Chrome Zero-Day Exploited by Spyware Vendor; ChatGPT Atlas Browser Flaw Revealed
Recent revelations highlight critical security threats impacting widely used browser environments. Multiple zero-day vulnerabilities in Google Chrome have been actively exploited in targeted attacks, with attribution linking activities to sophisticated threat actors including the Italian spyware vendor, Memento Labs. Concurrently, new exploits have been identified in AI-powered browsers, enabling attackers to plant persistent hidden commands through crafted URLs and manipulated content. These incidents underscore the sophisticated landscape of browser-based threats and the continuous need for vigilance and timely updates.
Chrome Zero-Day: Operation ForumTroll & Memento Labs Spyware
Vulnerability Overview
- CVE ID: CVE-2025-2783
- Severity: Critical (Actively Exploited Zero-Day)
- Vulnerability Type: Logic bug in Chromium's Mojo IPC system leading to sandbox escape
- Affected Component: Google Chrome browser and all Chromium-based browsers
- Affected Versions: Versions prior to Chrome 134.0.6998.177/.178
- Platforms: Windows, macOS, Linux, Android, iOS
- Exploitation Status: Actively exploited as a zero-day in targeted attacks (Operation ForumTroll)
- Discovery Date: Exploited in March 2025, disclosed October 27-28, 2025
- Discoverer: Kaspersky researchers
Technical Details
Kaspersky researchers revealed that a sophisticated Chrome zero-day vulnerability exploited earlier this year in Operation ForumTroll is linked to Memento Labs, the successor to the infamous Italian spyware vendor Hacking Team, as detailed by BleepingComputer and Security Affairs. This revelation exposes the ongoing threat from commercial spyware vendors in state-sponsored cyber-espionage operations.
The vulnerability exploits an obscure Windows operating system quirk involving pseudo handles. The attack chain demonstrates sophisticated technical capabilities:
- Attack Vector: Logic bug in Chromium's Mojo IPC (Inter-Process Communication) system
- Exploitation Method: Mishandling of Windows pseudo handles (-1, -2) returned by GetCurrentThread and GetCurrentProcess API functions. These special values represent the current thread or process but are not real handles. When passed between Chrome processes via Mojo IPC, they were not properly validated, allowing attackers to manipulate process handles.
- Impact: Allows attackers to bypass Chrome's robust sandbox protections and achieve full system compromise with arbitrary code execution
- Delivery: Targeted phishing emails with personalized, short-lived malicious links, as confirmed by Security.nl and CybersecurityNews.com. Simply clicking the link in any Chromium-based browser was sufficient to trigger infection—no downloads or additional user interaction required.
- Affected Systems: The vulnerability affects all Chromium-based browsers on Windows systems due to the Windows-specific pseudo handle behavior
The Dante Spyware Connection
Kaspersky traced the malware used in these attacks back to 2022, linking it to Dante, a commercial spyware product from Memento Labs. The investigation uncovered a multi-layered espionage infrastructure:
- LeetAgent Spyware: Initial-stage modular spyware using leetspeak-based commands (e.g., "ph0t0gr4ph" for screenshots, "w4lkm3" for directory traversal). Capabilities include:
  - Keylogging and clipboard monitoring
  - File theft targeting documents, PDFs, spreadsheets, and archives
  - Remote command execution
  - Screenshot capture
  - System information gathering
- Dante Spyware: Advanced commercial implant featuring:
  - VMProtect obfuscation for code protection
  - Sophisticated anti-debugging checks
  - Advanced anti-analysis techniques to evade detection
  - Comprehensive surveillance capabilities
- Attribution Confidence: High-confidence attribution based on code overlaps between the exploit delivery mechanism, malware loader, and Dante spyware samples
- Target Profile: Russian and Belarusian entities including:
  - Media outlets and journalists
  - Universities and research centers
  - Government organizations
  - Financial institutions
- Infrastructure: Attackers used compromised legitimate websites to host exploit code, making detection more difficult
Patch Information
Google released emergency security updates to address CVE-2025-2783:
- Patched Versions: Chrome 134.0.6998.177/.178 (released October 2025)
- Related Firefox Patch: Following Google's disclosure, Mozilla developers identified a similar sandbox escape pattern in Firefox's IPC code. Firefox addressed this with CVE-2025-2857, patched in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1
- Chromium-Based Browsers: All browsers based on Chromium (Microsoft Edge, Brave, Opera, Vivaldi) are affected and should be updated as vendor patches become available
- Update Method: Chrome updates typically roll out automatically. Users should manually verify through Settings > About Chrome to ensure immediate protection
Recommended Actions
- Update Chrome to version 134.0.6998.177/.178 or later immediately
- Update Firefox to 136.0.4 or later (Windows users)
- Update all Chromium-based browsers (Edge, Brave, Opera, Vivaldi)
- Enable Enhanced Safe Browsing in Chrome for additional protection
- Exercise extreme caution with unsolicited emails containing links, especially personalized messages
- Monitor for indicators of compromise including:
  - Suspicious Base64-named folders in system directories
  - Unusual browser behavior or performance degradation
  - Unexpected network connections from browser processes
  - New scheduled tasks or startup items
- Organizations should deploy endpoint detection and response (EDR) solutions to detect post-exploitation activities
- Review system logs for suspicious file operations targeting sensitive documents
Perplexity Comet Browser: Multiple Critical Vulnerabilities
Overview
Security researchers have uncovered fundamental security flaws in AI-powered "agentic" browsers that pose unprecedented risks to user privacy and security. The Perplexity Comet browser, which integrates AI assistance directly into web browsing, has been found to contain multiple critical vulnerabilities that allow attackers to manipulate the AI system and exfiltrate sensitive user data.
Vulnerability 1: Indirect Prompt Injection via Web Content
Vulnerability Details
- First Disclosed: August 20, 2025 by Brave Security Team, with updated findings published October 21, 2025 in Brave's security research blog
- Severity: Critical
- Attack Vector: Malicious instructions embedded in websites using hidden text techniques
- Status: Partially mitigated but fundamental vulnerability persists
Technical Details
This vulnerability exploits how AI-powered browsers process and interpret web content. The attack works as follows:
- Hidden Text Techniques: Attackers embed malicious instructions in websites using:
  - White text on white backgrounds (invisible to users)
  - HTML comments
  - Zero-width characters
  - CSS positioning to move text off-screen
- Attack Flow:
  - User navigates to a compromised website (e.g., a forum, blog, or legitimate site with injected content)
  - User asks Comet to "Summarize this webpage" or similar AI-assisted task
  - The browser feeds all webpage content—including hidden malicious instructions—directly to the LLM
  - The AI cannot distinguish between legitimate user commands and attacker-controlled instructions
  - Hidden commands execute with full user privileges
- Impact: Attackers can:
  - Steal account credentials from authenticated sessions
  - Extract one-time passwords (OTPs) from email or authenticator apps
  - Access data from other open tabs (Gmail, banking, corporate systems)
  - Exfiltrate sensitive information to attacker-controlled servers
  - Manipulate user data across connected services
- Real-World Example: A hidden command in a Reddit comment can instruct Comet to access Gmail in another tab, search for messages containing "verification code," extract the OTP, and send it to an attacker's server—all without user knowledge
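A pre-filter for the hidden-text carriers listed above, as an added example (not code from Brave, Perplexity or the original article): it removes HTML comments, zero-width characters and inline-style hidden elements before page text would be handed to a model, and reports what it dropped. It assumes inline styles only; `sanitize_for_llm`, `VisibleText` and the sample page are hypothetical names and constructed data.

```python
import re
from html.parser import HTMLParser

ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
VOID = {"br", "hr", "img", "input", "meta", "link", "wbr"}  # never get an end tag
# Inline-style patterns that hide text from a reader (heuristic, not exhaustive).
HIDING = [
    ("css-hidden", re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden")),
    ("zero-size", re.compile(r"(opacity|font-size)\s*:\s*0(\.0+)?(px|em|pt|%)?\s*(;|$)")),
    ("off-screen", re.compile(r"(left|top|text-indent)\s*:\s*-\d{3,}")),
]
COLOR = r"(?:^|;)\s*%s\s*:\s*([^;\s]+)"  # value of one CSS declaration

def hiding_reason(style):
    style = style.lower()
    for name, rx in HIDING:
        if rx.search(style):
            return name
    fg, bg = (re.search(COLOR % p, style) for p in ("color", "background(?:-color)?"))
    return "same-fg-bg" if fg and bg and fg.group(1) == bg.group(1) else None

class VisibleText(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.visible, self.dropped = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            # script/style are display:none in every browser's default stylesheet
            style = "display:none" if tag in ("script", "style") else dict(attrs).get("style")
            self.stack.append((tag, hiding_reason(style or "")))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed children
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
    def handle_comment(self, data):
        self.dropped.append(("html-comment", data.strip()))
    def handle_data(self, data):
        if ZERO_WIDTH.search(data):
            self.dropped.append(("zero-width", f"{len(ZERO_WIDTH.findall(data))} char(s)"))
        clean = ZERO_WIDTH.sub("", data).strip()
        reason = next((r for _, r in self.stack if r), None)  # any hidden ancestor
        if clean and reason:
            self.dropped.append((reason, clean))
        elif clean:
            self.visible.append(clean)

def sanitize_for_llm(html):  # -> (visible_text, [(reason, text), ...])
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.dropped

# Constructed sample page; the hidden strings are inert placeholders.
SAMPLE = """<body style="background:#fff"><h1>Trip report</h1>
<p>We reached the trail\u200bhead at dawn.</p>
<!-- [constructed hidden text A] -->
<p style="color:#fff;background-color:#fff">[constructed hidden text B]</p>
<div style="position:absolute; left:-9999px">[constructed hidden text C]</div>
<p>The summit view was worth it.</p></body>"""
```

Text hidden through external stylesheets or an inherited background colour needs computed styles from a rendering engine, which this filter does not have.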
Vulnerability 2: Screenshot-Based Prompt Injection
Vulnerability Details
- Disclosed: October 21, 2025 by Brave Security Team in their unseeable prompt injections research
- Severity: Critical
- Attack Vector: Steganographic text in screenshots processed by AI
- Status: Unpatched and actively exploitable
Technical Details
This represents a novel attack vector that exploits Comet's screenshot analysis feature:
- Steganography Technique: Attackers use faint light blue text (#0101FE) on yellow backgrounds—invisible to human eyes but detectable by OCR systems
- Attack Flow:
  - User visits a compromised webpage containing steganographic malicious instructions
  - User takes a screenshot (using Comet's built-in feature or OS screenshot tool)
  - Comet's OCR extracts text from the screenshot, including invisible malicious commands
  - Extracted instructions are fed directly to the AI system without filtering or validation
  - AI executes commands with full access to all authenticated user sessions
- Critical Security Flaw: The AI operates with the user's full privileges across all authenticated sessions, including:
  - Banking and financial accounts
  - Email and cloud storage
  - Corporate systems and internal tools
  - Social media accounts
  - Any service where the user is logged in
- Cross-Domain Access: Unlike traditional web security models with same-origin policy restrictions, the AI assistant can access and manipulate data across all domains simultaneously
- Persistence: Malicious instructions can persist across sessions if stored in Comet's context memory
Vulnerability 3: CometJacking Attack
Vulnerability Details
- Disclosed: October 2025 by Security Research
- Severity: Critical
- Attack Vector: Weaponized URLs containing malicious prompts
- Status: Partially mitigated with Base64-encoding detection, but bypasses exist
Technical Details
This attack demonstrates how a single malicious URL can compromise an entire AI browser session:
- Attack Method: Crafted URLs containing malicious prompts in query parameters (e.g., https://example.com/?prompt=MALICIOUS_COMMAND)
- Bypass Technique: Simple Base64-encoding to evade basic data exfiltration protections implemented by Perplexity
- Exploitation Process:
  - Attacker sends victim a malicious URL via email, chat, or social media
  - Victim clicks the link, opening it in Comet browser
  - Embedded prompt activates and hijacks the AI assistant
  - AI assistant accesses connected services (Gmail, Calendar, etc.)
  - Sensitive data is extracted and exfiltrated to attacker infrastructure
- No Credential Theft Needed: The attack exploits the fact that the browser already has authorized access to user accounts—no password stealing required
- Data Theft Capabilities:
  - Email contents and attachments from Gmail
  - Calendar appointments and meeting details
  - Contact information
  - Documents from connected cloud storage
  - Data from any integrated third-party applications
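A triage check for prompt-bearing links in mail-gateway or proxy URL logs, as an added example (not Perplexity's detection logic or code from the article): it decodes every query value, Base64 included, and flags values that read like sentences rather than identifiers. The word-count threshold, function names, parameter names and sample URLs are assumptions and constructed data; long search queries will also trip it, so treat hits as leads to review.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

def try_b64(value):
    """Return the decoded text if value is Base64 of printable UTF-8, else None."""
    value = value.replace(" ", "+")  # parse_qsl turns a literal '+' into a space
    if not B64_RE.match(value):
        return None
    value = value.replace("+", "-").replace("/", "_")  # accept both alphabets
    try:
        text = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def looks_like_prompt(text, min_words=6):
    """Heuristic: sentence-like free text rather than an id, token or short search."""
    return " " in text and len(re.findall(r"[A-Za-z']{2,}", text)) >= min_words

def inspect_url(url):
    """Return [(param, encoding, text)] for query values that read like instructions."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = try_b64(value)
        encoding, text = ("base64", decoded) if decoded else ("plain", value)
        if looks_like_prompt(text):
            findings.append((name, encoding, text))
    return findings

def triage(urls):
    """Map each flagged URL to its findings; clean URLs are omitted."""
    hits = {u: inspect_url(u) for u in urls}
    return {u: f for u, f in hits.items() if f}

# Constructed sample data: an inert sentence and hypothetical parameter names.
TEXT = "this is a constructed sample instruction for the assistant to follow"
URLS = [
    "https://example.com/article?id=4821&utm_source=newsletter",
    "https://example.com/search?q=chrome+update",
    "https://example.com/?prompt=" + TEXT.replace(" ", "%20"),
    "https://example.com/?data=" + base64.b64encode(TEXT.encode()).decode(),
]
```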
The Fundamental Problem: Prompt Injection
Security experts, including prominent AI security researcher Simon Willison, emphasize that prompt injection represents a systemic challenge facing all AI-powered systems:
"To an LLM, the trusted instructions and untrusted content are concatenated together into the same stream of tokens. Despite nearly three years of research, nobody has demonstrated a convincing and effective way of distinguishing between the two."
Key insights from industry experts:
- OpenAI CISO Dane Stuckey: "Prompt injection remains a frontier, unsolved security problem in AI systems"
- Perplexity Security Team: "It demands rethinking security from the ground up—traditional web security models are insufficient"
- Brave Security Research: "Indirect prompt injection is not an isolated issue, but a systemic challenge facing the entire category of AI-powered browsers"
Vendor Response and Concerns
Perplexity's response to these vulnerabilities has raised concerns in the security community:
- Incomplete Fixes: Brave Security confirmed on October 21, 2025, that patches remain incomplete and vulnerabilities persist
- "No Security Impact" Classification: Perplexity has classified some findings as having "no security impact" despite researchers demonstrating working proof-of-concept attacks that exfiltrate real user data
- Base64 Detection Bypassed: Simple encoding-based protections have proven ineffective, with researchers demonstrating trivial bypasses
- Systemic Issue Recognition: While Perplexity acknowledges the systemic nature of prompt injection, effective mitigations have not been implemented
Implications
These vulnerabilities represent a fundamental security crisis for AI-powered browsers:
- Covert Surveillance: Attackers can monitor user activities across all browsing sessions without detection
- Data Manipulation: Malicious actors can modify, delete, or exfiltrate sensitive information
- Unauthorized Access: Complete compromise of all authenticated sessions and connected services
- Persistent Compromise: Long-term access through hidden commands that persist across sessions
- Detection Challenges: Traditional security tools cannot detect AI-based attacks as malicious behavior appears as legitimate user actions
- Traditional Security Failures: Same-origin policy, CORS, and other web security mechanisms are ineffective against AI agents operating across domains
Recommended Actions
For Individual Users:
- Avoid AI Browser Features: Until stronger protections are implemented, consider avoiding agentic browser features entirely for sensitive tasks
- Limit Sensitive Sessions: Do not keep banking, email, or other sensitive accounts logged in while using AI browser features
- Separate Browsing Contexts: Use different browsers or profiles—one for AI-assisted browsing and another for sensitive activities
- Treat with Extreme Caution: View all AI browser agent features as inherently risky and unproven technology
- Monitor for Updates: Watch for official security advisories and patches from Perplexity and other AI browser vendors
- Be Skeptical of Links: Exercise extreme caution with all external links when using AI browsers, even from seemingly trusted sources
- Disable Screenshot Features: Avoid using AI screenshot analysis features on pages with untrusted content
- Review Permissions: Regularly audit what services and data your AI browser can access
For Organizations:
- Policy Restrictions: Consider prohibiting AI-powered browser usage for corporate activities until security matures
- Network Isolation: If AI browsers must be used, isolate them on separate networks without access to sensitive corporate resources
- Data Loss Prevention: Implement DLP solutions to monitor and block unauthorized data exfiltration
- User Education: Train employees about AI browser risks and prompt injection attacks
- Incident Response Planning: Develop response procedures for potential AI browser compromises
- Access Controls: Restrict which employees can use AI browser features and for what purposes
- Monitoring: Log and monitor AI browser activity for suspicious patterns
ChatGPT Atlas Browser Vulnerability: Persistent Hidden Commands
Overview
A significant security flaw has been discovered in the 'ChatGPT Atlas Browser,' a specialized browser environment associated with OpenAI's large language models. This vulnerability allows attackers to leverage crafted URLs to plant persistent, hidden commands within the browser, posing a substantial risk to users. This issue was initially reported by The Hacker News and corroborated by Security Affairs.
Key Findings / Implementation Details
The core of the vulnerability lies in how the ChatGPT Atlas Browser processes and interprets specially crafted or 'fake' URLs, as detailed by The Hacker News. Key characteristics include:
- Attack Vector: Specially engineered URLs that appear legitimate but contain embedded commands
- Command Execution: The browser executes commands hidden within URL structures
- Persistence Mechanism: Commands persist across browser sessions, creating a backdoor effect
- No Additional Interaction Required: Initial click on the malicious URL is sufficient—no downloads or further user actions needed
- Dangerous Command Execution: Capability to run arbitrary commands within the OpenAI environment
- Potential Impacts:
  - Data exfiltration from ChatGPT sessions and connected accounts
  - Unauthorized actions within the OpenAI environment
  - Manipulation of AI responses and behaviors
  - Potential broader system compromise if combined with other exploits
  - Long-term surveillance of user activities
Implications
For users of the ChatGPT Atlas Browser, this flaw presents serious security risks:
- Covert Surveillance: Attackers can monitor user interactions with ChatGPT without detection
- Data Manipulation: Ability to alter, extract, or delete sensitive information from conversations
- Unauthorized Access: Potential access to connected services and integrations
- Persistent Compromise: Single successful exploitation can have lasting effects across multiple sessions
- Detection Challenges: Hidden nature of commands makes identification and remediation difficult
- Chain Attack Potential: May be combined with other vulnerabilities for escalated access
Recommended Actions
- Link Caution: Treat all external links with extreme suspicion when using ChatGPT Atlas Browser
- Limit Sensitive Use: Avoid using the browser for sensitive tasks or discussions until official patches are available
- Monitor for Patches: Closely watch for official security advisories from OpenAI regarding this vulnerability
- Session Hygiene: Regularly clear browser sessions and restart the application
- Verify URLs: Carefully inspect URLs before clicking, looking for unusual parameters or structures
- Separate Contexts: Use different browsers or environments for ChatGPT versus other sensitive activities
- Report Suspicious Behavior: Immediately report any unusual browser behavior to OpenAI security team
- Network Monitoring: Monitor network traffic for unexpected data exfiltration from ChatGPT sessions
References
- New ChatGPT Atlas Browser Exploit Lets Attackers Plant Persistent Hidden Commands - The Hacker News
- ChatGPT Atlas Browser Can Be Tricked by Fake URLs into Executing Hidden Commands - The Hacker News
- Italian spyware vendor linked to Chrome zero-day attacks - BleepingComputer
- Chrome 0-Day Vulnerability Actively Exploited in Attacks by Notorious Hacker Group - CybersecurityNews.com
- Google Chrome-gebruikers via link in phishingmail geïnfecteerd met spyware - Security.nl
- Memento Labs, the ghost of Hacking Team, has returned — or maybe it was never gone at all. - Security Affairs
- Crafted URLs can trick OpenAI Atlas into running dangerous commands - Security Affairs
- Google Chrome Official Website - Google
- Google Chrome Releases Blog - Google
- Mozilla Security Advisories - Mozilla
- Unseeable Prompt Injections in Perplexity Comet Browser - Brave Security
- CISA Known Exploited Vulnerabilities Catalog - CISA
- Kaspersky Research: Operation ForumTroll and Memento Labs Investigation (October 2025)