Kaspersky Global Research and Analysis Team (GReAT) has uncovered evidence linking the HackingTeam successor, Memento Labs, to a new wave of cyberespionage attacks. The discovery stems from an investigation into Operation ForumTroll, an Advanced Persistent Threat (APT) campaign that exploited a zero-day vulnerability in Google Chrome. The research was presented at the Security Analyst Summit 2025, taking place in Thailand.
In March 2025, Kaspersky GReAT brought to light Operation ForumTroll, a sophisticated cyberespionage campaign exploiting a Chrome zero-day vulnerability, CVE-2025-2783. The APT group behind the attack sent personalized phishing emails disguised as invitations to the Primakov Readings forum, targeting Russian media outlets, government organizations, educational and financial institutions.
While investigating ForumTroll, researchers identified that the attackers used a spyware LeetAgent, which stood out due to its commands written in leetspeak, a rare feature in APT malware. Further analysis uncovered similarities between its toolset and a more advanced spyware that Kaspersky GReAT has observed in other attacks. After determining that, in some cases, the latter was launched by LeetAgent or that they shared a loader framework, researchers confirmed the connection between the two, as well as between the attacks.
Although the other spyware employed advanced anti-analysis techniques, including VMProtect obfuscation, Kaspersky retrieved the malware’s name from the code and identified it as Dante. The researchers discovered that a commercial spyware with the same name was promoted by Memento Labs, the rebranded successor to HackingTeam. Additionally, the most recent samples of HackingTeam's Remote Control System spyware, obtained by Kaspersky GReAT, share similarities with Dante.
“While the existence of spyware vendors is well-known in the industry, their products remain elusive, particularly in targeted attacks where identification is exceptionally challenging. Uncovering Dante origin demanded peeling back layers of heavily obfuscated code, tracing a handful of rare fingerprints across years of malware evolution, and correlating them with a corporate lineage. Maybe it is the reason they called it Dante, there is a hell of a journey for anyone who would try to find its roots”, said Boris Larin, principal security researcher at Kaspersky GReAT.
To avoid detection, Dante incorporates a unique way of analyzing its environment before determining whether it can safely carry out its functions.
The researchers traced the first use of LeetAgent back to 2022 and discovered additional attacks by ForumTroll APT targeting organizations and individuals in Russia and Belarus. The group stands out for its strong command of Russian and knowledge of local nuances, traits that Kaspersky observed in other campaigns linked to this APT threat. However, occasional errors suggest that the attackers were not native speakers.
The attack leveraging LeetAgent was first detected by Kaspersky Next XDR Expert. The full details of this research, as well as future updates on ForumTroll APT and Dante, are available to customers of the APT reporting service through Kaspersky Threat Intelligence Portal.
For more details and indicators of compromise, see the article on Securelist.com.
