(Gabby Jones/Bloomberg via Getty Images)
Google has patched a previously unknown vulnerability in the Chrome browser that was used to deliver spyware to Russian users.
The zero-day vulnerability, dubbed CVE-2025-2783, created an attack that could infect a Windows PC if the user clicked on a malicious link, according to antivirus provider Kaspersky, which discovered the threat.
"In mid-March 2025, Kaspersky detected a wave of infections triggered when users clicked personalized phishing links delivered via email,” the company said. “After clicking, no additional action was needed to compromise their systems.”
The flaw involves "a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system"—the Mojo programming language for Windows, Kaspersky added in a blog post.
Moscow-based Kaspersky also says the hackers behind the attack targeted Russian users by sending phishing emails to “media outlets, educational institutions, and government organizations in Russia." The emails invited recipients to attend the Primakov Readings, an international summit focused on politics and economics that’ll be held in Moscow in June.
(Credit: Kaspersky)“The malicious links were extremely short-lived to evade detection, and in most cases ultimately redirected to the legitimate website for ‘Primakov Readings’ once the exploit was taken down,” Kaspersky said.
The antivirus provider also suspects a state-sponsored hacking group engineered the attack, which can bypass the “sandbox” protections on Chrome designed to isolate malware.
“The technical sophistication displayed here indicates development by highly skilled actors with substantial resources. We strongly advise all users to update their Google Chrome and any Chromium-based browser to the latest version to protect against this vulnerability,” says Kaspersky security researcher Boris Larin.
Microsoft is also working on a fix for its Edge browser, which uses the Chromium engine.
It’s also possible the attack used a second zero-day vulnerability in Chrome. Kaspersky was only able to uncover details of the sandbox escape method for the attack — not the initial exploit used to trigger the remote code execution. “Fortunately, patching the vulnerability used to escape the sandbox effectively blocks the entire attack chain," the antivirus provider said.
Kaspersky reported its findings to Google last week. The search giant then released an emergency patch for Chrome on Windows on Tuesday, version 134.0.6998.178.
Kaspersky plans to release more details, including the spyware delivered, once most users have had a chance to install the patch.