Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered evidence linking Memento Labs, the successor to HackingTeam, to a new wave of cyber-espionage attacks, according to a press release.

The discovery stems from an investigation into Operation ForumTroll, an Advanced Persistent Threat campaign that exploited a zero-day vulnerability in Google Chrome.


The research was presented at Security Analyst Summit 2025 in Thailand, which took place from October 26 to 29.

In March 2025, Kaspersky GReAT uncovered Operation ForumTroll, a cyber-espionage campaign exploiting Chrome zero-day CVE-2025-2783 via phishing emails targeting Russian entities.

The attackers used LeetAgent spyware, linked to the advanced Dante spyware by Memento Labs, formerly HackingTeam, showing shared frameworks and code similarities with HackingTeam’s Remote Control System.

‘While the existence of spyware vendors is well-known in the industry, their products remain elusive, particularly in targeted attacks where identification is exceptionally challenging,’ said Boris Larin, principal security researcher at Kaspersky GReAT.

‘Uncovering Dante’s origin demanded peeling back layers of heavily obfuscated code, tracing a handful of rare fingerprints across years of malware evolution, and correlating them with a corporate lineage. Maybe it is the reason they called it Dante, there is a hell of a journey for anyone who would try to find its roots,’ Boris added.

Dante evades detection through environment checks. ForumTroll, active since 2022, targets Russia and Belarus and shows fluent yet non-native Russian proficiency.

The attack leveraging LeetAgent was first detected by Kaspersky Next XDR Expert. The full details of this research, as well as future updates on ForumTroll APT and Dante, are available to customers of the APT reporting service through Kaspersky Threat Intelligence Portal.