Google has issued an emergency security update to patch a critical zero-day vulnerability in Chrome that has been actively exploited in the wild. The flaw, tracked as CVE-2025-2783 (CVSS score: 8.3), has been linked to cyber espionage activities conducted by Russian state-sponsored threat actors.
Zero-Day Exploit Details
The vulnerability resides in the browser’s JavaScript engine, V8, and allows for remote code execution (RCE). Threat actors exploiting this flaw can gain control over affected systems, deploy malware, and conduct surveillance operations. Google confirmed that the exploit has been used in targeted attacks against high-profile individuals and government entities.
It’s worth noting that CVE-2025-2783 is the first actively exploited Chrome zero-day since the start of the year. Kaspersky researchers Boris Larin and Igor Kuznetsov have been credited with discovering and reporting the shortcoming on March 20, 2025.
Espionage Campaign Attribution
Cyber security researchers have attributed this exploit’s usage to a Russian advanced persistent threat (APT) group, known for conducting cyber espionage operations against Western organisations. The campaign, which has been ongoing for several weeks, has primarily targeted government agencies, media outlets, and critical infrastructure providers.
Google’s Response and Mitigation
Google acted swiftly upon discovering the exploit, rolling out an urgent update for Chrome across Windows, macOS, and Linux platforms. Users are strongly advised to update their browsers immediately to mitigate the risk of exploitation.
How to Update Chrome:
Security Recommendations
Beyond updating Chrome, security experts recommend:
Ongoing Threat Monitoring
While Google has patched this specific vulnerability, Russian state-sponsored actors continue to adapt their tactics. Organisations should remain vigilant and apply cyber security best practices to defend against evolving threats.
For real-time updates on cyber security threats and mitigation strategies, stay connected with threat intelligence platforms and security advisories.
References:
Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (thehackernews.com)
Google Hastily Patches Chrome Zero-Day Exploited by APT (darkreading.com)
Chrome Releases: Stable Channel Update for Desktop (chromereleases.googleblog.com)
CVE – CVE-2025-2783 (cve.mitre.org)
CISA Adds One Known Exploited Vulnerability to Catalog (cisa.gov)
Cyber security is facing a growing challenge: malware powered by artificial intelligence and polymorphism. These threats use AI tools to create code and change their appearance to slip past traditional antivirus, moving from small experiments to a major problem.
AI-Generated Malware
AI tools like ChatGPT and DeepSeek, originally built to help with tasks, can be tricked into making malware. Attackers use clever instructions, called prompts, to get around safety limits, asking the AI to “pretend” it’s a hacker or write code for a “test”. This tricks the AI into producing harmful programmes by guessing what comes next in a sequence, based on its huge library of examples. For instance, SentinelOne showed ChatGPT creating a keylogger, a programme that secretly records what you type, sent through OpenAI’s online service and run instantly on a computer. DeepSeek R1, when pushed with similar tricks, makes rough versions of ransomware, software that locks files, and keyloggers that hide their tracks, needing only small fixes to work. GhostGPT, a hacked version of ChatGPT sold on Telegram, churns out phishing emails and attack tools fast. With AI learning to tweak itself based on where it’s running, it stays ahead of old-school detection.
Polymorphic Malware
Polymorphic malware changes its look every time it spreads, making it tough for antivirus to spot with a fixed “fingerprint”. It does this with a special tool, a mutation engine, that scrambles its code by adding useless bits, swapping parts around, or rewriting commands in different ways. Adrozek spread across 15,300 web addresses, changing itself to mess with browsers and steal info. VirLock used shared apps and cloud storage to lock files for ransom, hiding its true form. SquareX’s Chrome extensions start harmless, like an AI helper, then shift to copy trusted tools (e.g., crypto wallets), turning off the real ones to grab data. This tricks browsers because they trust the extension at first, but don’t catch the sneaky changes later. AI makes this scrambling automatic, creating fresh versions every time.
