Google has patched a previously unknown vulnerability in the Chrome browser that was used to deliver spyware to Russian users.
The zero-day vulnerability, tracked as CVE-2025-2783, enabled an attack that could infect a Windows PC if the user clicked on a malicious link, according to antivirus provider Kaspersky, which discovered the threat.
“In mid-March 2025, Kaspersky detected a wave of infections triggered when users clicked personalized phishing links delivered via email,” the company said. “After clicking, no additional action was needed to compromise their systems.”
The flaw involves “a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system”—the Mojo programming language for Windows, Kaspersky added in a blog post.
Moscow-based Kaspersky also says the hackers behind the attack targeted Russian users by sending phishing emails to “media outlets, educational institutions, and government organizations in Russia.” The emails invited recipients to attend the Primakov Readings, an international summit focused on politics and economics that’ll be held in Moscow in June.
“The malicious links were extremely short-lived to evade detection, and in most cases ultimately redirected to the legitimate website for ‘Primakov Readings’ once the exploit was taken down,” Kaspersky said.
The antivirus provider also suspects a state-sponsored hacking group engineered the attack, which can bypass the “sandbox” protections on Chrome designed to isolate malware.
“The technical sophistication displayed here indicates development by highly skilled actors with substantial resources. We strongly advise all users to update their Google Chrome and any Chromium-based browser to the latest version to protect against this vulnerability,” says Kaspersky security researcher Boris Larin.
Microsoft is also working on a fix for its Edge browser, which uses the Chromium engine.
It’s also possible the attack used a second zero-day vulnerability in Chrome. Kaspersky was only able to uncover details of the sandbox escape method for the attack — not the initial exploit used to trigger the remote code execution. “Fortunately, patching the vulnerability used to escape the sandbox effectively blocks the entire attack chain,” the antivirus provider said.
Kaspersky reported its findings to Google last week. The search giant then released an emergency patch for Chrome on Windows on Tuesday, version 134.0.6998.178.
Kaspersky plans to release more details, including the spyware delivered, once most users have had a chance to install the patch.
About Michael Kan
Senior Reporter
