Cybersecurity firm Kaspersky’s Global Research and Analysis Team (GReAT) has discovered new spyware linked to Memento Labs, the company that took over from HackingTeam, after investigating a cyberespionage campaign called Operation ForumTroll.
According to Kaspersky, Operation ForumTroll used a zero-day vulnerability in Google Chrome to target Russian media outlets, government agencies, schools, and financial institutions. The attackers sent phishing emails disguised as invitations to the Primakov Readings forum.
During the investigation, Kaspersky researchers discovered spyware called LeetAgent, known for its commands written in “leetspeak,” a rare coding style in advanced malware. Further analysis revealed that LeetAgent shared tools and code with another spyware called Dante, suggesting that the same developers or partners were behind both.
“While the existence of spyware vendors is well-known in the industry, their products remain elusive, particularly in targeted attacks where identification is exceptionally challenging,” said Boris Larin, principal security researcher at Kaspersky GReAT.
Kaspersky identified Dante as a commercial spyware promoted by Memento Labs. The company was formed after HackingTeam rebranded, and Dante shares similarities with HackingTeam’s older Remote Control System spyware.
“Uncovering Dante’s origin demanded peeling back layers of heavily obfuscated code, tracing a handful of rare fingerprints across years of malware evolution, and correlating them with a corporate lineage,” Larin said. “Maybe it is the reason they called it Dante; there is a hell of a journey for anyone who would try to find its roots.”
Researchers said Dante performs environment checks before activating its spyware functionality, so that it can avoid running where it might be detected or analyzed.
Kaspersky traced LeetAgent’s earliest use to 2022 and found that the ForumTroll group had also targeted organizations and individuals in Russia and Belarus. The attackers showed a strong command of the Russian language and familiarity with local contexts, although some linguistic errors indicated they were not native speakers.