An Italian spyware vendor has been linked to a recent wave of Google Chrome zero-day exploits targeting Android and Windows users, marking another escalation in the global commercial surveillance industry. The campaign, reportedly orchestrated by threat actors connected to the Italian firm Cy4Gate, leveraged multiple zero-day vulnerabilities to compromise devices and deliver advanced surveillance tools to high-value targets.
Discovery of Chrome Exploitation Campaign
Google’s Threat Analysis Group (TAG) identified the exploitation of the Chrome vulnerability CVE-2025-1234, which was used in conjunction with Android privilege escalation flaws to execute arbitrary code on devices. According to Google TAG, attackers embedded malicious code within booby-trapped websites, tricking users into visiting them via targeted SMS and email lures.
Once a victim visited the malicious site, the exploit chain triggered remote code execution and privilege escalation, granting full control of the system. The payload deployed a spyware suite capable of exfiltrating communications, GPS data, and encrypted messages.
A report from the Citizen Lab further linked these operations to infrastructure previously associated with RCS Lab and Cy4Gate—two Italian surveillance technology firms with a history of developing spyware tools used by government clients across Europe and the Middle East.
Technical Breakdown and Attack Vectors
The exploit chain began with a memory corruption flaw in Chrome’s rendering engine, enabling attackers to escape the browser sandbox. This was followed by a kernel-level privilege escalation in Android to obtain root privileges. Analysts noted that the operation made use of obfuscated JavaScript loaders and encrypted payloads to evade static detection.
The attackers utilized command-and-control (C2) servers hosted on bulletproof infrastructure across several European ISPs, with communication channels disguised as legitimate HTTPS traffic. Indicators of compromise (IOCs) showed the use of proxy layers and domain fronting techniques to mask attacker origins.
“The sophistication of this chain shows how commercial surveillance vendors are rapidly adopting zero-day exploitation techniques once reserved for state-sponsored actors,” said a Google spokesperson in a statement.
Impact on Global Surveillance Landscape
The incident underscores growing concerns over private spyware vendors selling advanced offensive capabilities to governments with limited oversight. Cy4Gate, which previously merged with Elettronica Group, has been identified in multiple investigations involving the sale of interception and digital forensics tools.
Researchers at Amnesty International’s Security Lab warned that such exploits can have a chilling effect on human rights defenders, journalists, and political dissidents targeted by these tools. In several observed cases, the victims were located in regions with restrictive press and civil liberties.
Google has since released patches addressing the zero-day vulnerabilities in Chrome version 130.0.6723.58 and Android’s October 2025 security update. Users are strongly advised to update their browsers and operating systems immediately.
Defensive Measures and Mitigations
Security experts recommend the following defensive actions for enterprise and individual users:
- Ensure Chrome browsers and Android devices are updated to the latest versions.
- Implement application allowlisting to prevent unauthorized code execution.
- Use advanced endpoint protection tools capable of behavioral detection against privilege escalation attempts.
- Monitor network traffic for anomalies and known C2 patterns associated with Cy4Gate-linked infrastructure.
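A practical check for the first item above, as an added example that is not part of the article: compare an inventory of installed Chrome builds against the patched version the article cites (130.0.6723.58), using numeric rather than string comparison so that "130.0.6723.9" is correctly flagged as older. The hostnames and versions in the sample inventory are constructed.

```python
# Added example (not from the article). Assumes Chrome-style dotted
# numeric version strings ("major.minor.build.patch").
from typing import Dict, List, Tuple

PATCHED_CHROME = "130.0.6723.58"  # patched Chrome version cited in the article


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into ints so comparison is numeric, not lexical."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, patched: str = PATCHED_CHROME) -> bool:
    """True when installed >= patched, component-wise; missing components count as 0."""
    a, b = parse_version(installed), parse_version(patched)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def triage(hosts: Dict[str, str], patched: str = PATCHED_CHROME) -> List[str]:
    """Return the hosts whose reported Chrome build is still below the patched version."""
    return [host for host, ver in hosts.items() if not is_patched(ver, patched)]


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    inventory = {
        "ws-01": "130.0.6723.58",
        "ws-02": "130.0.6723.9",     # lexically "greater", numerically older
        "ws-03": "129.0.6668.100",
        "ws-04": "131.0.6778.0",
    }
    for host in triage(inventory):
        print(f"{host}: Chrome below {PATCHED_CHROME}, update required")
```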
“The commercialization of zero-day exploitation has blurred the line between state and private cyber operations,” researchers warned, calling for stricter international export controls on offensive cyber tools.