The Italian spyware vendor Memento Labs is linked to a sophisticated attack campaign, Operation ForumTroll, that exploited a zero-day vulnerability in Google Chrome earlier this year. The campaign deployed malware, including a commercial spyware tool named Dante, against high-value Russian targets.
Zero-Day and Spear Phishing
Operation ForumTroll, first uncovered by Kaspersky in March, specifically targeted Russian organizations, including media outlets, universities, research centers, government bodies, and financial institutions.
The attack used carefully crafted spear phishing emails containing well-disguised invitations to the "Primakov Readings" forum. Loading the malicious link in any Chromium-based web browser was enough to infect the system. The delivery method exploited CVE-2025-2783, a critical sandbox escape zero-day flaw in the Chrome browser. Google fixed this vulnerability in late March.
Memento Labs and Hacking Team Legacy
Further analysis of the attack chain revealed that the malware used dates back to at least 2022 and led to the discovery of another commercial spyware tool called Dante.
Memento Labs is the successor to the infamous Hacking Team, a Milan-based spyware vendor known for selling its Remote Control System (RCS) surveillance tool to various governments, including authoritarian regimes, before being breached in 2015. After its acquisition by InTheCyber Group in 2019, the assets were used to form Memento Labs. Due to code similarities with the old Hacking Team RCS malware, Kaspersky attributes the Dante spyware to Memento Labs with high confidence.
The Attack Chain and LeetAgent
Operation ForumTroll begins with a phishing email that uses a personalized, short-lived link. A validator script filters visitors to ensure only targets of interest are compromised.
The zero-day exploit (CVE-2025-2783) is then used to achieve shellcode execution and install a persistent loader. This loader injects a malicious DLL that decrypts the main payload, a modular spyware called LeetAgent.
LeetAgent is a modular spyware capable of keylogging, command execution, file operations, and data theft. It is unique for its use of "leetspeak" in command implementation. In some cases, LeetAgent was observed introducing the Dante spyware.
The Dante spyware is modular, designed to retrieve components from a command-and-control (C2) server. It includes a self-destruct feature: if no communication is received from the C2 server for a specified number of days, the malware deletes itself and all traces of its activity. However, researchers were unable to retrieve any Dante modules, so its full capabilities remain undocumented.