A new Kaspersky investigation has traced a string of cyber-espionage campaigns — targeting Russian and Belarusian institutions — to Memento Labs, the Italian successor to the infamous Hacking Team. The discovery revives old fears about commercial spyware’s persistence, exposing how remnants of a disbanded surveillance industry continue to fuel new global threats.
A Familiar Signature in a New Espionage Campaign
When Kaspersky analysts stumbled upon a sophisticated phishing operation in early 2025, the digital trail led back to an unexpected source — a defunct Italian surveillance firm once accused of selling spyware to authoritarian regimes. The campaign, dubbed Operation ForumTroll, lured victims from Russian and Belarusian media, academic, and government sectors under the guise of the Primakov Readings Forum, a respected policy event.
Victims were infected merely by visiting compromised Chrome pages embedded with short-lived phishing links. The attacks exploited a previously unknown sandbox escape flaw — later patched as CVE-2025-2783 — allowing code execution within the browser. A similar exploit, CVE-2025-2857, also affected Firefox, suggesting a cross-browser espionage toolkit.
Tracing the Digital DNA: From Hacking Team to Memento Labs
Kaspersky’s forensic reconstruction uncovered telling patterns. The malware’s validator script, which verified real victims using WebGPU, communicated with its command server via elliptic-curve Diffie–Hellman encryption — a level of sophistication pointing to a state-sponsored actor.
Once inside, the spyware leveraged Chrome’s IPC handling flaws to bypass sandbox protections and install payloads via COM hijacking, embedding itself deep within system processes.
The operation’s centerpiece, a custom spyware implant dubbed LeetAgent, supported remote code execution, keylogging, and file exfiltration. Commands written in leetspeak — a form of stylized hacker slang — controlled the infected machines through HTTPS servers often hosted on Fastly.
After deobfuscation, analysts discovered code overlaps with Dante, the advanced commercial spyware once developed by Memento Labs — previously known as the Hacking Team. That connection, Kaspersky noted, was not circumstantial: it was genetic.
The Return of Dante
Originally engineered as a successor to Hacking Team’s Remote Control System (RCS), Dante had been believed obsolete after the Italian firm’s 2019 reboot. Yet, Kaspersky’s analysis revealed that Memento Labs continued refining its code until 2022, before replacing it entirely with the newer implant. The malware used VMProtect for obfuscation, anti-debugging and anti-sandbox checks, and an AES-encrypted orchestrator to manage communications, module loading, and self-removal — hallmarks of an espionage-grade toolkit.
Investigators found Dante’s digital fingerprints embedded in ForumTroll’s payloads. “Similarities in the code suggest that Operation ForumTroll was carried out using tools developed by Memento Labs,” the Kaspersky report concluded. Even with renamed binaries and stripped product information, the DNA remained recognizable.
“Once we removed VMProtect’s obfuscation, we found the malware name in the code,” Kaspersky wrote — a rare direct attribution in the opaque world of commercial spyware.
A Repeating Cycle of Reinvention
Kaspersky’s final report outlined three troubling takeaways.
- First, the Windows API function DuplicateHandle still exposes exploitable conditions in privileged processes — a flaw central to the Chrome attack chain.
- Second, attribution, while elusive, remains “the hardest yet most rewarding aspect of threat intelligence,” likened to “solving a detective mystery.”
- Third, despite multiple rebrandings and legal setbacks, Memento Labs’ spyware lineage has not died — it has adapted.
As Kaspersky published its indicators of compromise for the threat, researchers warned that the revival of tools from a company once forced into obscurity suggests something more enduring: that in the shadow economy of surveillance tech, obsolescence is rarely permanent.
