on a fixed sample.

Polymorphic Malware
Polymorphic malware changes its appearance every time it spreads, so antivirus cannot match it against a fixed "fingerprint" (a byte signature or file hash). It does this with a mutation engine that re-encrypts the payload under a fresh key, inserts dead code, reorders blocks or rewrites instructions in equivalent ways, while the decoded payload behaves identically. Adrozek, a browser-modifying family documented by Microsoft in December 2020, was served from 159 domains hosting more than 15,300 unique polymorphic samples; it injected ads into search results and stole credentials. VirLock spread through shared applications and cloud storage, encrypting files for ransom while hiding its true form. SquareX's "polymorphic extensions" research shows Chrome extensions that start harmless, such as an AI helper, then morph to impersonate trusted tools (e.g. crypto wallets), disabling the real ones to capture data. The browser trusts the extension at install time and does not catch the later change. AI makes the scrambling automatic, creating a fresh variant for every victim.

The Perfect Storm: AI Meets Polymorphism
When AI generation is combined with polymorphism the two problems compound. BlackMamba shows how: a harmless-looking program contacts OpenAI's API during the attack, pulls down freshly generated keylogger code and runs it straight from memory, never writing it to the disk where file-scanning antivirus looks. Each run asks for new code, or re-encrypts what it has, so no two copies share a signature. Attackers can also hide command-and-control traffic ("invisible C2") in everyday web traffic, such as ordinary-looking HTTPS requests to api.openai.com, so nothing stands out in network logs. Researchers have suggested that orders could be embedded in AI-written emails, for example in the first letter of each word, keeping the real instructions out of sight. Some designs let the malware decide its next move on its own, removing the need for a control server entirely. SquareX's extensions add to this, changing on the fly to evade detection. This combination of AI-driven creation and constant shape-shifting pushes signature-based defences to their limit and calls for detection based on behaviour.
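To make the mutation-engine idea concrete, here is a toy polymorphic packer in Python, written for this article as an added example (it is not code from BlackMamba, Adrozek, VirLock or any other family named above). It applies the three transformations the text describes, re-encryption under a fresh key, block reordering and dead-code insertion, to a constructed, harmless payload, and then shows why a hash or byte-pattern signature misses every generation while a check on the unpacked result catches all of them. The junk byte strings and the blob layout are the example's own assumptions.

```python
"""Toy polymorphic packer: one payload, a different byte pattern on every copy.

Added example; not code from BlackMamba, Adrozek, VirLock or any other family
the article names. The payload is a harmless constructed string and the
unpacker is a Python function standing in for a decryption stub, which is
enough to show the defender's problem: hashes and byte signatures differ per
generation while the decoded payload, and therefore its behaviour, does not.
"""
import hashlib
import random

PAYLOAD = b"echo demo-payload"  # constructed stand-in for real payload code

# Byte strings that do nothing on x86 (nop; xchg eax,eax; mov eax,eax), used
# as dead-code filler between blocks. Only their presence matters here.
JUNK_OPS = [b"\x90", b"\x87\xc0", b"\x89\xc0"]


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mutate(payload: bytes, rng: random.Random) -> bytes:
    """Emit one generation: fresh key, shuffled block order, random junk.

    Layout: [klen][key][block][nblocks][total:2] then, per block,
            [idx][jlen][junk...][block bytes]
    """
    assert len(payload) < 65536 and len(payload) // 3 + 1 < 256
    key = bytes(rng.randrange(1, 256) for _ in range(rng.randrange(4, 17)))
    enc = xor(payload, key)                                  # 1. re-encrypt
    block = rng.randrange(3, 8)
    blocks = [enc[i:i + block] for i in range(0, len(enc), block)]
    order = list(range(len(blocks)))
    rng.shuffle(order)                                       # 2. reorder blocks
    body = b""
    for idx in order:
        junk = rng.choice(JUNK_OPS) * rng.randrange(0, 4)     # 3. dead-code insertion
        body += bytes([idx, len(junk)]) + junk + blocks[idx]
    header = (bytes([len(key)]) + key + bytes([block, len(blocks)])
              + len(payload).to_bytes(2, "big"))
    return header + body


def unpack(blob: bytes) -> bytes:
    """The stub's job: undo the three transformations above."""
    klen = blob[0]
    key = blob[1:1 + klen]
    p = 1 + klen
    block, nblocks = blob[p], blob[p + 1]
    total = int.from_bytes(blob[p + 2:p + 4], "big")
    p += 4
    parts = [b""] * nblocks
    for _ in range(nblocks):
        idx, jlen = blob[p], blob[p + 1]
        p += 2 + jlen                                        # skip the junk
        size = block if idx < nblocks - 1 else total - block * (nblocks - 1)
        parts[idx] = blob[p:p + size]
        p += size
    return xor(b"".join(parts), key)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def static_match(sample: bytes, signature: bytes = PAYLOAD) -> bool:
    """What a byte-pattern or hash signature sees: the raw file."""
    return signature in sample


def unpacked_match(sample: bytes, signature: bytes = PAYLOAD) -> bool:
    """What a detector that emulates the stub (or watches it run) sees."""
    return unpack(sample) == signature


def roundtrip(seed: int) -> bool:
    return unpack(mutate(PAYLOAD, random.Random(seed))) == PAYLOAD


def demo(generations: int = 5, seed: int = 7) -> dict:
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    samples = [mutate(PAYLOAD, rng) for _ in range(generations)]
    return {
        "unique_hashes": len({sha256(s) for s in samples}),
        "static_hits": sum(static_match(s) for s in samples),
        "unpacked_hits": sum(unpacked_match(s) for s in samples),
    }


if __name__ == "__main__":
    print(demo())  # 5 unique hashes, 0 static hits, 5 unpacked hits
```

The asymmetry in `demo()` is the whole point: every generation has a new hash and none contains the payload bytes, so a signature written against one sample is dead on arrival, whereas anything that observes the decoded payload (an emulator, a memory scan after the stub runs, or the behaviour that follows) sees the same thing every time. Real engines make the stub itself polymorphic too, which is why defenders lean on behaviour rather than on unpacking logic.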
Real-World Scenarios
BlackMamba: In 2023, HYAS Labs built a proof of concept that queried ChatGPT at run time for a fresh keylogger, fetched from OpenAI's API and executed in memory to capture keystrokes without leaving traces on disk. SentinelOne reported catching it by watching its behaviour.
Adrozek: Active since May 2020 and documented by Microsoft in December 2020, it was seen on more than 30,000 devices a day at its peak. Its distribution infrastructure of 159 domains hosted over 15,300 unique polymorphic samples; the malware modified browsers to inject ads, harvested credentials and persisted through system changes.
SquareX's Polymorphic Impersonators: Research published in March 2025 showed Chrome extensions that pose as benign tools, then impersonate crypto wallets or password managers to steal data, exploiting the browser's trust in an already-installed extension.
GhostGPT: Reported in January 2025, this uncensored chatbot sold on Telegram generates malware, phishing emails and attack tooling for anyone, with no conversation logs kept.
DeepSeek R1: Tests published in March 2025 coaxed the model into producing keyloggers and ransomware: rough drafts that hide logs or encrypt files, working after small manual fixes.
Cerber: Starting in 2016, this ransomware-as-a-service changed its code per campaign, was sold on underground forums and used sandbox-evasion checks to avoid analysis environments, encrypting files for payment.
Fighting Back: Mitigation That Works
AI-Powered Defence: Tools such as Microsoft Defender look for anomalous behaviour rather than a fixed pattern, which is how malware produced by GhostGPT or DeepSeek R1, or fetched at run time as BlackMamba does, gets caught.
Sandbox AI Code: Run AI-generated programs in an isolated environment and observe what they do before they run anywhere that matters.
Staff Training: AI-written phishing no longer carries the spelling mistakes people were taught to look for, so train teams to verify the sender and the request rather than judge the polish of the message.
Behaviour-Based Detection: Track what programs do as they run (network destinations, in-memory execution, keyboard hooks) to catch instructions hidden in otherwise normal traffic.
System Patching: Keep software updated to close the weaknesses these threats exploit.
Extension Audits: Check browser add-ons continuously, not only at install time, because SquareX's impersonation trick passes initial review.
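Behaviour-based detection is easier to reason about with a rule in front of you. The Python below is an added example (not Defender, Sysmon or any vendor's logic) that runs a small per-process state machine over endpoint telemetry and flags the BlackMamba sequence from the text: a connection to an LLM API host, followed shortly by code executed from memory with no file written, followed by a keyboard hook. The log format, the event names, the process IDs and the list of API hosts are all constructed or assumed for the demo; api.openai.com appears only because the article names it.

```python
"""Behaviour-based detection for the BlackMamba pattern, as an added example.

Runs a per-process state machine over endpoint telemetry. The log lines and
event vocabulary below are constructed for this demo (they are not Sysmon,
EDR or Defender output), and the API host list is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AI_API_HOSTS = {"api.openai.com", "api.anthropic.com", "api.deepseek.com"}  # assumed list
WINDOW = timedelta(minutes=5)  # how long a stage stays "live" before it expires

# Constructed telemetry: time|pid|image|event|detail
SAMPLE_LOG = """\
2025-03-27T09:00:01|880|slack.exe|net_connect|api.openai.com:443
2025-03-27T09:00:05|4120|python.exe|net_connect|api.openai.com:443
2025-03-27T09:00:06|4120|python.exe|http_response|application/json 2731 bytes
2025-03-27T09:00:07|4120|python.exe|mem_exec|exec() on 2731-byte buffer, no file written
2025-03-27T09:00:08|4120|python.exe|keyboard_hook|SetWindowsHookExW WH_KEYBOARD_LL
2025-03-27T09:02:00|2200|code.exe|mem_exec|JIT region RWX
2025-03-27T09:30:00|4120|python.exe|net_connect|api.openai.com:443
"""


def parse(line: str):
    ts, pid, image, event, detail = line.split("|", 4)
    return datetime.fromisoformat(ts), int(pid), image, event, detail


def detect(log_text: str) -> list:
    """Return alerts for processes that chain LLM-API fetch -> memory exec -> keyboard hook.

    A lone connection to an AI API (slack.exe here) is normal and raises nothing;
    a lone in-memory execution (a JIT in code.exe) is also normal. The sequence
    is what makes it a keylogger delivered by a language model.
    """
    state = defaultdict(dict)  # pid -> {stage: timestamp}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, event, detail = parse(line)
        st = state[pid]
        if event == "net_connect" and detail.split(":")[0] in AI_API_HOSTS:
            st["ai_fetch"] = ts
        elif event == "mem_exec" and "ai_fetch" in st and ts - st["ai_fetch"] <= WINDOW:
            st["mem_exec"] = ts
            alerts.append({"ts": ts, "pid": pid, "image": image, "severity": "medium",
                           "rule": "llm_api_fetch_then_memory_exec"})
        elif event == "keyboard_hook" and "mem_exec" in st and ts - st["mem_exec"] <= WINDOW:
            alerts.append({"ts": ts, "pid": pid, "image": image, "severity": "high",
                           "rule": "in_memory_keylogger_after_llm_fetch"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} pid={a['pid']} {a['image']} {a['severity']}: {a['rule']}")
```

Two design choices matter. The rule keys on a sequence inside one process, so a chat client talking to the same API or a JIT allocating executable memory on its own does not fire; and the time window bounds how long each stage stays valid, so a stale connection hours earlier cannot be paired with an unrelated event. Real telemetry will need the host to be taken from TLS SNI or DNS rather than from a tidy detail field, but the state-machine shape carries over unchanged.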
Conclusion
AI-generated and polymorphic malware are not just here, they are speeding up, hitting browsers, email and anything else they can reach. Every day they change, they test our defences, and the gaps are showing: encrypted files, stolen data, systems turned inside out. Waiting is not an option; we need to sharpen our tools and move fast to stay ahead. Tomorrow's fight starts today.
Phishing remains one of the most common and dangerous tactics used by malicious actors. Recently, a phishing campaign targeting Meta Business accounts has emerged that exploits the urgency and trust associated with social media platforms.

Nature of the attack
The campaign begins with an email masquerading as a critical alert from Meta, claiming that the recipient's ads have been temporarily suspended for violating advertising policies or GDPR. The email, designed to create urgency, prompts the user to click a link to resolve the issue. The link leads to a fraudulent page that closely mimics Meta's business support site.
Once on the fake landing page, victims are guided through a series of steps involving a deceptive chatbot or a supposed setup guide. The chatbot, appearing helpful, asks for sensitive information such as the business name, screenshots of Facebook Business settings, a contact number and personal profile details. The attacker's goal is to hijack the Meta Business account by enrolling their own authenticator app as the account's two-factor login method, which turns the victim's own security control into the attacker's means of keeping access.

Risk
The risks associated with this campaign are multifaceted and severe. Firstly, with their authenticator enrolled the attacker controls the account: they can bypass email-based recovery, lock the real user out and run ads from the compromised account. This can lead to significant financial losses, reputational damage and the spread of scams or malicious content to the victim's audience.
Moreover, the attacker can steal valuable audience data, which can be used for further attacks or sold on the dark web. The inclusion of live agent support in the phishing scheme adds another layer of deception, making it harder for users to judge whether the communication is legitimate. This approach underscores the importance of vigilance and scepticism when dealing with unsolicited communications.

Conclusion
The emergence of this campaign targeting Meta Business accounts highlights the evolving tactics of cyber criminals and the need for robust cyber security measures. Users must remain vigilant and verify the authenticity of emails and websites before providing any sensitive information. Employing multi-factor authentication, and periodically reviewing which authenticator apps and devices are enrolled on the account, regularly updating passwords and educating employees about phishing threats are crucial steps in mitigating the risk of such attacks.
The Human Risk Management module from Norm can educate users on how to spot a likely malicious link. With this education, users would not only be more aware of the tactics used by attackers but also able to exercise caution when clicking on suspicious links. It is also recommended to take a minute to assess a link before clicking and never to give anyone remote access to your device.
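"Assess a link before clicking" can be partly mechanised. The Python below is an added example (not Norm's or Meta's code) of the checks a mail gateway or a cautious user could apply to a link from a "your ads have been suspended" email: is the registrable domain actually Meta's, is a Meta brand term being used on someone else's domain, is a legitimate name placed as a subdomain of a look-alike, is there an @ or a bare IP, is the host punycode. The allow-list of legitimate domains, the brand-term list, the country-code second-level-domain table and the sample URLs are all assumptions or constructed for the demo and would be larger in practice.

```python
"""Triage of a link from a suspected Meta Business phishing email; added example.

Not code from Norm or Meta. LEGIT_DOMAINS, BRAND_TERMS and CC_SLDS are
deliberately short illustrative lists (assumptions); the sample URLs are
constructed and do not point at real sites.
"""
import ipaddress
from urllib.parse import urlparse

LEGIT_DOMAINS = {"facebook.com", "fb.com", "meta.com", "instagram.com", "messenger.com"}
BRAND_TERMS = ("meta", "facebook", "fb-", "business", "ads", "policy", "appeal")
CC_SLDS = {"co.uk", "com.au", "co.nz", "com.br", "co.jp"}  # public suffixes with 3 labels


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction (a real tool would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in CC_SLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_link(url: str) -> dict:
    findings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("not https")
    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address as host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("punycode/IDN host (possible homoglyph)")
    if "@" in parsed.netloc:
        findings.append("userinfo before host (@ trick)")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        verdict = "legitimate Meta domain"
    else:
        if any(term in host for term in BRAND_TERMS):
            findings.append(f"brand term in non-Meta domain {reg}")
        # e.g. business.facebook.com.ads-review.net: the real name sits LEFT of the real domain
        left = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
        if any(d in left for d in LEGIT_DOMAINS):
            findings.append(f"legitimate domain used as a subdomain of {reg}")
        verdict = "suspicious" if findings else "unknown domain"
    return {"host": host, "registrable": reg, "verdict": verdict, "findings": findings}


# Constructed sample links for the demo.
SAMPLE_LINKS = [
    "https://business.facebook.com/settings/",
    "https://meta-business-policy-appeal.com/verify",
    "http://business.facebook.com.ads-review.net/case/",
    "https://business.facebook.com@203.0.113.7/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = assess_link(link)
        print(f"{r['verdict']:24} {link}  {r['findings']}")
```

The check is a filter, not an oracle: a phishing page hosted on a compromised site with an innocuous domain comes back as "unknown domain", which is exactly when the human step in the text, pausing and navigating to Meta directly rather than through the email, still matters.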