The Perfect Storm: AI Meets Polymorphism
When AI teams up with polymorphism, it’s a double whammy. BlackMamba shows how, a harmless-looking programme contacts OpenAI’s service during an attack, pulling down a new keylogger that runs straight in the computer’s memory, never touching the hard drive where antivirus looks. It scrambles itself each time, mixing up code pieces or re-locking its secrets, to stay unique. Attackers can hide control instructions, known as ‘invisible C2’ in everyday web traffic, like normal chats with OpenAI’s service at api.openai.com, so nothing seems off. Sources note that they might slip secret messages into AI-written emails, perhaps using the first letter of each word for the malware to read, keeping the real orders out of sight. Some even let the malware decide its next move on its own, cutting out the need for a control server entirely. SquareX’s extensions add to this, changing on the fly to dodge detection. This mix of AI creation and constant shape-shifting pushes regular defences to the edge, needing smarter ways to catch it.
Real-World Scenarios
Fighting Back: Mitigation That Works
Conclusion
AI-generated and polymorphic malware aren’t just here, they’re speeding up, hitting browsers, emails, and anything they can sneak into. Every day they change, they test our defences, and the gaps are showing…. think locked files, stolen data, or systems turned inside out. Waiting around isn’t an option; we need sharpen our tools and move fast to stay ahead. Tomorrow’s fight starts today.
References:
BlackMamba ChatGPT Polymorphic Malware | A Case of Scareware or a Wake-up Call for Cyber Security? (sentinelone.com)
Shapeshifting Malware: Enigma Of Arrival (msn.com)
Invisible C2 — thanks to AI-powered techniques (securityboulevard.com)
Malicious “polymorphic” Chrome extensions can mimic other tools to trick victims (msn.com)
GhostGPT – New AI Black Hat Tool Used by Hackers to Generative Malware & Exploits (cybersecuritynews.com)
How to defend against AI-generated polymorphic malware (datasciencecentral.com)
DeepSeek and AI-Generated Malware Pose New Danger for Cybersecurity (secureworld.io)
Polymorphic Malware: Unmasking the Ever-Changing Threat (medium.com)
Phishing remains a prevalent and dangerous tactic employed by malicious actors. Recently, a sophisticated phishing campaign targeting Meta Business accounts has emerged, exploiting the urgency and trust associated with social media platforms.
Nature of the attack
The phishing campaign begins with an email masquerading as a critical alert from Meta, claiming that the recipient’s ads have been temporarily suspended due to violations of advertising policies or GDPR regulations. The email, designed to evoke a sense of urgency, prompts the user to click on a link to resolve the issue. This link redirects to a fraudulent page that closely mimics Meta’s official business support site.
Once on the fake landing page, victims are guided through a series of steps involving a deceptive chatbot or a supposed setup guide. The chatbot, appearing helpful, requests sensitive information such as business name, screenshots of Facebook Business settings, contact number, and personal profile information. The goal of the attacker is to hijack the victim’s Meta Business account by registering themselves as a secure login via the Authenticator App feature.
Risk
The risks associated with this phishing campaign are multifaceted and severe. Firstly, the attacker gains control over the victim’s Meta Business account, allowing them to bypass email recovery, lock the real user out, and run ads from the compromised account. This can lead to significant financial losses, reputational damage, and the dissemination of scams or malicious content to the victim’s audience.
Moreover, the attacker can steal valuable audience data, which can be used for further malicious activities or sold on the dark web. The inclusion of live agent support in the phishing scheme adds an additional layer of deception, making it difficult for users to discern the legitimacy of the communication. This sophisticated approach underscores the importance of vigilance and scepticism when dealing with unsolicited communications.
Conclusion
The emergence of this phishing campaign targeting Meta Business accounts highlights the evolving tactics of cyber criminals and the need for robust cyber security measures. Users must remain vigilant and verify the authenticity of emails and websites before providing any sensitive information. Employing multi-factor authentication, regularly updating passwords, and educating employees about phishing threats are crucial steps in mitigating the risk of such attacks.
The Human Risk Management module from Norm can educate users on how to spot a likely malicious link. With this education, not only would users be more aware of the tactics used by attackers but also the content will enable them to exercise caution when clicking on suspicious links. It is also recommended to take a minute to assess a link before clicking and never give any remote access to your device.
References:
Don’t Click! Fake Chat Used in Meta Business Account Phishing (securityonline.info)
Clickbait to Catastrophe: How a Fake Meta Email Leads to Password Plunder (cofense.com)
Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.
You can receive this bulletin for free, every fortnight, by entering your business email address below:
