
Kaspersky Uncovers New Spyware from HackingTeam Successor “Memento Labs” After Years of Silence

Tuesday 28 October 2025 12:36
The Kaspersky Global Research and Analysis Team (GReAT) has discovered evidence linking Memento Labs, the rebranded successor of the infamous HackingTeam, to a new wave of sophisticated cyberespionage attacks.

The finding emerged from Kaspersky’s investigation into Operation ForumTroll, an Advanced Persistent Threat (APT) campaign exploiting a zero-day vulnerability (CVE-2025-2783) in Google Chrome. The research was unveiled at the Security Analyst Summit 2025, held in Thailand from October 26–29.

According to Kaspersky, the attackers distributed phishing emails disguised as invitations to the Primakov Readings forum, targeting Russian media outlets, educational institutions, and government organizations. The campaign leveraged a custom spyware tool dubbed LeetAgent, notable for its commands written in leetspeak, a rare characteristic among APT malware.

Further analysis revealed that LeetAgent was connected to another, more advanced spyware framework named Dante — a commercial surveillance tool promoted by Memento Labs, the successor to HackingTeam. Kaspersky researchers found overlapping code structures, shared loader mechanisms, and similar anti-analysis features, including VMProtect obfuscation, linking Dante to legacy HackingTeam Remote Control System (RCS) spyware.

> “Uncovering Dante’s origin demanded peeling back layers of heavily obfuscated code, tracing a handful of rare fingerprints across years of malware evolution, and correlating them with a corporate lineage,” said Boris Larin, Principal Security Researcher at Kaspersky GReAT. “Maybe it’s the reason they called it Dante — there’s a hell of a journey for anyone who tries to find its roots.”

Kaspersky traced LeetAgent’s first activity to 2022, noting that the ForumTroll APT group has since conducted multiple targeted attacks in Russia and Belarus. While the group demonstrates a strong command of the Russian language and cultural nuances, researchers believe its operators are not native speakers.

The LeetAgent infection was initially detected by Kaspersky Next XDR Expert, the company’s advanced detection and response platform.

Full technical details, indicators of compromise (IOCs), and further updates on ForumTroll APT and Dante spyware are available to customers through the Kaspersky Threat Intelligence Portal and on Securelist.com.