HackingTeam Spyware Resurfaces – Kaspersky Detection

Moscow (© 2025 Afriquinfos) – Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered evidence linking Memento Labs (the successor to HackingTeam) to a new wave of cyberespionage attacks. This discovery is the result of an investigation into Operation ForumTroll, an advanced persistent threat (APT) campaign exploiting a zero-day vulnerability in Google Chrome. The results of this research were presented at the Security Analyst Summit 2025, held in Thailand.

In March 2025, Kaspersky GReAT researchers uncovered Operation ForumTroll, a sophisticated cyberespionage campaign exploiting a Chrome zero-day vulnerability, CVE-2025-2783. The APT group behind the attack sent personalized phishing emails posing as invitations to the Primakov Readings forum, targeting Russian media outlets, educational institutions, financial institutions and government organizations.

By investigating ForumTroll, researchers discovered the use of LeetAgent spyware, which is distinguished by its commands written in leet speak, a rare characteristic for APT malware. Further analysis revealed similarities between LeetAgent's tooling and a more advanced spyware that Kaspersky had studied in other attacks. After determining that, in some cases, the latter was launched by LeetAgent, and that the two share a loading framework, the researchers confirmed the link between the two spyware families as well as between the attacks.

Although the second spyware used advanced anti-analysis techniques, such as VMProtect obfuscation, Kaspersky managed to extract the name of the malware from its code: Dante. Researchers discovered that commercial spyware of the same name was promoted by Memento Labs, the new name for HackingTeam. Additionally, the most recent samples of HackingTeam’s Remote Control System spyware, obtained by Kaspersky GReAT, show similarities to Dante.

"The existence of spyware suppliers is well known, but their products remain difficult to identify, especially during targeted attacks where their detection is particularly complex. Uncovering Dante's origins required peeling back layers of heavily obfuscated code, tracing specific fingerprints through years of malware evolution history, and correlating them to a corporate lineage. Maybe that's why they called him Dante, because looking for his origins is a real ordeal," said Boris Larin, Senior Security Researcher at Kaspersky GReAT.

To evade detection, Dante incorporates a distinctive method of scanning its environment before deciding whether or not it can deploy discreetly.

Researchers were able to trace the first use of LeetAgent back to 2022, and discovered other ForumTroll APT attacks targeting organizations and individuals in Russia and Belarus. The group is notable for its fluency in Russian and knowledge of local linguistic intricacies, traits Kaspersky has observed in other campaigns linked to the group. However, occasional errors suggest the attackers were not native speakers.

The attack exploiting LeetAgent was first detected by the Kaspersky Next XDR Expert solution. Full details of this analysis, as well as future updates on ForumTroll and Dante, are available to APT reporting service customers, via the Kaspersky Threat Intelligence portal.

Africainfos
